System Configuration – Virtual Domains – FortiOS 6.2

Virtual Domains

Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.

There are two VDOM modes:

  • Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See Split-task VDOM mode on page 181.
  • Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode on page 185.

By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to increase the maximum number.

Global settings are configured outside of a VDOM. They affect the entire FortiGate, and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed by top-level administrators.

Switching VDOM modes

Current VDOM mode   New VDOM mode     Rule
No VDOM             Split-task VDOM   Allowed
Split-task VDOM     No VDOM           Allowed
No VDOM             Multi VDOM        Allowed only if CSF is disabled
Multi VDOM          No VDOM           Allowed
Split-task VDOM     Multi VDOM        Allowed only if CSF is disabled
Multi VDOM          Split-task VDOM   Not allowed. User must first switch to No VDOM

Split-task VDOM mode

In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FGtraffic).

The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.

The following GUI sections are available when in the management VDOM:

  • The Status dashboard
  • Security Fabric topology and settings (read-only, except for HTTP Service settings)
  • Interface and static route configuration
  • FortiClient configuration
  • Replacement messages
  • Advanced system settings
  • Certificates
  • System events
  • Log and email alert settings
  • Threat weight definitions

The traffic VDOM provides separate security policies, and is used to process all network traffic.

The following GUI sections are available when in the traffic VDOM:

  • The Status, Top Usage LAN/DMZ, and Security dashboards
  • Security Fabric topology, settings (read-only, except for HTTP Service settings), and Fabric Connectors (SSO/Identity connectors only)
  • FortiView
  • Interface configuration
  • Packet capture
  • SD-WAN, SD-WAN Rules, and Performance SLA
  • Static and policy routes
  • RIP, OSPF, BGP, and Multicast
  • Replacement messages
  • Advanced system settings
  • Feature visibility
  • Tags
  • Certificates
  • Policies and objects
  • Security profiles
  • VPNs
  • User and device authentication
  • WiFi and switch controller
  • Logging
  • Monitoring

Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM mode.

Enable split-task VDOM mode

Split-task VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the FortiGate.

When split-task VDOM mode is enabled, all current management configuration is assigned to the root VDOM, and all non-management settings, such as firewall policies and security profiles, are deleted.

To enable split-task VDOM mode in the GUI:

  1. On the FortiGate, go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Select Split-Task VDOM for the VDOM mode.
  4. Select a Dedicated Management Interface from the Interface list. This interface is used to access the management VDOM, and cannot be used in firewall policies.
  5. Click OK.

To enable split-task VDOM mode with the CLI:

config system global
    set vdom-mode split-vdom
end

Assign interfaces to a VDOM

An interface can only be assigned to one of the VDOMs. When split-task VDOM mode is enabled, all interfaces are assigned to the root VDOM. To use an interface in a policy, it must first be assigned to the traffic VDOM.

An interface cannot be moved if it is referenced in an existing configuration.

To assign an interface to a VDOM in the GUI:

  1. On the FortiGate, go to Global > Network > Interfaces.
  2. Edit the interface that will be assigned to a VDOM.
  3. Select the VDOM that the interface will be assigned to from the Virtual Domain list.
  4. Click OK.

To assign an interface to a VDOM using the CLI:

config global
    config system interface
        edit <interface>
            set vdom <VDOM_name>
        next
    end
end

Create per-VDOM administrators

Per-VDOM administrators can be created that can access only the management or traffic VDOM. These administrators must use either the prof_admin administrator profile, or a custom profile.

A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that they are assigned to. The interface must also be configured to allow management access. They can also connect to the FortiGate using the console port.

To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator at the VDOM level, the super_admin administrator profile cannot be used.

To create a per-VDOM administrator in the GUI:

  1. On the FortiGate, connect to the management VDOM.
  2. Go to Global > System > Administrators and click Create New > Administrator.
  3. Fill in the required information, setting the Type as Local User.
  4. In the Virtual Domains field, add the VDOM that the administrator will be assigned to, and if necessary, remove the other VDOM from the list.
  5. Click OK.

To create a per-VDOM administrator using the CLI:

config global
    config system admin
        edit <name>
            set vdom <VDOM_name>
            set password <password>
            set accprofile <admin_profile>
            …
        next
    end
end
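The two rules stated above (an interface must be assigned to the traffic VDOM before a policy can use it, and an administrator created at the VDOM level cannot use super_admin) are easy to verify against a configuration backup rather than by clicking through the GUI. The following Python script is an added example, not part of this guide or of FortiOS: it parses the config/edit/set/next/end syntax used in the CLI procedures above and reports violations of both rules. The sample configuration, the administrator names vdoma-admin and vdomb-admin, and the treatment of any administrator scoped to a VDOM other than the default root as a per-VDOM administrator are assumptions made for the example.

```python
# Added example (not from the FortiOS documentation): parse the
# config/edit/set/next/end block syntax used in this guide and check two rules
# stated above: a policy may only use interfaces assigned to its own VDOM, and
# a per-VDOM administrator must not use the super_admin profile.
import shlex

# Constructed sample: port2 was left in root by mistake and vdoma-admin was
# given super_admin, so the audit should report exactly those two problems.
SAMPLE_CONFIG = """
config global
    config system interface
        edit port1
            set vdom VDOM-A
        next
        edit port2
            set vdom root
        next
        edit wan2
            set vdom VDOM-B
        next
    end
    config system admin
        edit vdomb-admin
            set vdom VDOM-B
            set accprofile prof_admin
        next
        edit vdoma-admin
            set vdom VDOM-A
            set accprofile super_admin
        next
    end
end
config vdom
    edit VDOM-B
        config firewall policy
            edit 1
                set name Access-server
                set srcintf wan2
                set dstintf port2
            next
        end
    next
end
"""


def parse_fortios(text):
    """Nested dicts: a 'config <table>' key holds a table, each 'edit <name>'
    becomes an entry dict, and 'set <key> <values...>' stores a token list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as "VDOM A"
        if not tokens:
            continue
        verb = tokens[0]
        if verb == "config":
            table = {}
            stack[-1]["config " + " ".join(tokens[1:])] = table
            stack.append(table)
        elif verb == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif verb == "set":
            stack[-1][tokens[1]] = tokens[2:]
        elif verb in ("next", "end"):
            stack.pop()
        else:
            raise ValueError("unrecognised line: " + raw)
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def interface_vdoms(cfg):
    """Map each interface in the global 'system interface' table to its VDOM."""
    table = cfg.get("config global", {}).get("config system interface", {})
    return {name: entry.get("vdom", ["root"])[0] for name, entry in table.items()}


def audit_policy_interfaces(cfg):
    """Report policies whose srcintf/dstintf is not assigned to the policy's VDOM."""
    findings, owner_of = [], interface_vdoms(cfg)
    for vdom, body in cfg.get("config vdom", {}).items():
        for pid, pol in body.get("config firewall policy", {}).items():
            for side in ("srcintf", "dstintf"):
                for intf in pol.get(side, []):
                    if intf == "any":
                        continue  # wildcard, not an interface name
                    owner = owner_of.get(intf)
                    if owner != vdom:
                        findings.append(f"{vdom} policy {pid}: {side} {intf} is "
                                        f"assigned to {owner or 'no VDOM'}, not {vdom}")
    return findings


def audit_admin_profiles(cfg):
    """Report admins scoped to a VDOM other than the default root that use
    super_admin (heuristic for 'created at the VDOM level')."""
    findings = []
    admins = cfg.get("config global", {}).get("config system admin", {})
    for name, adm in admins.items():
        scoped = adm.get("vdom", [])
        if adm.get("accprofile") == ["super_admin"] and scoped and scoped != ["root"]:
            findings.append(f"admin {name}: super_admin is not allowed for a per-VDOM "
                            f"administrator (vdom {' '.join(scoped)})")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    print("\n".join(audit_policy_interfaces(parsed) + audit_admin_profiles(parsed)))
```

Run against a `show full-configuration` export the same parser works unchanged; the two audit functions are deliberately narrow so that each finding maps to one sentence of the rules above, and the `any` wildcard is skipped because it is not an interface name.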

Multi VDOM mode

In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used to manage global settings.

Multi VDOM mode isn’t available on all FortiGate models. The Fortinet Security Fabric does not support multi VDOM mode.

There are three main configuration types in multi VDOM mode:

Independent VDOMs:

Multiple, completely separate VDOMs are created. Any VDOM can be the management VDOM, as long as it has Internet access. There are no inter-VDOM links, and each VDOM is independently managed.

Management VDOM:

A management VDOM is located between the other VDOMs and the Internet, and the other VDOMs connect to the management VDOM with inter-VDOM links. The management VDOM has complete control over Internet access, including the types of traffic that are allowed in both directions. This can improve security, as there is only one point of ingress and egress.

There is no communication between the other VDOMs.

Meshed VDOMs:

VDOMs can communicate with inter-VDOM links. In full-mesh configurations, all the VDOMs are interconnected. In partial-mesh configurations, only some of the VDOMs are interconnected.

In this configuration, proper security must be achieved by using firewall policies and ensuring secure account access for administrators and users.

Multi VDOM configuration examples

The following examples show how to configure per-VDOM settings, such as operation mode, routing, and security policies, in a network that includes the following VDOMs:

  • VDOM-A: allows the internal network to access the Internet.
  • VDOM-B: allows external connections to an FTP server.
  • root: the management VDOM.

You can use VDOMs in either NAT or transparent mode on the same FortiGate. By default, VDOMs operate in NAT mode.

For both examples, multi VDOM mode must be enabled, and VDOM-A and VDOM-B must be created.

Enable multi VDOM mode

Multi VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the device. The current configuration is assigned to the root VDOM.

To enable multi VDOM mode in the GUI:

  1. On the FortiGate, go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Select Multi VDOM for the VDOM mode.
  4. Click OK.

To enable multi VDOM mode with the CLI:

config system global
    set vdom-mode multi-vdom
end

Create the VDOMs

To create the VDOMs in the GUI:

  1. In the Global VDOM, go to System > VDOM, and click Create New. The New Virtual Domain page opens.
  2. In the Virtual Domain field, enter VDOM-A.
  3. If required, set the NGFW Mode. If the NGFW Mode is Policy-based, select an SSL/SSH Inspection from the list.
  4. Optionally, enter a comment.
  5. Click OK to create the VDOM.
  6. Repeat the above steps for VDOM-B.

To create the VDOMs with the CLI:

config vdom
    edit <VDOM-A>
    next
    edit <VDOM-B>
    next
end

NAT mode

In this example, both VDOM-A and VDOM-B use NAT mode. A VDOM link is created that allows users on the internal network to access the FTP server.

This configuration requires the following steps:

  1. Configure VDOM-A on page 187
  2. Configure VDOM-B on page 189
  3. Configure the VDOM link on page 192

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
Name                  internal-network
Type                  Subnet
Subnet / IP Range     192.168.10.0/255.255.255.0
Interface             port1
Show in Address List  enabled

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:
Destination   Subnet
IP address    0.0.0.0/0.0.0.0
Gateway       172.20.201.7
Interface     wan1
Distance      10

To add a default route with the CLI:

config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end

To add the security policy in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
Name                 VDOM-A-Internet
Incoming Interface   port1
Outgoing Interface   wan1
Source Address       internal-network
Destination Address  all
Schedule             always
Service              ALL
Action               ACCEPT
NAT                  enabled

To add the security policy with the CLI:

config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A virtual IP address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
Address Name          FTP-server
Type                  Subnet
Subnet / IP Range     192.168.20.10/32
Interface             port2
Show in Address List  enabled

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end

To add the virtual IP address in the GUI:

  1. Go to Policy & Objects > Virtual IPs and create a new virtual IP address.
  2. Enter the following information:
Name                        FTP-server-VIP
Interface                   wan2
External IP Address/Range   172.25.177.42
Internal IP Address/Range   192.168.20.10

To add the virtual IP address with the CLI:

config vdom
    edit VDOM-B
        config firewall vip
            edit FTP-server-VIP
                set extip 172.25.177.42
                set extintf wan2
                set mappedip 192.168.20.10
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:
Destination   Subnet
IP address    0.0.0.0/0.0.0.0
Gateway       172.20.10.10
Interface     wan2
Distance      10

To add a default route with the CLI:

config vdom
    edit VDOM-B
        config router static
            edit 0
                set device wan2
                set gateway 172.20.10.10
            next
        end
    next
end

To add the security policy in the GUI:

  1. Go to Policy & Objects > IPv4 Policy and create a new policy.
  2. Enter the following information:
Name                 Access-server
Incoming Interface   wan2
Outgoing Interface   port2
Source Address       all
Destination Address  FTP-server-VIP
Schedule             always
Service              FTP
Action               ACCEPT
NAT                  enabled

To add the security policy with the CLI:

config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server-VIP
                set action accept
                set schedule always
                set service FTP
                set nat enable
            next
        end
    next
end

Configure the VDOM link

The VDOM link allows connections from VDOM-A to VDOM-B. This allows users on the internal network to access the FTP server through the FortiGate.

The configuration for the VDOM link includes the following:

  • The VDOM link interface
  • Firewall addresses for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Static routes for the FTP server on VDOM-A and for the internal network on VDOM-B
  • Policies allowing traffic using the VDOM link

All procedures in this section require you to connect to the global VDOM using a global administrator account.

To add the VDOM link in the GUI:

  1. Connect to root.
  2. Go to Global > Network > Interfaces and select Create New > VDOM link.
  3. Enter the following information:
Name          VDOM-link
Interface 0
  Virtual Domain   VDOM-A
  IP/Netmask       0.0.0.0/0.0.0.0
Interface 1
  Virtual Domain   VDOM-B
  IP/Netmask       0.0.0.0/0.0.0.0

To add the VDOM link with the CLI:

config global
    config system vdom-link
        edit VDOM-link
        next
    end
    config system interface
        edit VDOM-link0
            set vdom VDOM-A
            set ip 0.0.0.0 0.0.0.0
        next
        edit VDOM-link1
            set vdom VDOM-B
            set ip 0.0.0.0 0.0.0.0
        next
    end
end

To add the firewall address on VDOM-A in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > Addresses and create a new address.
  3. Enter the following information:
Address Name                FTP-server
Type                        Subnet
Subnet / IP Range           192.168.20.10/32
Interface                   VDOM-link0
Show in Address List        enabled
Static Route Configuration  enabled

To add the firewall addresses on VDOM-A with the CLI:

config vdom
    edit VDOM-A
        config firewall address
            edit FTP-server
                set associated-interface VDOM-link0
                set allow-routing enable
                set subnet 192.168.20.10 255.255.255.255
            next
        end
    next
end

To add the static route on VDOM-A in the GUI:

  1. Connect to VDOM-A.
  2. Go to Network > Static Routes and create a new route.
  3. Enter the following information:
Destination     Named Address
Named Address   FTP-server
Gateway         0.0.0.0
Interface       VDOM-link0

To add the static route on VDOM-A with the CLI:

config vdom
    edit VDOM-A
        config router static
            edit 0
                set device VDOM-link0
                set dstaddr FTP-server
            next
        end
    next
end

To add the security policy on VDOM-A in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
Name                 Access-FTP-server
Incoming Interface   port1
Outgoing Interface   VDOM-link0
Source               internal-network
Destination          FTP-server
Schedule             always
Service              FTP
Action               ACCEPT
NAT                  disabled

To add the security policy on VDOM-A with the CLI:

config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name Access-FTP-server
                set srcintf port1
                set dstintf VDOM-link0
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end

To add the firewall address on VDOM-B in the GUI:

  1. Connect to VDOM-B.
  2. Go to Policy & Objects > Addresses and create a new address.
  3. Enter the following information:
Address Name                internal-network
Type                        Subnet
Subnet / IP Range           192.168.10.0/24
Interface                   VDOM-link1
Show in Address List        enabled
Static Route Configuration  enabled

To add the firewall addresses on VDOM-B with the CLI:

config vdom
    edit VDOM-B
        config firewall address
            edit internal-network
                set associated-interface VDOM-link1
                set allow-routing enable
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end

To add the static route on VDOM-B in the GUI:

  1. Connect to VDOM-B.
  2. Go to Network > Static Routes and create a new route.
  3. Enter the following information:
Destination     Named Address
Named Address   internal-network
Gateway         0.0.0.0
Interface       VDOM-link1

To add the static route on VDOM-B with the CLI:

config vdom
    edit VDOM-B
        config router static
            edit 0
                set device VDOM-link1
                set dstaddr internal-network
            next
        end
    next
end

To add the security policy on VDOM-B in the GUI:

  1. Connect to VDOM-B.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
Name                 Internal-server-access
Incoming Interface   VDOM-link1
Outgoing Interface   port2
Source               internal-network
Destination          FTP-server
Schedule             always
Service              FTP
Action               ACCEPT
NAT                  disabled

To add the security policy on VDOM-B with the CLI:

config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Internal-server-access
                set srcintf VDOM-link1
                set dstintf port2
                set srcaddr internal-network
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end
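To see how the objects created in this NAT mode example fit together, here is an added Python model (not FortiOS code and not part of this guide) that walks a packet through VDOM-A and VDOM-B using the addresses, routes, VIP and policies configured above. Per VDOM it applies VIP destination NAT, then a longest-prefix route lookup, then first-match policy lookup, and treats the VDOM link as a pair of interfaces that hands the packet to the peer VDOM. That evaluation order, the connected routes for port1 and port2, and the sample hosts 192.168.10.5 and 203.0.113.9 are assumptions of the model, not taken from the page.

```python
# Added example (not FortiOS code): a toy model of how the two NAT-mode VDOMs
# above forward a packet. Per VDOM it applies VIP destination NAT, then a
# longest-prefix route lookup, then first-match policy lookup; a VDOM link is
# modelled as a pair of interfaces that hands the packet to the peer VDOM.
# Addresses, routes and policies are transcribed from the example; the
# evaluation order and the connected routes are assumptions of this model.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Policy = namedtuple("Policy", "name srcintf dstintf srcaddr dstaddr service nat")
Route = namedtuple("Route", "dst device")
Vip = namedtuple("Vip", "extintf extip mappedip")
ANY = ip_network("0.0.0.0/0")

VDOMS = {
    "VDOM-A": {
        "addresses": {"internal-network": ip_network("192.168.10.0/24"),
                      "FTP-server": ip_network("192.168.20.10/32"), "all": ANY},
        "vips": {},
        "routes": [Route(ip_network("192.168.10.0/24"), "port1"),  # connected (assumed)
                   Route(ip_network("192.168.20.10/32"), "VDOM-link0"),
                   Route(ANY, "wan1")],
        "policies": [
            Policy("VDOM-A-Internet", "port1", "wan1", "internal-network", "all", "ALL", True),
            Policy("Access-FTP-server", "port1", "VDOM-link0", "internal-network", "FTP-server", "FTP", False),
        ],
    },
    "VDOM-B": {
        "addresses": {"FTP-server": ip_network("192.168.20.10/32"),
                      "internal-network": ip_network("192.168.10.0/24"), "all": ANY},
        "vips": {"FTP-server-VIP": Vip("wan2", ip_address("172.25.177.42"), ip_address("192.168.20.10"))},
        "routes": [Route(ip_network("192.168.20.0/24"), "port2"),  # connected (assumed)
                   Route(ip_network("192.168.10.0/24"), "VDOM-link1"),
                   Route(ANY, "wan2")],
        "policies": [
            Policy("Access-server", "wan2", "port2", "all", "FTP-server-VIP", "FTP", True),
            Policy("Internal-server-access", "VDOM-link1", "port2", "internal-network", "FTP-server", "FTP", False),
        ],
    },
}
INTERFACE_VDOM = {"port1": "VDOM-A", "wan1": "VDOM-A", "VDOM-link0": "VDOM-A",
                  "port2": "VDOM-B", "wan2": "VDOM-B", "VDOM-link1": "VDOM-B"}
# Leaving on VDOM-link0 in VDOM-A means arriving on VDOM-link1 in VDOM-B, and back.
VDOM_LINK = {"VDOM-link0": ("VDOM-B", "VDOM-link1"), "VDOM-link1": ("VDOM-A", "VDOM-link0")}


def apply_vip(vdom, ingress, dst):
    """Destination NAT: return (translated dst, VIP name) or (dst, None)."""
    for name, vip in VDOMS[vdom]["vips"].items():
        if ingress == vip.extintf and dst == vip.extip:
            return vip.mappedip, name
    return dst, None


def lookup_route(vdom, dst):
    """Longest-prefix match over the VDOM's routes; None if nothing matches."""
    hits = [r for r in VDOMS[vdom]["routes"] if dst in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen).device if hits else None


def addr_matches(vdom, name, ip, vip_used):
    """A VIP object only matches traffic that VIP translated; others match by subnet."""
    if name in VDOMS[vdom]["vips"]:
        return vip_used == name
    return ip in VDOMS[vdom]["addresses"][name]


def match_policy(vdom, ingress, egress, src, dst, service, vip_used):
    """First policy whose interfaces, addresses and service all match, else None."""
    for p in VDOMS[vdom]["policies"]:
        if (p.srcintf == ingress and p.dstintf == egress
                and addr_matches(vdom, p.srcaddr, src, None)
                and addr_matches(vdom, p.dstaddr, dst, vip_used)
                and p.service in (service, "ALL")):
            return p
    return None


def forward(ingress, src, dst, service):
    """Walk a packet through the VDOMs; returns (verdict, [(vdom, policy, egress)])."""
    src, dst = ip_address(src), ip_address(dst)
    vdom, hops = INTERFACE_VDOM[ingress], []
    for _ in range(len(VDOMS) + 1):  # bounded: a longer walk would be a routing loop
        dst, vip_used = apply_vip(vdom, ingress, dst)
        egress = lookup_route(vdom, dst)
        if egress is None:
            return f"drop: no route in {vdom}", hops
        pol = match_policy(vdom, ingress, egress, src, dst, service, vip_used)
        if pol is None:
            return f"deny: no policy in {vdom} for {ingress} -> {egress}", hops
        hops.append((vdom, pol.name, egress))
        if egress not in VDOM_LINK:
            return "accept", hops
        vdom, ingress = VDOM_LINK[egress]  # hand the packet to the peer VDOM
    return "drop: VDOM link loop", hops


if __name__ == "__main__":
    for pkt in [("port1", "192.168.10.5", "192.168.20.10", "FTP"),
                ("wan2", "203.0.113.9", "172.25.177.42", "FTP"),
                ("port2", "192.168.20.10", "192.168.10.5", "FTP"),
                ("port1", "192.168.10.5", "192.168.20.10", "SSH")]:
        print(pkt, "->", forward(*pkt))
```

Running it shows the properties the two link policies are meant to give: an internal host reaches the FTP server only over FTP (an SSH attempt from port1 is denied in VDOM-A, because Access-FTP-server only allows the FTP service), the server's network cannot initiate connections back across the link (no VDOM-B policy has VDOM-link1 as its outgoing interface, so the walk stops in VDOM-B), and outside access is only possible through the VIP on wan2.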

NAT and transparent mode

In this example, VDOM-A uses NAT mode and VDOM-B uses transparent mode.

This configuration requires the following steps:

  1. Configure VDOM-A on page 197
  2. Configure VDOM-B on page 199

Configure VDOM-A

VDOM-A allows connections from devices on the internal network to the Internet. WAN 1 and port 1 are assigned to this VDOM.

The per-VDOM configuration for VDOM-A includes the following:

  • A firewall address for the internal network
  • A static route to the ISP gateway
  • A security policy allowing the internal network to access the Internet

All procedures in this section require you to connect to VDOM-A, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
Name                  internal-network
Type                  Subnet
Subnet / IP Range     192.168.10.0/24
Interface             port1
Show in Address List  enabled

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-A
        config firewall address
            edit internal-network
                set associated-interface port1
                set subnet 192.168.10.0 255.255.255.0
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Static Routes and create a new route.
  2. Enter the following information:
Destination   Subnet
IP address    0.0.0.0/0.0.0.0
Gateway       172.20.201.7
Interface     wan1
Distance      10

To add a default route with the CLI:

config vdom
    edit VDOM-A
        config router static
            edit 0
                set gateway 172.20.201.7
                set device wan1
            next
        end
    next
end

To add the security policy in the GUI:

  1. Connect to VDOM-A.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
Name                 VDOM-A-Internet
Incoming Interface   port1
Outgoing Interface   wan1
Source Address       internal-network
Destination Address  all
Schedule             always
Service              ALL
Action               ACCEPT
NAT                  enabled

To add the security policy with the CLI:

config vdom
    edit VDOM-A
        config firewall policy
            edit 0
                set name VDOM-A-Internet
                set srcintf port1
                set dstintf wan1
                set srcaddr internal-network
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

Configure VDOM-B

VDOM-B allows external connections to reach an internal FTP server. WAN 2 and port 2 are assigned to this VDOM.

The per-VDOM configuration for VDOM-B includes the following:

  • A firewall address for the FTP server
  • A static route to the ISP gateway
  • A security policy allowing external traffic to reach the FTP server

All procedures in this section require you to connect to VDOM-B, either using a global or per-VDOM administrator account.

To add the firewall addresses in the GUI:

  1. Go to Policy & Objects > Addresses and create a new address.
  2. Enter the following information:
Address Name          FTP-server
Type                  Subnet
Subnet / IP Range     172.25.177.42/32
Interface             port2
Show in Address List  enabled

To add the firewall addresses with the CLI:

config vdom
    edit VDOM-B
        config firewall address
            edit FTP-server
                set associated-interface port2
                set subnet 172.25.177.42 255.255.255.255
            next
        end
    next
end

To add a default route in the GUI:

  1. Go to Network > Routing Table and create a new route.
  2. Enter the following information:
Destination   Subnet
IP address    0.0.0.0/0.0.0.0
Gateway       172.20.10.10

To add a default route with the CLI:

config vdom
    edit VDOM-B
        config router static
            edit 0
                set gateway 172.20.10.10
            next
        end
    next
end

To add the security policy in the GUI:

  1. Connect to VDOM-B.
  2. Go to Policy & Objects > IPv4 Policy and create a new policy.
  3. Enter the following information:
Name                 Access-server
Incoming Interface   wan2
Outgoing Interface   port2
Source Address       all
Destination Address  FTP-server
Schedule             always
Service              FTP
Action               ACCEPT

To add the security policy with the CLI:

config vdom
    edit VDOM-B
        config firewall policy
            edit 0
                set name Access-server
                set srcintf wan2
                set dstintf port2
                set srcaddr all
                set dstaddr FTP-server
                set action accept
                set schedule always
                set service FTP
            next
        end
    next
end

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
