
Support for LAN extension VDOM simplifications 7.4.2

Note: This information is also available in the FortiOS 7.4 Administration Guide.

VDOM configuration for the FortiGate LAN extension has been simplified. When you configure the FortiGate LAN extension VDOM, FortiOS automatically configures a VDOM link between a traffic VDOM, which is by default the root VDOM, and the LAN extension VDOM.

After connecting to the FortiGate Controller, the following settings are automatically configured on the FortiGate Connector:

  • The VDOM link interface in the LAN extension VDOM is part of the LAN extension software switch.

  • The VDOM link interface in the traffic VDOM is dynamically assigned an IP address obtained through the FortiGate Controller.

This feature supports the FortiGate secure edge for FortiSASE.

Example

This example demonstrates how to configure the FortiGate Connector to connect to FortiSASE as the FortiGate Controller.

To configure the FortiGate Connector using the CLI:
  1. Enable multi-VDOM mode from the CLI:

    config system global
        set vdom-mode multi-vdom
    end

  2. Verify that the FortiExtender setting is enabled in the global VDOM:

    # config global
    # show full system global | grep fortiextender -f
    …
        set fortiextender enable

  3. Create a new LAN extension VDOM with the LAN extension controller address as the FortiSASE domain name.

    See Connecting FortiGate to FortiSASE using GUI and CLI for details on how to find the FortiSASE domain name.

    In this example, the VDOM name is ext, and the FortiSASE domain name is turbo-a1p0hv3p.edge.prod.fortisase.com.

    config vdom
        edit ext
            config system settings
                set vdom-type lan-extension
                set lan-extension-controller-addr turbo-a1p0hv3p.edge.prod.fortisase.com
                set ike-port 4500
            end
        next
    end

  4. Move interfaces from the root VDOM to the new LAN extension VDOM, and set the appropriate WAN and LAN roles.

    • Before moving an interface to a new VDOM, delete all references, such as firewall policies or firewall objects. See Finding object dependencies.
    • If interfaces are already part of a hardware switch, remove them from the hardware switch to make them available for the new VDOM. See Hardware switch.

    In this example from the global VDOM, the WAN1 and internal1 interfaces are moved to the LAN extension VDOM named ext, and their roles are set appropriately as wan and lan.

    config global
        config system interface
            edit WAN1
                set vdom "ext"
                set role wan
            next
            edit internal1
                set vdom "ext"
                set role lan
            next
        end
    end

  5. For the WAN interface within the LAN extension VDOM, edit the interface and ensure that Security Fabric connections are allowed:

    config vdom
        edit ext
            config system interface
                edit WAN1
                    set allowaccess ping fabric
                next
            end
        next
    end

    This configuration assumes that the WAN and LAN interfaces are already configured with static IP addresses or configured to use DHCP accordingly.

  6. (Optional) If your LAN extension VDOM is not configured as the management VDOM, and you require a custom DNS server to resolve the FortiGate Controller hostname, then you must configure the VDOM DNS settings within the VDOM:

    config vdom
        edit ext
            config system vdom-dns
                set vdom-dns enable
                set primary 1.2.3.4
                set secondary 2.3.4.5
            end
        next
    end

  7. After the LAN extension VDOM connects to FortiSASE, observe from the global VDOM under Network > Interfaces:

    • A VDOM link ivl-lan-ext is created.
    • The VDOM link interface in the LAN extension VDOM (ivl-lan-ext1) is part of the le-switch LAN extension software switch. Network connectivity to the FortiGate Controller (that is, to FortiSASE) is achieved through the software switch.
    • The VDOM link interface in the traffic (root) VDOM (ivl-lan-ext0) has obtained an IP address dynamically from the FortiGate Controller.

      The traffic VDOM can be used to:

      • Apply application steering to the local internet connection or to the FortiGate Controller network (FortiSASE) using SD-WAN.
      • Apply local security features, such as antivirus, intrusion prevention (IPS), application control, and web filtering, to traffic egressing the local internet connection by creating a firewall policy with ivl-lan-ext0 as the destination interface.

  8. Create a firewall policy with ivl-lan-ext0 as the destination and lan as the source within the traffic VDOM to allow local traffic from the FortiGate Connector to access the internet through the FortiGate Controller (FortiSASE):

    config firewall policy
        edit 1
            set name "traffic-VDOM-to-FortiSASE"
            set srcintf "lan"
            set dstintf "ivl-lan-ext0"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end
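As an added example that is not part of the Fortinet guide, the following Python parses the config / edit / set / next / end structure used in the steps above and checks that a saved configuration reflects steps 3, 5 and 8 (a lan-extension VDOM with a controller address, a WAN interface that allows fabric, and an accept policy in the traffic VDOM whose destination is ivl-lan-ext0). The parser, check_lan_extension and SAMPLE_CONFIG are all constructed here; the sample places the interface role inside the VDOM for brevity.

```python
# Added example (not Fortinet's code): parse FortiOS CLI blocks and check steps 3, 5 and 8.
import shlex
SAMPLE_CONFIG = """config vdom
    edit ext
        config system settings
            set vdom-type lan-extension
            set lan-extension-controller-addr turbo-a1p0hv3p.edge.prod.fortisase.com
        end
        config system interface
            edit WAN1
                set role wan
                set allowaccess ping fabric
            next
        end
    next
    edit root
        config firewall policy
            edit 1
                set dstintf "ivl-lan-ext0"
                set action accept
            next
        end
    next
end
"""

def parse(text):
    # "config X" / "edit Y" open a nested dict, "set k v..." stores the values, "next"/"end" close
    stack = [{}]
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def check_lan_extension(cfg, vdom="ext", traffic_vdom="root", link="ivl-lan-ext0"):
    # Returns a list of findings; an empty list means steps 3, 5 and 8 are reflected in cfg
    vdoms, findings = cfg.get("vdom", {}), []
    ext, settings = vdoms.get(vdom, {}), vdoms.get(vdom, {}).get("system settings", {})
    if settings.get("vdom-type") != ["lan-extension"] or not settings.get("lan-extension-controller-addr"):
        findings.append(f"{vdom}: vdom-type lan-extension with a controller address is required")
    for name, iface in ext.get("system interface", {}).items():
        if iface.get("role") == ["wan"] and "fabric" not in iface.get("allowaccess", []):
            findings.append(f"{vdom}/{name}: WAN allowaccess lacks fabric (Security Fabric)")
    policies = vdoms.get(traffic_vdom, {}).get("firewall policy", {}).values()
    if not any(p.get("dstintf") == [link] and p.get("action") == ["accept"] for p in policies):
        findings.append(f"{traffic_vdom}: no accept policy with dstintf {link}")
    return findings
```

Running check_lan_extension(parse(SAMPLE_CONFIG)) returns an empty list; feeding it the output of a real "show" from the global VDOM reports which of the three steps is missing.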
