Virtual Domains (VDOMs) are used to divide a single physical FortiGate firewall
into two or more virtual instances that function as independent
firewalls. Creating VDOMs does not cause the firewall to reboot, but it will
log you out of the device.
There are two VDOM modes:
1. Split-task VDOM mode
2. Multi VDOM mode
Split-task VDOM mode
Only two VDOMs can be created in this mode: one for management (the root VDOM) and
one for processing firewall traffic (the FG-traffic VDOM). This mode
is not available on all FortiGate models.
How to enable split-task VDOM mode
This can be enabled using either the web GUI or the CLI.
Using the GUI:
1. Go to System > Settings and enable Virtual Domains under
System Operation Settings.
2. Select Split-Task VDOM.
3. Select a management interface from the interface list. This interface is used to reach the
management VDOM and cannot be used in firewall policies.
4. Click OK.
Using the CLI:
FG-FW-01# config system global
FG-FW-01# set vdom-mode split-vdom
FG-FW-01# end
Multi VDOM mode
Multiple VDOMs can be created and managed as independent units. Multi VDOM mode
works well for managed service providers running multi-tenant
configurations, and for large enterprise environments.
FortiGate has two types of VDOM in multi VDOM mode:
1. Admin VDOM
2. Traffic VDOM
Admin VDOM:
Used only for management purposes.
Does not pass any traffic.
Traffic VDOM:
Processes all the network traffic passing through the FortiGate.
Can have separate security policies for different units.
There are 3 main configuration types in multi-VDOM mode:
Management VDOM
Independent VDOM
Meshed VDOM
Management VDOM:
By default the management VDOM is root. Any VDOM can be the management VDOM in
multi-VDOM mode, as long as it has internet access, because services such as web
filtering use public FortiGate servers.
Independent VDOM:
The VDOMs are completely separated and there is no communication between
them. Each VDOM has its own dedicated physical link to the
Internet.
Meshed VDOM:
VDOMs are interconnected through inter-VDOM links. In full-mesh configuration,
all the VDOMs are interconnected. In partial-mesh configuration, only some of
the VDOMs are interconnected.
How to enable multi VDOM mode
This can be enabled using either the web GUI or the CLI.
Using the GUI:
1. Go to System > Settings and enable Virtual Domains under
System Operation Settings.
2. Select Multi VDOM.
3. Click OK.
Using the CLI:
FG-FW-01# config system global
FG-FW-01# set vdom-mode multi-vdom
FG-FW-01# end
How to create VDOMs
Using the GUI:
From the Global VDOM, go to System > VDOM and click Create New. A dialog
opens.
Provide a name for the VDOM, select the appropriate NGFW mode, and
click OK.
Using the CLI:
FG-FW-01 # config vdom
FG-FW-01 (vdom) # edit Test-VDOM
Note:
To prevent accidentally creating VDOMs from the CLI (a mistyped name in the edit command would otherwise create a new VDOM), enable the
confirmation prompt in the global configuration. This can also be enabled before any VDOMs are created; because VDOMs already exist in this example, you have to switch to the global configuration first.
FG-FW-01 # config global
FG-FW-01 (global) # config system global
FG-FW-01 (global) # set edit-vdom-prompt enable
FG-FW-01 (global) # end
This will prompt for confirmation before a VDOM is created:
FG-FW-01 # config vdom
FG-FW-01 (vdom) # edit Test-VDOM
The input VDOM name doesn't exist.
Do you want to create a new VDOM?
Please press 'y' to continue, or press 'n' to cancel.
(y/n)y
How to assign an interface to a VDOM
Using the web GUI:
From the Global VDOM, go to Network > Interfaces and double-click
the interface you wish to assign to the VDOM.
From the Virtual Domain drop-down list, select the desired VDOM
and click OK to save the changes.
Using the CLI:
FG-FW-01 # config global
FG-FW-01 (global) # config system interface
FG-FW-01 (interface) # edit port2
FG-FW-01 (port2) # set vdom Test-VDOM
FG-FW-01 (port2) # end
FG-FW-01 (global) # end
FG-FW-01 #
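After creating VDOMs and assigning interfaces, it is worth checking the resulting configuration rather than trusting the sequence of prompts. The script below is an added example written for this post, not FortiGate code or Fortinet tooling. It parses a FortiOS-style configuration dump (the config / edit / set / next / end structure shown in the CLI sessions above) and reports the vdom-mode, whether edit-vdom-prompt is enabled, which interfaces belong to which VDOM, interfaces that were never explicitly assigned (and so silently remain in the root management VDOM), and interfaces that reference a VDOM that does not exist. The sample configuration, hostname, VDOM names and addresses are constructed for the example, and the parser assumes the simplified top-level layout shown in the sample rather than the config global / config vdom wrapping of a real multi-VDOM backup.

```python
import shlex
from collections import defaultdict

# Constructed sample in the shape of FortiOS "show" output. The hostname,
# VDOM names and addresses are made up for this example. port3 has no
# "set vdom" line and port4 points at a VDOM that is never defined.
SAMPLE_CONFIG = """\
config system global
    set hostname "FG-FW-01"
    set vdom-mode multi-vdom
    set edit-vdom-prompt enable
end
config vdom
    edit root
    next
    edit Test-VDOM
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "port2"
        set vdom "Test-VDOM"
    next
    edit "port3"
        set ip 203.0.113.1 255.255.255.0
    next
    edit "port4"
        set vdom "Staging"
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end lines into nested dicts.

    'config a b' and 'edit x' open a nested dict keyed by their arguments;
    'set k v...' stores the value list under k; 'next' and 'end' close the
    innermost open block. shlex removes the quotes around names and values.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            node = stack[-1].setdefault(" ".join(args), {})
            stack.append(node)
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def vdom_mode(cfg):
    # FortiOS values are no-vdom (the default), split-vdom and multi-vdom.
    return cfg.get("system global", {}).get("vdom-mode", ["no-vdom"])[0]


def edit_vdom_prompt_enabled(cfg):
    return cfg.get("system global", {}).get("edit-vdom-prompt", ["disable"])[0] == "enable"


def interfaces_by_vdom(cfg):
    """Map each VDOM name to the interfaces assigned to it.
    An interface without a 'set vdom' line belongs to root by default."""
    by_vdom = defaultdict(list)
    for name, iface in cfg.get("system interface", {}).items():
        by_vdom[iface.get("vdom", ["root"])[0]].append(name)
    return dict(by_vdom)


def audit(cfg):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    mode = vdom_mode(cfg)
    defined = set(cfg.get("vdom", {}))
    if mode == "no-vdom":
        findings.append("VDOMs are not enabled (vdom-mode is no-vdom)")
    if mode == "split-vdom" and len(defined) > 2:
        findings.append(f"split-vdom mode allows only two VDOMs but {len(defined)} are defined")
    if mode == "multi-vdom" and not edit_vdom_prompt_enabled(cfg):
        findings.append("edit-vdom-prompt is disabled: a mistyped 'edit <name>' creates a VDOM without asking")
    for name, iface in cfg.get("system interface", {}).items():
        if "vdom" not in iface:
            findings.append(f"{name} has no explicit VDOM assignment and defaults to root")
        elif iface["vdom"][0] not in defined:
            findings.append(f"{name} is assigned to undefined VDOM {iface['vdom'][0]}")
    return findings


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("vdom-mode:", vdom_mode(cfg))
    for vdom, ifaces in sorted(interfaces_by_vdom(cfg).items()):
        print(f"  {vdom}: {', '.join(ifaces)}")
    for finding in audit(cfg):
        print("FINDING:", finding)
```

Run against the sample, the audit reports port3 (left in root by omission) and port4 (undefined VDOM); everything else is as intended. To use it on a real device, paste the relevant `show system global`, `show vdom` and `show system interface` output into the string, or extend the parser to descend into the config global / config vdom wrappers of a full backup.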