Fortinet white logo
Fortinet white logo

Administration Guide

FortiGate secure edge to FortiSASE

FortiGate secure edge to FortiSASE

VDOM configuration for the FortiGate LAN extension has been simplified. When you configure the FortiGate LAN extension VDOM, FortiOS automatically configures a VDOM link between a traffic VDOM, which is by default the root VDOM, and the LAN extension VDOM.

After connecting to the FortiGate Controller, the following settings are automatically configured on the FortiGate Connector:

  • VDOM link interface in the LAN extension VDOM is a part of the LAN extension software switch.

  • VDOM link interface in the traffic VDOM is dynamically assigned an IP address obtained through the FortiGate Controller.

The traffic VDOM can be used to:

  • Apply application steering to the local internet connection or to FortiGate Controller network (FortiSASE) using SD-WAN.

  • Apply local security features for traffic egressing the local internet connection, such as antivirus, intrusion prevention security (IPS), application control, and web filtering, by creating a firewall policy with the destination interface configured as either the FortiGate WAN interface or an SD-WAN zone with the FortiGate WAN interface as a member.

Example

This example demonstrates how to configure the FortiGate Connector to connect to FortiSASE as the FortiGate Controller. In FortiSASE, the FortiGate Connector is more commonly known as the FortiGate secure edge.

To configure the FortiGate Connector using the CLI:
  1. Enable multi-VDOM mode from the CLI:

    config system global
        set vdom-mode multi-vdom
    end
  2. Verify that the FortiExtender setting is enabled in the global VDOM:

    # config global
    # show full system global | grep fortiextender -f
    …
        set fortiextender enable
  3. Create a new LAN extension VDOM with the LAN extension controller address as the FortiSASE domain name.

    See Connecting FortiGate to FortiSASE using GUI and CLI for details on how to find the FortiSASE domain name.

    In this example, the VDOM name is ext, and the FortiSASE domain name is turbo-a1p0hv3p.edge.prod.fortisase.com.

    config vdom
        edit ext
            config system settings
                set vdom-type lan-extension
                set lan-extension-controller-addr turbo-a1p0hv3p.edge.prod.fortisase.com
                set ike-port 4500
            end
        next
    end
  4. Move interfaces from the root VDOM to the new LAN extension VDOM, and set the appropriate WAN and LAN roles.

    • Before moving an interface to a new VDOM, delete all references, such as firewall policies or firewall objects. See Finding object dependencies.

    • If interfaces are already part of a hardware switch, remove them from the hardware switch to make them available for the new VDOM. See Hardware switch.

    In this example from the global VDOM, the wan1 and internal1 interfaces are moved to the LAN extension VDOM named ext, and their roles are set appropriately as WAN and LAN.

    1. From the GUI, go to the Global VDOM.

    2. Go to Network > Interfaces and edit the wan1 interface:

      1. Set the Role to WAN.

      2. Set the Virtual domain to ext.

      3. Click OK.

    3. Go to Network > Interfaces and edit the internal1 interface:

      1. Set the Role to LAN.

      2. Set the Virtual domain to ext.

      3. Click OK.

  5. For the WAN interface within the LAN extension VDOM, edit the interface and ensure that Security Fabric connections are allowed:

    1. From the GUI, go to the Global VDOM.

    2. Go to Network > Interfaces and edit the WAN1 interface.

    3. Under Administrative Access, ensure PING and Security Fabric Connection are selected.

    4. Click OK.

    This configuration assumes that the WAN and LAN interfaces are already configured with static IP addresses or configured to use DHCP accordingly.

  6. (Optional) If your LAN extension VDOM is not configured as the management VDOM, and you require a custom DNS server to resolve the FortiGate Controller hostname, then you must configure the VDOM DNS settings within the VDOM:

    config vdom
        edit ext
            config system vdom-dns
                set vdom-dns enable
                set primary 1.2.3.4
                set secondary 2.3.4.5
            end
        next
    end
  7. In FortiSASE, authorize the FortiGate as a LAN extension in the Edge Devices > FortiGates page. See Authorizing a FortiGate.

  8. In the LAN extension VDOM, in Network > LAN Extension observe that the Connection Summary shows values for the Access Controller Name, Access Controller IP, and Connected status. These all indicate the LAN extension VDOM established a successful connection with FortiSASE.

  9. After the LAN extension VDOM connects to FortiSASE, observe from the Global VDOM under Network > Interfaces:

    • A VDOM link ivl-lan-ext is created.

    • The VDOM link interface in the LAN extension VDOM (ivl-lan-ext1) is part of the le-switch LAN extension software switch. Network connectivity to the FortiGate Controller (that is, to FortiSASE) is achieved through the software switch.

    • The VDOM link interface in the traffic (root) VDOM (ivl-lan-ext0) has obtained an IP address dynamically from the FortiGate Controller.

  10. Within the root VDOM, create a firewall policy with ivl-lan-ext0 as the destination and lan as the source within the traffic VDOM to allow local traffic in the IP address range for DHCP clients in the LAN subnet (LAN-DHCP-RANGE) from the FortiGate Connector to access the internet through the FortiGate Controller (FortiSASE).

    1. From the GUI, go to the root VDOM.

    2. Go to Policy & Objects > Firewall Policy.

    3. Click Create New.

    4. Create a new policy with the following settings:

      Name traffic-VDOM-to-FortiSASE
      Incoming Interface lan
      Outgoing Interface ivl-lan-ext0
      Source LAN-DHCP-RANGE
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT

      NAT

      Enabled

    5. Click OK.

  11. Within the root VDOM, create a firewall policy with wan2 (second ISP link on FortiGate with proper routing already set up) as the destination and lan as the source within the traffic VDOM to allow local traffic in the IP address range for static IP clients in the LAN subnet (LAN-STATIC-RANGE) from the FortiGate Connector to access the internet through the FortiGate Controller (FortiSASE). Security Profiles and SSL certificate inspection are also enabled on this policy.

    1. From the GUI, go to the root VDOM.

    2. Go to Policy & Objects > Firewall Policy.

    3. Click Create New.

    4. Create a new policy with the following settings:

      Name traffic-VDOM-to-wan2
      Incoming Interface lan
      Outgoing Interface wan2
      Source LAN-STATIC-RANGE
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT

      NAT

      Enabled

      AntiVirus

      g-default

      Web filter

      g-default

      DNS filter

      default

      Application control

      g-default

      SSL inspection

      certificate-inspection

    5. Click OK.

FortiGate secure edge to FortiSASE

FortiGate secure edge to FortiSASE

VDOM configuration for the FortiGate LAN extension has been simplified. When you configure the FortiGate LAN extension VDOM, FortiOS automatically configures a VDOM link between a traffic VDOM, which is by default the root VDOM, and the LAN extension VDOM.

After connecting to the FortiGate Controller, the following settings are automatically configured on the FortiGate Connector:

  • VDOM link interface in the LAN extension VDOM is a part of the LAN extension software switch.

  • VDOM link interface in the traffic VDOM is dynamically assigned an IP address obtained through the FortiGate Controller.

The traffic VDOM can be used to:

  • Apply application steering to the local internet connection or to FortiGate Controller network (FortiSASE) using SD-WAN.

  • Apply local security features for traffic egressing the local internet connection, such as antivirus, intrusion prevention security (IPS), application control, and web filtering, by creating a firewall policy with the destination interface configured as either the FortiGate WAN interface or an SD-WAN zone with the FortiGate WAN interface as a member.

Example

This example demonstrates how to configure the FortiGate Connector to connect to FortiSASE as the FortiGate Controller. In FortiSASE, the FortiGate Connector is more commonly known as the FortiGate secure edge.

To configure the FortiGate Connector using the CLI:
  1. Enable multi-VDOM mode from the CLI:

    config system global
        set vdom-mode multi-vdom
    end
  2. Verify that the FortiExtender setting is enabled in the global VDOM:

    # config global
    # show full system global | grep fortiextender -f
    …
        set fortiextender enable
  3. Create a new LAN extension VDOM with the LAN extension controller address as the FortiSASE domain name.

    See Connecting FortiGate to FortiSASE using GUI and CLI for details on how to find the FortiSASE domain name.

    In this example, the VDOM name is ext, and the FortiSASE domain name is turbo-a1p0hv3p.edge.prod.fortisase.com.

    config vdom
        edit ext
            config system settings
                set vdom-type lan-extension
                set lan-extension-controller-addr turbo-a1p0hv3p.edge.prod.fortisase.com
                set ike-port 4500
            end
        next
    end
  4. Move interfaces from the root VDOM to the new LAN extension VDOM, and set the appropriate WAN and LAN roles.

    • Before moving an interface to a new VDOM, delete all references, such as firewall policies or firewall objects. See Finding object dependencies.

    • If interfaces are already part of a hardware switch, remove them from the hardware switch to make them available for the new VDOM. See Hardware switch.

    In this example from the global VDOM, the wan1 and internal1 interfaces are moved to the LAN extension VDOM named ext, and their roles are set appropriately as WAN and LAN.

    1. From the GUI, go to the Global VDOM.

    2. Go to Network > Interfaces and edit the wan1 interface:

      1. Set the Role to WAN.

      2. Set the Virtual domain to ext.

      3. Click OK.

    3. Go to Network > Interfaces and edit the internal1 interface:

      1. Set the Role to LAN.

      2. Set the Virtual domain to ext.

      3. Click OK.

  5. For the WAN interface within the LAN extension VDOM, edit the interface and ensure that Security Fabric connections are allowed:

    1. From the GUI, go to the Global VDOM.

    2. Go to Network > Interfaces and edit the WAN1 interface.

    3. Under Administrative Access, ensure PING and Security Fabric Connection are selected.

    4. Click OK.

    This configuration assumes that the WAN and LAN interfaces are already configured with static IP addresses or configured to use DHCP accordingly.

  6. (Optional) If your LAN extension VDOM is not configured as the management VDOM, and you require a custom DNS server to resolve the FortiGate Controller hostname, then you must configure the VDOM DNS settings within the VDOM:

    config vdom
        edit ext
            config system vdom-dns
                set vdom-dns enable
                set primary 1.2.3.4
                set secondary 2.3.4.5
            end
        next
    end
  7. In FortiSASE, authorize the FortiGate as a LAN extension in the Edge Devices > FortiGates page. See Authorizing a FortiGate.

  8. In the LAN extension VDOM, in Network > LAN Extension observe that the Connection Summary shows values for the Access Controller Name, Access Controller IP, and Connected status. These all indicate the LAN extension VDOM established a successful connection with FortiSASE.

  9. After the LAN extension VDOM connects to FortiSASE, observe from the Global VDOM under Network > Interfaces:

    • A VDOM link ivl-lan-ext is created.

    • The VDOM link interface in the LAN extension VDOM (ivl-lan-ext1) is part of the le-switch LAN extension software switch. Network connectivity to the FortiGate Controller (that is, to FortiSASE) is achieved through the software switch.

    • The VDOM link interface in the traffic (root) VDOM (ivl-lan-ext0) has obtained an IP address dynamically from the FortiGate Controller.

  10. Within the root VDOM, create a firewall policy with ivl-lan-ext0 as the destination and lan as the source within the traffic VDOM to allow local traffic in the IP address range for DHCP clients in the LAN subnet (LAN-DHCP-RANGE) from the FortiGate Connector to access the internet through the FortiGate Controller (FortiSASE).

    1. From the GUI, go to the root VDOM.

    2. Go to Policy & Objects > Firewall Policy.

    3. Click Create New.

    4. Create a new policy with the following settings:

      Name traffic-VDOM-to-FortiSASE
      Incoming Interface lan
      Outgoing Interface ivl-lan-ext0
      Source LAN-DHCP-RANGE
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT

      NAT

      Enabled

    5. Click OK.

  11. Within the root VDOM, create a firewall policy with wan2 (second ISP link on FortiGate with proper routing already set up) as the destination and lan as the source within the traffic VDOM to allow local traffic in the IP address range for static IP clients in the LAN subnet (LAN-STATIC-RANGE) from the FortiGate Connector to access the internet through the FortiGate Controller (FortiSASE). Security Profiles and SSL certificate inspection are also enabled on this policy.

    1. From the GUI, go to the root VDOM.

    2. Go to Policy & Objects > Firewall Policy.

    3. Click Create New.

    4. Create a new policy with the following settings:

      Name traffic-VDOM-to-wan2
      Incoming Interface lan
      Outgoing Interface wan2
      Source LAN-STATIC-RANGE
      Destination all
      Schedule always
      Service ALL
      Action ACCEPT

      NAT

      Enabled

      AntiVirus

      g-default

      Web filter

      g-default

      DNS filter

      default

      Application control

      g-default

      SSL inspection

      certificate-inspection

    5. Click OK.