Fortinet Document Library

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

NAT mode

In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal network to access the FTP server.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B
  3. Configure the VDOM link

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/255.255.255.0

    Interface

    port1

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.201.7

    Interface

    wan1

    Distance

    10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    VDOM-A-Internet

    Incoming Interface

    port1

    Outgoing Interface

    wan1

    Source

    internal-network

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    enabled

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-A
        config firewall policy
            edit 1
                set name "VDOM-A-Internet"
                set srcintf "port1"
                set dstintf "wan1"
                set srcaddr "internal-network"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A virtual IP address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    192.168.20.10/32

    Interface

    port2

    Show in Address List

    enabled

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end
To add the virtual IP address in the GUI:
  1. Go to Policy & Objects > Virtual IPs and create a new virtual IP address.
  2. Enter the following information:

    Name

    FTP-server-VIP

    Interface

    wan2

    External IP Address/Range

    172.25.177.42

    Internal IP Address/Range

    192.168.20.10

  3. Click OK.
To add the virtual IP address with the CLI:
config vdom
    edit VDOM-B
        config firewall vip 
            edit FTP-server-VIP
                set extip 172.25.177.42
                set extintf wan2
                set mappedip 192.168.20.10
            next
        end 
    next
end
To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.10.10

    Interface

    wan2

    Distance

    10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
                set device wan2
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Access-server

    Incoming Interface

    wan2

    Outgoing Interface

    port2

    Source

    all

    Destination

    FTP-server-VIP

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

    NAT

    enabled

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-B
        config firewall policy
            edit 1
                set name "Access-server"
                set srcintf "wan2"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "FTP-server-VIP"
                set action accept
                set schedule "always"
                set service "FTP"
                set nat enable
            next
        end
    next
end

Configure the VDOM link

The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the FTP server through the FortiGate.

The configuration for the VDOM link includes the following:

  • The VDOM link interface
  • Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Policies allowing traffic using the VDOM link

All procedures in this section require you to connect to the global VDOM using a global administrator account.

To add the VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces and select Create New > VDOM link.
  2. Enter the following information:

    Name

    VDOM-link

    Interface 0

     

    Virtual Domain

    VDOM-A

    IP/Netmask

    0.0.0.0/0.0.0.0

    Interface 1

     

    Virtual Domain

    VDOM-B

    IP/Netmask

    0.0.0.0/0.0.0.0

  3. Click OK.
To add the VDOM link with the CLI:
config global
    config system vdom-link
        edit "VDOM-link"
        next
    end
end
To add the firewall address on VDOM-A in the GUI:
  1. In the VDOM-A VDOM, go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    192.168.20.10/32

    Interface

    VDOM-link0

    Show in Address List

    enabled

    Static Route Configuration

    enabled

To add the firewall addresses on VDOM-A with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit "FTP-server"
                set associated-interface "VDOM-link0"
                set allow-routing enable
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end
To add the static route on VDOM-A in the GUI:
  1. Connect to VDOM-A.
  2. Go to Network > Static Routes and create a new route.
  3. Enter the following information:

    Destination

    Named Address

    Named Address

    FTP-server

    Gateway

    0.0.0.0

    Interface

    VDOM-link0

To add the static route on VDOM-A with the CLI:
config vdom
    edit VDOM-A
        config router static 
            edit 0
                set device VDOM-link0
                set dstaddr FTP-server 
            next
        end
    next
end
To add the security policy on VDOM-A in the GUI:
  1. In the VDOM-A VDOM, go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Access-FTP-server

    Incoming Interface

    port1

    Outgoing Interface

    VDOM-link0

    Source

    internal-network

    Destination

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

    NAT

    disabled

  3. Click OK.
To add the security policy on VDOM-A with the CLI:
config vdom
    edit VDOM-A
        config firewall policy 
            edit 0
                set name Access-FTP-server
                set srcintf port1
                set dstintf VDOM-link0
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end
To add the firewall address on VDOM-B in the GUI:
  1. In the VDOM-B VDOM, go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/24

    Interface

    VDOM-link1

    Show in Address List

    enabled

    Static Route Configuration

    enabled

  3. Click OK.
To add the firewall addresses on VDOM-B with the CLI:
config vdom
    edit VDOM-B
        config firewall address
            edit internal-network
                set associated-interface VDOM-link1
                set allow-routing enable
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
To add the static route on VDOM-B in the GUI:
  1. In the VDOM-B VDOM, go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Named Address

    Named Address

    internal-network

    Gateway

    0.0.0.0

    Interface

    VDOM-link1

  3. Click OK.
To add the static route on VDOM-B with the CLI:
config vdom
    edit VDOM-B
        config router static 
            edit 0
                set device VDOM-link1
                set dstaddr internal-network 
            next
        end
    next
end
To add the security policy on VDOM-B in the GUI:
  1. In the VDOM-B VDOM, go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Internal-server-access

    Incoming Interface

    VDOM-link1

    Outgoing Interface

    port2

    Source

    internal-network

    Destination

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

    NAT

    disabled

  3. Click OK.
To add the security policy on VDOM-B with the CLI:
config vdom
    edit VDOM-B
        config firewall policy 
            edit 0
                set name Internal-server-access
                set srcintf VDOM-link1
                set dstintf port2
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end

NAT mode

In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal network to access the FTP server.

This configuration requires the following steps:

  1. Configure VDOM-A
  2. Configure VDOM-B
  3. Configure the VDOM link

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/255.255.255.0

    Interface

    port1

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.201.7

    Interface

    wan1

    Distance

    10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    VDOM-A-Internet

    Incoming Interface

    port1

    Outgoing Interface

    wan1

    Source

    internal-network

    Destination

    all

    Schedule

    always

    Service

    ALL

    Action

    ACCEPT

    NAT

    enabled

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-A
        config firewall policy
            edit 1
                set name "VDOM-A-Internet"
                set srcintf "port1"
                set dstintf "wan1"
                set srcaddr "internal-network"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A virtual IP address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:
  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    192.168.20.10/32

    Interface

    port2

    Show in Address List

    enabled

  3. Click OK.
To add the firewall addresses with the CLI:
config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end
To add the virtual IP address in the GUI:
  1. Go to Policy & Objects > Virtual IPs and create a new virtual IP address.
  2. Enter the following information:

    Name

    FTP-server-VIP

    Interface

    wan2

    External IP Address/Range

    172.25.177.42

    Internal IP Address/Range

    192.168.20.10

  3. Click OK.
To add the virtual IP address with the CLI:
config vdom
    edit VDOM-B
        config firewall vip 
            edit FTP-server-VIP
                set extip 172.25.177.42
                set extintf wan2
                set mappedip 192.168.20.10
            next
        end 
    next
end
To add a default route in the GUI:
  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Subnet

    IP address

    0.0.0.0/0.0.0.0

    Gateway

    172.20.10.10

    Interface

    wan2

    Distance

    10

  3. Click OK.
To add a default route with the CLI:
config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
                set device wan2
            next
        end
    next
end
To add the security policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Access-server

    Incoming Interface

    wan2

    Outgoing Interface

    port2

    Source

    all

    Destination

    FTP-server-VIP

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

    NAT

    enabled

  3. Click OK.
To add the security policy with the CLI:
config vdom
    edit VDOM-B
        config firewall policy
            edit 1
                set name "Access-server"
                set srcintf "wan2"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "FTP-server-VIP"
                set action accept
                set schedule "always"
                set service "FTP"
                set nat enable
            next
        end
    next
end

Configure the VDOM link

The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the FTP server through the FortiGate.

The configuration for the VDOM link includes the following:

  • The VDOM link interface
  • Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Policies allowing traffic using the VDOM link

All procedures in this section require you to connect to the global VDOM using a global administrator account.

To add the VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces and select Create New > VDOM link.
  2. Enter the following information:

    Name

    VDOM-link

    Interface 0

     

    Virtual Domain

    VDOM-A

    IP/Netmask

    0.0.0.0/0.0.0.0

    Interface 1

     

    Virtual Domain

    VDOM-B

    IP/Netmask

    0.0.0.0/0.0.0.0

  3. Click OK.
To add the VDOM link with the CLI:
config global
    config system vdom-link
        edit "VDOM-link"
        next
    end
end
To add the firewall address on VDOM-A in the GUI:
  1. In the VDOM-A VDOM, go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    FTP-server

    Type

    Subnet

    Subnet / IP Range

    192.168.20.10/32

    Interface

    VDOM-link0

    Show in Address List

    enabled

    Static Route Configuration

    enabled

To add the firewall addresses on VDOM-A with the CLI:
config vdom
    edit VDOM-A
        config firewall address
            edit "FTP-server"
                set associated-interface "VDOM-link0"
                set allow-routing enable
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end
To add the static route on VDOM-A in the GUI:
  1. Connect to VDOM-A.
  2. Go to Network > Static Routes and create a new route.
  3. Enter the following information:

    Destination

    Named Address

    Named Address

    FTP-server

    Gateway

    0.0.0.0

    Interface

    VDOM-link0

To add the static route on VDOM-A with the CLI:
config vdom
    edit VDOM-A
        config router static 
            edit 0
                set device VDOM-link0
                set dstaddr FTP-server 
            next
        end
    next
end
To add the security policy on VDOM-A in the GUI:
  1. In the VDOM-A VDOM, go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Access-FTP-server

    Incoming Interface

    port1

    Outgoing Interface

    VDOM-link0

    Source

    internal-network

    Destination

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

    NAT

    disabled

  3. Click OK.
To add the security policy on VDOM-A with the CLI:
config vdom
    edit VDOM-A
        config firewall policy 
            edit 0
                set name Access-FTP-server
                set srcintf port1
                set dstintf VDOM-link0
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end
To add the firewall address on VDOM-B in the GUI:
  1. In the VDOM-B VDOM, go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:

    Address Name

    internal-network

    Type

    Subnet

    Subnet / IP Range

    192.168.10.0/24

    Interface

    VDOM-link1

    Show in Address List

    enabled

    Static Route Configuration

    enabled

  3. Click OK.
To add the firewall addresses on VDOM-B with the CLI:
config vdom
    edit VDOM-B
        config firewall address
            edit internal-network
                set associated-interface VDOM-link1
                set allow-routing enable
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end
To add the static route on VDOM-B in the GUI:
  1. In the VDOM-B VDOM, go to Network > Static Routes and create a new route.
  2. Enter the following information:

    Destination

    Named Address

    Named Address

    internal-network

    Gateway

    0.0.0.0

    Interface

    VDOM-link1

  3. Click OK.
To add the static route on VDOM-B with the CLI:
config vdom
    edit VDOM-B
        config router static 
            edit 0
                set device VDOM-link1
                set dstaddr internal-network 
            next
        end
    next
end
To add the security policy on VDOM-B in the GUI:
  1. In the VDOM-B VDOM, go to Policy & Objects > Firewall Policy and create a new policy.
  2. Enter the following information:

    Name

    Internal-server-access

    Incoming Interface

    VDOM-link1

    Outgoing Interface

    port2

    Source

    internal-network

    Destination

    FTP-server

    Schedule

    always

    Service

    FTP

    Action

    ACCEPT

    NAT

    disabled

  3. Click OK.
To add the security policy on VDOM-B with the CLI:
config vdom
    edit VDOM-B
        config firewall policy 
            edit 0
                set name Internal-server-access
                set srcintf VDOM-link1
                set dstintf port2
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end