Single firewall vs. vdoms

Single firewall vs. vdoms

When VDOMs are not enabled, and the FortiGate unit is in transparent mode, all the interfaces on your unit become broadcast interfaces. The problem is there are no interfaces free for additional network segments.

A FortiGate with three interfaces means only limited network segments are possible without purchasing more FortiGate devices.

With multiple VDOMs you can have one of them configured in transparent mode, and the rest in NAT mode. In this configuration, you have an available transparent mode FortiGate unit you can drop into your network for troubleshooting, and you also have the standard.

This example shows how to enable VDOMs on the FortiGate unit and the basic and create a VDOM accounting on the DMZ2 port and assign an administrator to maintain the VDOM. First enable Virtual Domains on the FortiGate unit.

 

To enable VDOMs – web-based manager

1. Go to System > Dashboard > Status.

2. In the System Information widget, select Enable for Virtual Domain.

Note that on FortiGate-60 series and lower models, you need to enable VDOMs in the CLI only.

The FortiGate unit logs you out. Once you log back in, you will notice that the menu structure has changed. This reflects the global settings for all Virtual Domains.

 

To enable VDOMs – CLI

config system global

set vdom-admin enable end

 

Next, add the VDOM called accounting.

 

To add a VDOM – web-based manager

1. Go to Global > VDOM > VDOM, and select Create New.

2. Enter the VDOM name accounting.

3. Select OK.

 

To add a VDOM – CLI

config vdom

edit <new_vdom_name>

end

 

With the Virtual Domain created, you can assign a physical interface to it, and assign it an IP address.

 

To assign physical interface to the accounting Virtual Domain – web-based manager

1. Go to Global > Network > Interface.

2. Select the DMZ2 port row and select Edit.

3. For the Virtual Domain drop-down list, select accounting.

4. Select the Addressing Mode of Manual.

5. Enter the IP address for the port of 10.13.101.100/24.

6. Set the Administrative Access to HTTPS and SSH.

7. Select OK.

 

To assign physical interface to the accounting Virtual Domain – CLI

config global

config system interface edit dmz2

set vdom accounting

set ip 10.13.101.100/24 set allowaccess https ssh

next end

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.