Configuring your VLAN interfaces and subnets
Before setting a VLAN to "route-through" on the vFSA as described in Managing VLANs with a gateway appliance, you must first configure the VLAN interfaces and subnet gateways on the FortiGate itself. This process is required for every VLAN that you want to route through the vFSA. Every VLAN has at least one subnet, and for each subnet on the VLAN you also need to configure the subnet gateway IP on the VLAN interface on the FortiGate.
Prerequisites
You will first need to validate that your VLAN is eligible to be protected by the vFSA. For a VLAN to be associated and set to "route-through" for a vFSA, it must be located in the same "Pod" as the vFSA. Each "Pod" number corresponds to the numbered BCR or FCR. For example, pod 1 in the dal12 data center would be within dal12.bcr01 and dal12.fcr01. As such, if you wanted to order a server and protect it with a vFSA provisioned in pod 2 of dal13, when you select the VLAN for your virtual server you would select a VLAN prefixed with dal13.bcr02 for the private VLAN and dal13.fcr02 for the public VLAN.
Second, for each VLAN, you need to gather the VLAN number. For each subnet on each VLAN, you also need to gather the subnet gateway IP and subnet mask.
A list of subnets as well as the VLANs on your account can be found in the IBM Cloud console. Clicking a subnet in the console displays its extended information, including the subnet gateway IP and the subnet mask. In addition, the VLAN's fully qualified name includes information on which "Pod" the VLAN is in.
VLAN and subnet gateway configuration for an HA vFSA cluster
You can directly configure your public VLANs, private VLANs, and subnet gateway IPs on both the FortiGate Web GUI and the FortiOS CLI. The FortiOS CLI is available through both the web GUI and SSH. For more information, refer to this article.
Configuring your VLAN for HA clusters using the FortiOS CLI
For HA clusters on the vFSA, 4 aggregate interfaces are configured during provisioning:
Agg0 is the outside private WAN interface.
Agg1 is the outside public WAN interface.
Agg2 is the inside private interface.
Agg3 is the inside public interface.
Ensure that you configure any private VLANs with agg2 as the parent interface. Also configure any public VLANs with agg3 defined as the parent interface.
The following example illustrates the CLI configuration of private VLAN 798, which has a subnet of 10.37.22.0/26. The subnet gateway for that subnet is 10.37.22.1, and the subnet mask is 255.255.255.192.
The example labels the interface using the VLAN number, b for backend (private), and inside, defining it as an inside VLAN. The set allowaccess command provides control plane protection: it stipulates which control/management plane services the FortiGate will answer on 10.37.22.1/32. Only ping is set, because the subnet gateway IP is almost never used for management access to the FortiGate.
However, if you want to access the FortiGate using that IP, you can add services (such as SSH or HTTPS) for remote CLI and web GUI access respectively.
config system interface
    edit "v798-b-inside"
        set vdom "root"
        set ip 10.37.22.1 255.255.255.192
        set allowaccess ping
        set role lan
        set interface "agg2"
        set vlanid 798
    next
end
For any additional subnets on the VLAN, add the subnet gateway and mask as secondary IPs on the interface. For example, if there was another subnet (10.37.23.0/24) on VLAN 798, you could use the following commands:
config system interface
    edit "v798-b-inside"
        set secondary-IP enable
        config secondaryip
            edit 0
                set ip 10.37.23.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
end
The following example illustrates the configuration of a public VLAN (803) on subnet 67.228.192.0/28. The subnet gateway of that subnet is 67.228.192.1 and the subnet mask is 255.255.255.240. The example labels the interface using the VLAN number, f for front end (public), and inside, defining it as an inside VLAN.
config system interface
    edit "v803-f-inside"
        set vdom "root"
        set ip 67.228.192.1 255.255.255.240
        set allowaccess ping
        set role lan
        set interface "agg3"
        set vlanid 803
    next
end
For any additional subnets on the VLAN, add the subnet gateway and mask as secondary IPs on the interface. For example, if there was another subnet (67.228.225.128/26) on VLAN 803, you might use the following commands:
config system interface
    edit "v803-f-inside"
        set secondary-IP enable
        config secondaryip
            edit 0
                set ip 67.228.225.129 255.255.255.192
                set allowaccess ping
            next
        end
    next
end
VLAN and subnet gateway configuration for a stand-alone vFSA
For the stand-alone vFSA, the VLAN interface configurations and the subnet gateway configurations are identical to the HA configurations, with the exception that the parent interface for inside private VLANs is agg0 and the parent interface for inside public VLANs is agg1. In the following examples, the same sample VLANs and subnets from the previous HA example configurations are used.
Configuring using FortiOS CLI for stand-alone vFSA
The private VLAN (798) is configured on the stand-alone version in this way:
config system interface
    edit "v798-b-inside"
        set vdom "root"
        set ip 10.37.22.1 255.255.255.192
        set allowaccess ping
        set role lan
        set interface "agg0"
        set vlanid 798
    next
end
For additional subnet gateways on the same VLAN interface, it is the same as the HA configuration sample:
config system interface
    edit "v798-b-inside"
        set secondary-IP enable
        config secondaryip
            edit 0
                set ip 10.37.23.1 255.255.255.0
                set allowaccess ping
            next
        end
    next
end
The public VLAN (803) is configured on the stand-alone version in this way:
config system interface
    edit "v803-f-inside"
        set vdom "root"
        set ip 67.228.192.1 255.255.255.240
        set allowaccess ping
        set role lan
        set interface "agg1"
        set vlanid 803
    next
end
The stand-alone vFSA configuration matches the HA configuration for additional subnet gateways on the same VLAN:
config system interface
    edit "v803-f-inside"
        set secondary-IP enable
        config secondaryip
            edit 0
                set ip 67.228.225.129 255.255.255.192
                set allowaccess ping
            next
        end
    next
end
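The HA and stand-alone procedures above differ only in the parent interface, and both require the pod check and the gateway/mask pairs gathered under Prerequisites. The following added example (not part of this page or of FortiOS/IBM Cloud tooling) is a small generator that applies those rules: it refuses a VLAN whose fully qualified name is not in the vFSA's pod, rejects a gateway that is not a host address inside its subnet, picks agg0/agg1 or agg2/agg3 from the mode, and renders the interface plus any secondary IPs as one FortiOS CLI block. The function and parameter names are the example's own; the sample VLANs and subnets are the ones used on this page.

```python
import ipaddress

# Parent interfaces from the page: HA uses agg2/agg3, stand-alone agg0/agg1 (private/public).
PARENT_IFACE = {
    "ha": {"private": "agg2", "public": "agg3"},
    "standalone": {"private": "agg0", "public": "agg1"},
}

def vlan_pod(vlan_fqn):
    """Split 'dal12.bcr01' into (datacenter, router type 'bcr'/'fcr', pod number)."""
    dc, router = vlan_fqn.lower().split(".", 1)
    return dc, router[:3], int(router[3:])

def eligible(vlan_fqn, vfsa_dc, vfsa_pod):
    """A VLAN may be routed through the vFSA only if it sits in the same pod."""
    dc, _, pod = vlan_pod(vlan_fqn)
    return dc == vfsa_dc.lower() and pod == vfsa_pod

def render_vlan_interface(vlan_fqn, vlanid, subnets, mode, vfsa_dc, vfsa_pod):
    """Render FortiOS CLI for one VLAN; subnets is a list of (gateway, cidr).
    The first subnet becomes the interface IP, any others become secondary IPs."""
    if not eligible(vlan_fqn, vfsa_dc, vfsa_pod):
        raise ValueError(f"{vlan_fqn} is not in pod {vfsa_pod} of {vfsa_dc}")
    side = "private" if vlan_pod(vlan_fqn)[1] == "bcr" else "public"
    name = f"v{vlanid}-{'b' if side == 'private' else 'f'}-inside"
    nets = []
    for gw, cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects a non-network address
        if ipaddress.ip_address(gw) not in net.hosts():
            raise ValueError(f"gateway {gw} is not a host address in {cidr}")
        nets.append((gw, str(net.netmask)))
    gw, mask = nets[0]
    lines = ["config system interface", f'    edit "{name}"',
             '        set vdom "root"', f"        set ip {gw} {mask}",
             "        set allowaccess ping",  # ping only: the gateway IP is not a management address
             "        set role lan",
             f'        set interface "{PARENT_IFACE[mode][side]}"',
             f"        set vlanid {vlanid}"]
    if len(nets) > 1:
        lines += ["        set secondary-IP enable", "        config secondaryip"]
        for gw, mask in nets[1:]:
            lines += ["            edit 0", f"                set ip {gw} {mask}",
                      "                set allowaccess ping", "            next"]
        lines.append("        end")
    lines += ["    next", "end"]
    return "\n".join(lines)
```

The rendered text can be pasted into the FortiOS CLI as-is; it combines the primary and secondary IP steps shown separately above into a single edit of the same interface.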
Next steps
Next, you need to create firewall policies to allow traffic flows to these interfaces. Traffic is denied by default. For more information, refer to Working with firewalls.