LAB 4 - Transparent Mode

DO NOT REPRINT

© FORTINET
Lab 4: Transparent Mode

In this lab, you will create a transparent mode VDOM. You will also configure an inter-VDOM link, this time
between a transparent mode VDOM and a NAT mode VDOM.

Objectives
• Configure a transparent mode VDOM.
• Configure an inter-VDOM link.

Time to Complete
Estimated:  20 minutes

Lab Topology
The goal of this lab is to create the topology shown in the lab diagram. You will use VDOMs to logically split
the Local-FortiGate into two virtual firewalls: the root VDOM and the inspect VDOM. The root VDOM is in NAT
mode. The inspect VDOM is in transparent mode and inspects the traffic for virus protection. As a result, all
Internet traffic coming from Local-Windows must first traverse the root VDOM, and then the inspect VDOM.

Prerequisites
Before beginning this lab, you must restore a configuration file to Local-FortiGate.

FortiGate Infrastructure 6.0 Lab Guide 59


Fortinet Technologies Inc.
To restore the FortiGate configuration file
1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. In the upper-right corner of the screen, click admin, and then click Configuration > Restore.

3. Ensure the Scope is set for Global, then click Local PC, and then click Upload.
4. Click Desktop > Resources > FortiGate-Infrastructure > Layer2 > local-layer-2.conf, and then click
Open.
5. Click OK.
6. Click OK to reboot.

Exercise 1: Transparent Mode VDOM

The configuration file for this exercise already has VDOMs enabled. In this exercise, you need to create only a
transparent mode VDOM called inspect and then move the interface to the inspect VDOM.

Create a Transparent Mode VDOM

You will create a new VDOM, and then change its operation mode to transparent.

To create a transparent mode VDOM


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
The configuration that you restored at the beginning of this lab has VDOMs enabled. For this reason, you will
see a VDOM drop-down menu at the top of the navigation menu. It provides access to the global settings and to
the settings of each individual VDOM.

2. In the drop-down menu, select Global.


3. Click System > VDOM, and then click Create New.
4. Configure the following settings:

Field              Value
Virtual Domain     inspect
Inspection Mode    Flow-Based


5. Click OK.
6. Continuing on the Local-Windows VM, open PuTTY and connect over SSH to the LOCAL-FORTIGATE saved
session.
7. At the login prompt, enter the user name admin and password password.
8. Enter the following command to change the inspect VDOM operation mode from the default NAT mode to
transparent mode:

config vdom
    edit inspect
        config system settings
            set opmode transparent
            set manageip 10.200.1.200/24
        end
end

Stop and think!


What is that 10.200.1.200 IP address for?

It is the management IP address for the transparent mode VDOM. Interfaces that belong to a transparent
mode VDOM do not have IP addresses, but the VDOM itself has one. You can use this IP address for
administrative access to the device and this VDOM.

9. Close the PuTTY session.

Moving an Interface to a Different VDOM

You will move the interface port1 to the inspect VDOM.

Take the Expert Challenge!
On the Local-FortiGate GUI (10.0.1.254 | admin/password), move the port1 interface to the
inspect VDOM.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

To move an interface to a different VDOM


1. Return to the browser tab where you are logged into the Local-FortiGate GUI, select the Global VDOM and click
Network > Interfaces.
2. Edit port1.
3. In the Virtual Domain drop-down menu, select inspect.

4. Click OK.

Exercise 2: Inter-VDOM Link

In this exercise, you will create an inter-VDOM link. Then, you will create the firewall policies that allow Internet
access across both VDOMs. Finally, you will configure and test antivirus inspection in the inspect VDOM.

Create an Inter-VDOM Link

Create the inter-VDOM link for routing traffic from the root VDOM to the Internet through the inspect VDOM.

To create an inter-VDOM link


1. On the Local-Windows VM, open a browser and log in to the Local-FortiGate GUI at 10.0.1.254 with the user
name admin and password password.
2. Select the Global VDOM and click Network > Interfaces.
3. Click Create New, and then select VDOM Link.
4. In the Name field, type vlink.
5. In the Interface 0 (vlink0) section, configure the following settings:

Field                    Value
Virtual Domain           root
IP/Network Mask          10.200.1.1/24
Administrative Access    HTTPS, PING, SSH

6. In the Interface 1 (vlink1) section, configure the following settings:

Field                    Value
Virtual Domain           inspect
Administrative Access    HTTPS, PING, SSH

7. Click OK.
The Interfaces page displays with the updated configurations.

8. Review the inter-VDOM link interfaces you just created (expand vlink).


Note that vlink0 and vlink1 are logical interfaces that you can use to route traffic between the root and
inspect VDOMs. An IP address is configurable only on the NAT mode VDOM interface.

Create firewall policies

You will create firewall policies to allow Internet traffic to pass through both VDOMs. You will also enable antivirus
inspection in the inspect VDOM.

Take the Expert Challenge!


On the Local-FortiGate GUI (10.0.1.254 | admin/password), complete the following:

• Create two firewall policies to allow Internet traffic to pass through both VDOMs. One policy will be from
  vlink1 to port1 and the other will be from port3 to vlink0.
• In the inspect VDOM, enable the default antivirus inspection profile on the firewall policy.
If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, see Route Inter-VDOM traffic on page 69.

To create a firewall policy on the inspect VDOM


1. Continuing on the Local-FortiGate GUI, from the VDOM drop-down menu, select inspect.


2. Click Policy & Objects > IPv4 Policy.


3. Click Create New.
4. Configure the following settings.

Field                 Value
Name                  Inspected_Internet
Incoming Interface    vlink1
Outgoing Interface    port1
Source                all
Destination           all
Schedule              always
Service               ALL
Action                ACCEPT

5. In the Security Profiles section, turn on the AntiVirus switch, and then, in the antivirus profile drop-down menu,
select g-default.


6. Click OK.

To create a firewall policy on the root VDOM


1. Continuing in the Local-FortiGate GUI, from the VDOM drop-down menu, select root.
2. Click Policy & Objects > IPv4 Policy, and then click Create New.
3. Configure the following settings.

Field                 Value
Name                  Internet
Incoming Interface    port3
Outgoing Interface    vlink0
Source                all
Destination           all
Schedule              always
Service               ALL
Action                ACCEPT

4. In the Firewall/Network Options section, turn on the NAT switch.


5. In the Logging Options section, turn on the Log Allowed Traffic switch, and then select All Sessions.

6. Click OK.

Route Inter-VDOM traffic

To route traffic from Local-Windows to the inspect VDOM, you must create a default route in the root VDOM.

To route inter-VDOM traffic


1. Continuing on the Local-FortiGate GUI and in the root VDOM, click Network > Static Routes.
2. Click Create New.
3. Configure the following settings:

Field          Value
Destination    Subnet: 0.0.0.0/0.0.0.0
Gateway        10.200.1.254
Interface      vlink0

4. Click OK.
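
The configuration built across Exercise 1 and Exercise 2 (transparent VDOM with its management IP, the vlink pair with an address only on the NAT-mode side, the two policies, the default route) can be expressed as one piece of FortiOS CLI, and the rules the guide explains can be checked before anything is rendered: a transparent VDOM needs a manageip and its interfaces carry no IP, and a policy may only reference interfaces that belong to its own VDOM. The script below is an added example, not part of the Fortinet lab guide. Only the set opmode and set manageip commands come from the guide; the remaining command names (config system vdom-link, config system interface, config firewall policy, config router static and their set keys) are assumed FortiOS 6.0 syntax and should be compared against the device's CLI reference before use.

```python
# Added example, not from the Fortinet lab guide. Only 'set opmode' and 'set manageip' come
# from the guide; every other command name is assumed FortiOS 6.0 syntax (verify on device).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vdom:
    name: str
    opmode: str                     # "nat" or "transparent"
    manageip: Optional[str] = None  # how a transparent VDOM is reached; its ports carry no IP

@dataclass
class Interface:
    name: str
    vdom: str
    ip: Optional[str] = None        # "addr mask"; legal only on a NAT-mode VDOM
    allowaccess: str = ""           # e.g. "https ping ssh"

@dataclass
class Policy:
    vdom: str
    name: str
    srcintf: str
    dstintf: str
    nat: bool = False
    av_profile: Optional[str] = None
    logtraffic: Optional[str] = None

def check_topology(vdoms, interfaces, policies):
    """Raise ValueError on the mistakes this lab warns about; return True otherwise."""
    mode = {v.name: v.opmode for v in vdoms}
    for v in vdoms:
        if v.opmode == "transparent" and not v.manageip:
            raise ValueError(f"VDOM {v.name}: transparent mode needs a manageip")
    for i in interfaces:
        if mode.get(i.vdom) == "transparent" and i.ip:
            raise ValueError(f"{i.name}: interfaces of transparent VDOM {i.vdom} carry no IP")
    owned = {(i.vdom, i.name) for i in interfaces}
    for p in policies:
        for intf in (p.srcintf, p.dstintf):
            if (p.vdom, intf) not in owned:
                raise ValueError(f"policy {p.name}: {intf} does not belong to VDOM {p.vdom}")
    return True

def render(vdoms, interfaces, policies, vdom_links, route):
    """Return the CLI as one string; route is (vdom, gateway, device) for a default route."""
    check_topology(vdoms, interfaces, policies)
    o = ["config vdom"]
    for v in vdoms:
        o += [f"    edit {v.name}", "        config system settings",
              f"            set opmode {v.opmode}"]
        if v.manageip:
            o.append(f"            set manageip {v.manageip}")
        o += ["        end", "    next"]
    o += ["end", "config global", "    config system vdom-link"]
    for link in vdom_links:                       # FortiOS derives <link>0 and <link>1
        o += [f"        edit {link}", "        next"]
    o += ["    end", "    config system interface"]
    for i in interfaces:                          # assign each interface to its VDOM
        o += [f"        edit {i.name}", f"            set vdom {i.vdom}"]
        if i.ip:
            o.append(f"            set ip {i.ip}")
        if i.allowaccess:
            o.append(f"            set allowaccess {i.allowaccess}")
        o.append("        next")
    o += ["    end", "end"]
    for p in policies:
        o += ["config vdom", f"    edit {p.vdom}", "        config firewall policy",
              "            edit 0", "                set action accept"]
        for key, val in (("name", p.name), ("srcintf", p.srcintf), ("dstintf", p.dstintf),
                         ("srcaddr", "all"), ("dstaddr", "all"), ("schedule", "always"),
                         ("service", "ALL")):
            o.append(f'                set {key} "{val}"')
        if p.nat:
            o.append("                set nat enable")
        if p.av_profile:                          # flow-based AV, as in the inspect VDOM
            o += ["                set utm-status enable",
                  f'                set av-profile "{p.av_profile}"']
        if p.logtraffic:
            o.append(f"                set logtraffic {p.logtraffic}")
        o += ["            next", "        end", "    next", "end"]
    rv, gw, dev = route
    o += ["config vdom", f"    edit {rv}", "        config router static", "            edit 0",
          f"                set gateway {gw}", f'                set device "{dev}"',
          "            next", "        end", "    next", "end"]
    return "\n".join(o) + "\n"

# The lab topology: root (NAT) on the LAN side, inspect (transparent) in front of port1.
LAB_VDOMS = [Vdom("root", "nat"), Vdom("inspect", "transparent", "10.200.1.200/24")]
LAB_INTERFACES = [
    Interface("port3", "root"),                   # keeps its existing 10.0.1.254 address
    Interface("port1", "inspect"),                # moved in Exercise 1; no IP in transparent mode
    Interface("vlink0", "root", "10.200.1.1 255.255.255.0", "https ping ssh"),
    Interface("vlink1", "inspect", None, "https ping ssh"),
]
LAB_POLICIES = [
    Policy("inspect", "Inspected_Internet", "vlink1", "port1", av_profile="g-default"),
    Policy("root", "Internet", "port3", "vlink0", nat=True, logtraffic="all"),
]
LAB_ROUTE = ("root", "10.200.1.254", "vlink0")
```

Calling render(LAB_VDOMS, LAB_INTERFACES, LAB_POLICIES, ["vlink"], LAB_ROUTE) returns the complete configuration text. Because check_topology runs first, giving vlink1 an IP address, leaving out the management IP of the inspect VDOM, or pointing the root policy at port1 (an interface owned by inspect) raises a ValueError instead of producing a configuration that the device would reject.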

Test the Transparent Mode VDOM

You will use the traceroute command to confirm that Internet traffic is crossing the inter-VDOM link. Then, you
will try to download a virus to confirm that antivirus inspection in the inspect VDOM is working.

To test the transparent mode VDOM


1. Continuing on the Local-Windows VM, open a command prompt window.
2. Run the following traceroute to verify that your first two hops are 10.0.1.254 and 10.200.1.254.

tracert -d 10.200.3.1

Stop and think!


You will observe that the first hop IP address is 10.0.1.254, which is port3 in the root VDOM. The
second hop IP address is 10.200.1.254, which is the Linux server. Why isn't the traceroute showing any
IP address belonging to the inspect VDOM?

A transparent mode VDOM does not route packets the way a NAT mode VDOM does. Instead, it forwards frames
based on their destination MAC addresses, as a Layer 2 switch does. A traceroute shows the IP addresses of
the routers along the path to a destination. Because the inspect VDOM acts as a Layer 2 switch rather than
a router, it does not appear as a hop.

3. Close the command prompt.


4. Open a new browser tab and go to:

http://www.eicar.org

5. Click Download ANTI MALWARE TESTFILE, and then click Download.

6. Select the option to download the eicar.com file using HTTP.

7. Confirm that the antivirus profile in the inspect VDOM blocks the download.
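
The traceroute check in step 2 can be made explicit: parse the tracert output, confirm the first two hops are port3 of the root VDOM and the Linux server, and confirm that the management IP of the inspect VDOM (10.200.1.200, set in Exercise 1) never appears, which is the Layer 2 behaviour the Stop and think describes. This is an added example, not part of the lab guide; the tracert output embedded below is constructed to match what the guide says you should see, not captured from the lab VM, and the parser expects the numeric output that tracert -d produces.

```python
import re

# Constructed sample of 'tracert -d 10.200.3.1' as the lab expects it to look (not captured
# from the lab VM): hop 1 is port3 of the root VDOM, hop 2 the Linux server, hop 3 the target.
SAMPLE_TRACERT = """\
Tracing route to 10.200.3.1 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.0.1.254
  2     1 ms     1 ms     1 ms  10.200.1.254
  3     2 ms     2 ms     2 ms  10.200.3.1

Trace complete.
"""

# A hop line: hop number, three timing columns, then an IPv4 address or "Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d{1,3}(?:\.\d{1,3}){3}|Request timed out\.)\s*$")


def parse_tracert(text):
    """Return [(hop, ip_or_None), ...] parsed from Windows 'tracert -d' output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            addr = m.group(3)
            hops.append((int(m.group(1)), None if addr.startswith("Request") else addr))
    return hops


def check_path(text, expected_first_hops, transparent_manageip):
    """True when the path starts with the expected routers and the transparent VDOM's
    management IP is absent: a Layer 2 VDOM forwards frames and never shows up as a hop."""
    ips = [ip for _, ip in parse_tracert(text)]
    return ips[:len(expected_first_hops)] == expected_first_hops and transparent_manageip not in ips
```

Feed the real output of the tracert command from step 2 into check_path with ["10.0.1.254", "10.200.1.254"] and "10.200.1.200"; a False result means either the default route in the root VDOM is not sending traffic over vlink0, or something in the path is routing where the guide expects switching.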

Review log files on root VDOM
1. Return to the browser tab where you are logged into the Local-FortiGate GUI and the root VDOM, and click Log
& Report > Forward Traffic.
2. Locate a log entry for the www.eicar.org website.
3. Click one of the entries to view more details.

Stop and think!


Why do the log entries indicate that the traffic was permitted?

Remember that the root VDOM is the unrestricted Internet side of the inter-VDOM link. In the next steps
you will review the logs for the inspect VDOM.

Review log files on the inspect VDOM


1. Continuing on the Local-FortiGate GUI, in the VDOM drop-down menu, select inspect.
2. Click Log & Report > Forward Traffic, and then locate a log entry for the www.eicar.org website.
3. Click the entry to view more details.
You should notice that the item was blocked by the antivirus policy.
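
The two log reviews above make the same comparison by hand: the root VDOM logs the session as permitted, the inspect VDOM logs it as blocked. The script below does that comparison over FortiGate key=value traffic log lines, keeping only sessions to www.eicar.org and reporting a verdict per VDOM. It is an added example, not from the lab guide; the three log lines are constructed, and while the field names used (vd, action, utmaction, virus, hostname, policyname) are real FortiOS log fields, the values and the exact set of fields a 6.0 device writes for this event are assumptions.

```python
import re

# Constructed FortiGate forward-traffic log lines in the key=value format FortiOS writes.
# Field names are real FortiOS log fields; the values, and which fields a 6.0 device emits for
# this exact event, are assumed rather than captured from the lab device.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" vd="root" '
    'srcip=10.0.1.10 dstip=10.200.3.1 dstport=80 proto=6 action="accept" policyid=1 '
    'policyname="Internet" hostname="www.eicar.org" sentbyte=512 rcvdbyte=2048',
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" vd="inspect" '
    'srcip=10.0.1.10 dstip=10.200.3.1 dstport=80 proto=6 action="accept" policyid=1 '
    'policyname="Inspected_Internet" hostname="www.eicar.org" utmaction="block" '
    'virus="EICAR_TEST_FILE" sentbyte=512 rcvdbyte=1024',
    'date=2024-01-01 time=10:00:05 type="traffic" subtype="forward" vd="root" '
    'srcip=10.0.1.10 dstip=10.200.3.1 dstport=80 proto=6 action="accept" policyid=1 '
    'policyname="Internet" hostname="www.example.invalid" sentbyte=300 rcvdbyte=900',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value either quoted or bare


def parse_log(line):
    """Split one FortiGate log line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def verdict_by_vdom(lines, host):
    """Map VDOM name -> 'blocked' or 'allowed' for sessions to the given hostname.
    The root VDOM only records its own policy decision (accept); the inspect VDOM is where the
    antivirus profile acts, so its entry is the one that carries utmaction/virus fields."""
    verdicts = {}
    for line in lines:
        rec = parse_log(line)
        if rec.get("hostname") != host:
            continue
        blocked = rec.get("utmaction") == "block" or rec.get("action") == "deny"
        vd = rec.get("vd", "?")
        # one blocked session in a VDOM's logs outweighs any earlier accepted one
        verdicts[vd] = "blocked" if blocked or verdicts.get(vd) == "blocked" else "allowed"
    return verdicts
```

Run against the Forward Traffic logs exported from both VDOMs, verdict_by_vdom(lines, "www.eicar.org") should give {"root": "allowed", "inspect": "blocked"}: the root entry confirms the session reached the inter-VDOM link, and the inspect entry is the evidence that the antivirus profile on Inspected_Internet did the blocking.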
