Using a VDOM in Transparent mode

The essential steps to configure a VDOM in Transparent mode are:

  • Switching to Transparent mode
  • Adding VLAN subinterfaces
  • Creating security policies

You can also configure the security profiles that manage antivirus scanning, web filtering and spam filtering. In Transparent mode, you can access the web-based manager by connecting to an interface configured for administrative access and using HTTPS to access the management IP address. In the following examples, administrative access is enabled by default on the internal interface and the default management IP address is 10.11.0.1.

 

Switching to Transparent mode

A VDOM is in NAT/Route mode by default when it is created. You must switch it to Transparent mode, and add a management IP address so you can access the VDOM from your management computer.

Before applying the change to Transparent mode, ensure the VDOM has administrative access on the selected interface, and that the selected management IP address is reachable on your network.

 

To switch the VDOM to Transparent mode – web-based manager:

1. Go to Global > System > VDOM.

2. Edit the VDOM you wish to use in Transparent mode.

3. Set Operation mode to Transparent.

4. Enter the management IP/Netmask. The IP address must be accessible to the subnet where the management computer is located. For example 10.11.0.99/255.255.255.0 will be able to access the 10.11.0.0 subnet.

5. Select Apply.

When you select Apply, the FortiGate unit will log you out. When you log back in, the VDOM will be in Transparent mode.

 

To switch the VDOM to Transparent mode – CLI:

config vdom
    edit <name>
        config system settings
            set opmode transparent
            set manageip 10.11.0.99 255.255.255.0
        end
    end
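The following Python script is an added example, not part of the handbook: it renders the CLI block above and runs the pre-flight checks the text asks for before you select Apply, namely that the management IP is on the subnet of the management computer and that the interface used for administration allows HTTPS. The interface names, their access lists and the workstation address are constructed assumptions, and the subnet check assumes no management gateway is configured.

```python
"""
Pre-flight check before switching a VDOM to Transparent mode.

Added example, not Fortinet code. Interface names, access lists and the
management computer's address are constructed assumptions.
"""
import ipaddress


def render_transparent_cli(vdom, manage_ip, netmask):
    """Render the `config system settings` block that switches the VDOM."""
    return "\n".join([
        "config vdom",
        f"    edit {vdom}",
        "        config system settings",
        "            set opmode transparent",
        f"            set manageip {manage_ip} {netmask}",
        "        end",
        "    end",
    ])


def check_transparent_preflight(manage_ip, netmask, admin_host,
                                admin_interface, interfaces):
    """
    Return a list of problems; an empty list means it is safe to apply.

    interfaces maps an interface name to the set of protocols enabled for
    administrative access on it, e.g. {"internal": {"https", "ssh"}}.
    """
    problems = []
    try:
        # ipaddress accepts the handbook's dotted netmask form directly.
        mgmt = ipaddress.ip_interface(f"{manage_ip}/{netmask}")
    except ValueError as exc:
        # A bad address or mask cannot be reached at all after Apply.
        return [f"invalid management IP/netmask: {exc}"]

    if mgmt.ip in (mgmt.network.network_address,
                   mgmt.network.broadcast_address):
        problems.append(
            f"{mgmt.ip} is the network or broadcast address of {mgmt.network}")

    admin = ipaddress.ip_address(admin_host)
    if admin not in mgmt.network:
        # Mirrors the handbook's requirement that the management IP be
        # accessible from the management computer's subnet (assumption: no
        # management gateway). This is the lock-out case the text warns about.
        problems.append(
            f"management computer {admin} is not on {mgmt.network}; "
            "you will need the console cable after Apply")

    access = interfaces.get(admin_interface)
    if access is None:
        problems.append(f"interface {admin_interface} does not exist")
    elif "https" not in access:
        problems.append(
            f"{admin_interface} does not allow HTTPS administrative access")
    return problems


if __name__ == "__main__":
    # Constructed: the handbook's management IP, a workstation on
    # 10.11.0.0/24, and HTTPS/SSH enabled on the internal interface.
    ifaces = {"internal": {"https", "ssh"}, "wan1": set()}
    for p in check_transparent_preflight("10.11.0.99", "255.255.255.0",
                                         "10.11.0.55", "internal", ifaces):
        print("PROBLEM:", p)
    print(render_transparent_cli("vd_tp", "10.11.0.99", "255.255.255.0"))
```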

 

Adding VLAN subinterfaces

There are a few differences when adding VLANs in Transparent mode compared to NAT/Route mode.

In Transparent mode, VLAN traffic is trunked across the VDOM. That means VLAN traffic cannot be routed, changed, or inspected. For this reason, when you assign a VLAN to a Transparent mode VDOM, the Addressing Mode section of the interface configuration disappears from the web-based manager. With no routing, inspection, or other processing possible on VLAN traffic, the VDOM simply re-broadcasts it, and this requires no addressing.

Also any routing related features such as dynamic routing or Virtual Router Redundancy Protocol (VRRP) are not available in Transparent mode for any interfaces.

 

Creating security policies

Security policies permit communication between the FortiGate unit’s network interfaces based on source and destination IP addresses. Typically you will also limit communication to desired times and services for additional security.

In Transparent mode, the FortiGate unit performs antivirus and antispam scanning on each packet as it passes through the unit. You need security policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no security policies configured, no packets will be allowed to pass from one interface to another.

For more information, see the Firewall handbook.

Operation mode differences in VDOMs

A VDOM, such as root, can have a maximum of 255 interfaces in Network Address Translation (NAT) mode or Transparent mode. This includes VLANs, other virtual interfaces, and physical interfaces. To have more than a total of 255 interfaces configured, you need multiple VDOMs with multiple interfaces on each.

In Transparent mode without VDOMs enabled, all interfaces on the FortiGate unit act as a bridge — all traffic coming in on one interface is sent back out on all the other interfaces. This effectively turns the FortiGate unit into a two interface unit no matter how many physical interfaces it has. When VDOMs are enabled, this allows you to determine how many interfaces to assign to a VDOM running in Transparent mode. If there are reasons for assigning more than two interfaces based on your network topology, you are able to. However, the benefit of VDOMs in this case is that you have the functionality of Transparent mode, but you can use interfaces for NAT/Route traffic as well.

You can add more VDOMs to separate groups of VLAN subinterfaces. When using a FortiGate unit to serve multiple organizations, this configuration simplifies administration because you see only the security policies and settings for the VDOM you are configuring.

One essential application of VDOMs is to prevent problems caused when a FortiGate unit is connected to a layer-2 switch that has a global MAC table. FortiGate units normally forward ARP requests to all interfaces, including VLAN subinterfaces. It is then possible for the switch to receive duplicate ARP packets on different VLANs. Some layer-2 switches reset when this happens. As ARP requests are only forwarded to interfaces in the same VDOM, you can solve this problem by creating a VDOM for each VLAN.

For more information about Transparent mode, see the Transparent Mode & Internal Segmentation Firewall (ISFW) handbook.

Virtual Domains in Transparent mode

A VDOM in Transparent mode is installed between the internal network and the router. In this mode, the VDOM does not make any changes to IP addresses and only applies security scanning to traffic. When a VDOM is added to a network in Transparent mode, no network changes are required, except to provide the VDOM with a management IP address.

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode, regardless of the operation mode of other VDOMs on the FortiGate. For more information about NAT/Route mode, see “Virtual Domains in NAT/Route mode” on page 2602.

 

This chapter includes the following sections:

  • Transparent Mode Overview
  • Using a VDOM in Transparent mode
  • Virtual Domains in Transparent mode

 

Transparent Mode Overview

In transparent mode, a VDOM becomes a layer-2 IP forwarding bridge. This means that Ethernet frames are forwarded based on destination MAC address, and no other routing is performed. All incoming traffic that is accepted by the firewall, is broadcast out on all interfaces.

In transparent mode the VDOM is a forwarding bridge, not a switch. A switch can develop a port table and associated MAC addresses, so that it can bridge two ports to deliver the traffic instead of broadcasting to all ports. In transparent mode, the VDOM does not follow this switch behavior, but instead is the forwarding bridge that broadcasts all packets out over all interfaces, subject to security policies.

 

Differences between NAT/Route and Transparent mode

The differences between NAT/Route mode and Transparent mode include:

Differences between NAT/Route and Transparent modes

Feature                                      NAT/Route mode   Transparent mode
Specific management IP address required      No               Yes
Perform Network Address Translation (NAT)    Yes              Yes
Stateful packet inspection                   Yes              Yes
Layer-2 forwarding                           Yes              Yes
Layer-3 routing                              Yes              No
Unicast routing / policy-based routing       Yes              No
DHCP server                                  Yes              No
IPsec VPN                                    Yes              Yes
PPTP/L2TP VPN                                Yes              No
SSL VPN                                      Yes              No
Security features                            Yes              Yes
VLAN support                                 Yes              Yes (limited to VLAN trunks)
Ping servers (dead gateway detection)        Yes              No

To provide administrative access to a FortiGate unit or VDOM in Transparent mode, you must define a management IP address and a gateway. This step is not required in NAT/Route mode where you can access the FortiGate unit through the assigned IP address of any interface where administrative access is permitted.

If you incorrectly set the Transparent mode management IP address for your FortiGate unit, you will be unable to access your unit through the web-based manager. In this situation, you will need to connect to the FortiGate unit using the console cable and change the settings so you can access the unit. Alternatively, if your unit has an LCD panel, you can change the operation mode and interface information through the LCD panel.

Virtual Domains in NAT/Route mode

By default, a Virtual Domain (VDOM) uses NAT/Route mode. In this mode, the VDOM is installed as a gateway or router between two networks. In most cases, it is used between a private network and the Internet. This allows the VDOM to hide the IP addresses of the private network using network address translation (NAT).

Each VDOM on a FortiGate can be configured for NAT/Route mode or Transparent mode, regardless of the operation mode of other VDOMs on the FortiGate. For more information about Transparent mode, see “Virtual Domains in Transparent mode” on page 2621.

 

This chapter contains the following sections:

  • Using a VDOM in NAT/Route mode
  • Example configuration: VDOM in NAT/Route mode

 

Using a VDOM in NAT/Route mode

Once you have enabled virtual domains and created one or more VDOMs, you need to configure them. Configuring VDOMs on your FortiGate unit includes tasks such as the ones listed here; while you may not require all for your network topology, it is recommended that you perform them in the order given:

  • Changing the management virtual domain
  • Configuring interfaces in a NAT/Route VDOM
  • Configuring VDOM routing
  • Configuring security policies for NAT/Route VDOMs
  • Configuring security profiles for NAT/Route VDOMs

 

Changing the management virtual domain

The management virtual domain is the virtual domain where all the management traffic for the FortiGate unit originates. This management traffic needs access to remote servers, such as FortiGuard services and NTP, to perform its duties. It needs access to the Internet to send and receive this traffic.

 

Management traffic includes, but is not limited to:

  • DNS lookups
  • logging to FortiAnalyzer or syslog
  • FortiGuard service
  • sending alert emails
  • Network time protocol traffic (NTP)
  • Sending SNMP traps
  • Quarantining suspicious files and email.

By default the management VDOM is the root domain. When other VDOMs are configured on your FortiGate unit, management traffic can be moved to one of these other VDOMs.

Reasons to move the management VDOM include selecting a non-root VDOM to be your administration VDOM, or the root VDOM not having an interface with a connection to the Internet.

You cannot change the management VDOM if any administrators are using RADIUS authentication.

The following procedure will change the management VDOM from the default root to a VDOM named mgmt_vdom. It is assumed that mgmt_vdom has already been created and has an interface that can access the Internet.

 

To change the management VDOM – web-based manager:

1. Select Global > System > VDOM.

2. Select the checkbox next to the required VDOM.

3. Select Switch Management.

The current management VDOM is shown in square brackets, “[root]” for example.

 

To change the management VDOM – CLI:

config global
    config system global
        set management-vdom mgmt_vdom
    end
end

Management traffic will now originate from mgmt_vdom.

 

Configuring interfaces in a NAT/Route VDOM

A VDOM must contain at least two interfaces to be useful. These can be physical interfaces or VLAN interfaces. By default, all physical interfaces are in the root VDOM. When you create a new VLAN, it is in the root VDOM by default.

When there are VDOMs on the FortiGate unit in both NAT and Transparent operation modes, some interface fields will be displayed as “-” on Network > Interfaces. Only someone with a super_admin account can view all the VDOMs.

When moving an interface to a different VDOM, firewall IP pools and virtual IPs for this interface are deleted. You should manually delete any routes that refer to this interface. Once the interface has been moved to the new VDOM, you can add these services to the interface again.

When configuring VDOMs on FortiGate units with accelerated interfaces you must assign both interfaces in the pair to the same VDOM for those interfaces to retain their acceleration. Otherwise they will become normal interfaces.

 

This section includes the following topics:

  • Adding a VLAN to a NAT/Route VDOM
  • Moving an interface to a VDOM
  • Deleting an interface
  • Adding a zone to a VDOM

 

Adding a VLAN to a NAT/Route VDOM

The following example shows one way that multiple companies can maintain their security when they are using one FortiGate unit with VLANs that share interfaces on the unit.

This procedure will add a VLAN interface called client1-v100 with a VLAN ID of 100 to an existing VDOM called client1 using the physical interface called port2.

The physical interface does not need to belong to the VDOM that the VLAN belongs to.

 

To add a VLAN subinterface to a VDOM – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           client1-v100

Interface                                     port2

VLAN ID                                      100

Virtual Domain                          Client1

Addressing mode                     Manual

IP/Netmask                                 172.20.120.110/255.255.255.0

Administrative Access             HTTPS, SSH

You will see an expand arrow added to the port2 interface. When the arrow is expanded, the interface shows the client1-v100 VLAN subinterface.

 

To add a VLAN subinterface to a VDOM – CLI:

config global
    config system interface
        edit client1-v100
            set vdom Client1
            set type vlan
            set interface port2
            set vlanid 100
            set ip 172.20.120.110 255.255.255.0
            set allowaccess https ssh
        end
    end

 

Moving an interface to a VDOM

Interfaces belong to the root VDOM by default. Moving an interface is the same procedure whether it is moving from the root VDOM or from any other VDOM.

If you have an accelerated pair of physical interfaces both interfaces must be in the same VDOM or you will lose their acceleration.

The following procedure will move the port3 interface to the Client2 VDOM. This is a common action when configuring a VDOM. It is assumed that the Client2 VDOM has already been created. It is also assumed that your FortiGate unit has a port3 interface. If you are using a different model, your physical interfaces may not be named port2, external or port3.

 

To move an existing interface to a different VDOM – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit for the port3 interface.

3. Select Client2 as the new Virtual Domain.

4. Select OK.

 

To move an existing interface to a different VDOM – CLI:

config global
    config system interface
        edit port3
            set vdom Client2
        end
    end

 

Deleting an interface

Before you can delete a virtual interface, or move an interface from one VDOM to another, all references to that interface must be removed. For a list of objects that can refer to an interface see Virtual Domains Overview.

The easiest way to be sure an interface can be deleted is when the Delete icon is no longer greyed out. If it remains greyed out when an interface is selected, that interface still has objects referring to it, or it is a physical interface that cannot be deleted.

 

To delete a virtual interface – web-based manager:

1. Ensure all objects referring to this interface have been removed.

2. Select Global > Network > Interfaces.

3. Select the interface to delete.

4. Select the delete icon.

 

Adding a zone to a VDOM

Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone.

Zones are VDOM-specific. A zone cannot be moved to a different VDOM. Any interfaces in a zone cannot be used in another zone. To move a zone to a new VDOM requires deleting the current zone and re-creating a zone in the new VDOM.

The following procedure will create a zone called accounting in the client2 VDOM. It will not allow intra-zone traffic, and both port3 and port2 interfaces belong to this zone. This is a method of grouping and isolating traffic over particular interfaces—it is useful for added security and control within a larger network.

 

To add a zone to a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Network > Interfaces.

3. Select Create New > Zone.

4. Enter the following information and select OK:

Zone Name                                 accounting

Block intra-zone traffic             Select

Interface Members                    port3, port2

To add a zone to a VDOM – CLI:

config vdom
    edit client2
        config system zone
            edit accounting
                set interface port3 port2
                set intrazone deny
            end
    end

 

Configuring VDOM routing

Routing is VDOM-specific. Each VDOM should have a default static route configured as a minimum. Within a VDOM, routing is the same as routing on your FortiGate unit without VDOMs enabled.

When configuring dynamic routing on a VDOM, other VDOMs on the FortiGate unit can be neighbors. The following topics give a brief introduction to the routing protocols, and show specific examples of how to configure dynamic routing for VDOMs. Figures are included to show the FortiGate unit configuration after the successful completion of the routing example.

 

Default static route for a VDOM

The routing you define applies only to network traffic entering non-ssl interfaces belonging to this VDOM. Set the administrative distance high enough, typically 20, so that automatically configured routes will be preferred to the default.

In the following procedure, it is assumed that a VDOM called “Client2” exists. The procedure will create a default static route for this VDOM. The route has a destination IP of 0.0.0.0, on the port3 interface. It has a gateway of 10.10.10.1, and an administrative distance of 20.

The values used in this procedure are very standard, and this procedure should be part of configuring all VDOMs.

 

To add a default static route for a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Network > Static Routes.

3. Select Create New.

4. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         port2

Gateway                                     10.10.10.1

Distance                                     20

 

To add a default static route for a VDOM – CLI:

config vdom
    edit client2
        config router static
            edit 4
                set device port2
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.10.10.1
                set distance 20
            end
    end

 

Dynamic Routing in VDOMs

Dynamic routing is VDOM-specific, like all other routing. Dynamic routing configuration is the same with VDOMs as with your FortiGate unit without VDOMs enabled, once you are at the routing menu. If you have multiple VDOMs configured, the dynamic routing configuration between them can become quite complex.

VDOMs provide some interesting changes to dynamic routing. Each VDOM can be a neighbor to the other VDOMs. This is useful in simulating a dynamic routing area or AS or network using only your FortiGate unit.

You can separate different types of routing to different VDOMs if required. This allows for easier troubleshooting. This is very useful if your FortiGate unit is on the border of a number of different routing domains.

For more information on dynamic routing in FortiOS, see the Advanced Routing handbook.

Inter-VDOM links may or may not have IP addresses assigned to them, but they must have IP addresses if they are part of a dynamic routing configuration. Without IP addresses, you need to be careful how you configure routing. While the default static route can be assigned an address of 0.0.0.0 and rely instead on the interface, dynamic routing almost always requires an IP address.

 

RIP

The RIP dynamic routing protocol uses hop count to determine the best route, with a hop count of 1 being directly attached to the interface and a hop count of 16 being unreachable. For example if two VDOMs on the same FortiGate unit are RIP neighbors, they have a hop count of 1.

 

OSPF

OSPF communicates the status of its network links to adjacent neighbor routers instead of the complete routing table. When compared to RIP, OSPF is more suitable for large networks, it is not limited by hop count, and is more complex to configure. For smaller OSPF configurations it is easiest to just use the backbone area, instead of multiple areas.

 

BGP

BGP is an Internet gateway protocol (IGP) used to connect autonomous systems (ASes) and is used by Internet service providers (ISPs). BGP stores the full path, or path vector, to a destination and its attributes which aid in proper routing.

 

Configuring security policies for NAT/Route VDOMs

Security policies are VDOM-specific. This means that all firewall settings for a VDOM, such as firewall addresses and security policies, are configured within the VDOM.

In VDOMs, all firewall related objects are configured per-VDOM including addresses, service groups, security profiles, schedules, traffic shaping, and so on. If you want firewall addresses, you will have to create them on each VDOM separately. If you have many addresses and VDOMs, this can be tedious and time consuming. Consider using a FortiManager unit to manage your VDOM configuration — it can get firewall objects from a configured VDOM or FortiGate unit, and push those objects to many other VDOMs or FortiGate units. See the FortiManager Administration Guide.

You can customize the Policy display by including some or all columns, and customize the column order onscreen. Due to this feature, security policy screenshots may not appear the same as on your screen.

 

Configuring a security policy for a VDOM

Your security policies can involve only the interfaces, zones, and firewall addresses that are part of the current VDOM, and they are only visible when you are viewing the current VDOM. The security policies of this VDOM filter the network traffic on the interfaces and VLAN subinterfaces in this VDOM.

A firewall service group can be configured to group multiple services into one service group. When a descriptive name is used, service groups make it easier for an administrator to quickly determine what services are allowed by a security policy.

In the following procedure, it is assumed that a VDOM called Client2 exists. The procedure will configure an outgoing security policy. The security policy will allow all HTTPS, SSH, and DNS traffic for the SalesLocal address group on VLAN_200 going to all addresses on port3. This traffic will be scanned and logged.

 

To configure a security policy for a VDOM – web-based manager:

1. In Virtual Domains, select the client2 VDOM.

2. Go to Policy & Objects > IPv4 Policy.

3. Select Create New.

4. Enter the following information and select OK:

Name                                        Client2-outgoing

Incoming Interface                   VLAN_200

Outgoing Interface                   port3

Source Address                        SalesLocal

Destination Address                 any

Schedule                                    always

Service                                       HTTPS, SSH, DNS

Action                                         ACCEPT

Log Allowed Traffic                  enable

 

To configure a security policy for a VDOM – CLI:

config vdom
    edit Client2
        config firewall policy
            edit 12
                set srcintf VLAN_200
                set srcaddr SalesLocal
                set dstintf port3
                set dstaddr any
                set schedule always
                set service HTTPS SSH DNS
                set action accept
                set status enable
                set logtraffic enable
            end
    end

 

Configuring security profiles for NAT/Route VDOMs

In NAT/Route VDOMs, security profiles are exactly like regular FortiGate unit operation with one exception. In VDOMs, there are no default security profiles.

If you want security profiles in VDOMs, you must create them yourself. If you have many security profiles to create in each VDOM, you should consider using a FortiManager unit. It can get existing profiles from a VDOM or FortiGate unit, and push those profiles down to multiple other VDOMs or FortiGate units. See the FortiManager Administration Guide.

When VDOMs are enabled, you only need one FortiGuard license for the physical unit, and download FortiGuard updates once for the physical unit. This can result in a large time and money savings over multiple physical units if you have many VDOMs.

 

Configuring VPNs for a VDOM

Virtual Private Networking (VPN) settings are VDOM-specific, and must be configured within each VDOM. Configurations for IPsec Tunnel, IPsec Interface, PPTP and SSL are VDOM-specific. However, certificates are shared by all VDOMs and are added and configured globally to the FortiGate unit.

 

Example configuration: VDOM in NAT/Route mode

Company A and Company B each have their own internal networks and their own ISPs. They share a FortiGate unit that is configured with two separate VDOMs, with each VDOM running in NAT/Route mode enabling separate configuration of network protection profiles. Each ISP is connected to a different interface on the FortiGate unit.

 

This network example was chosen to illustrate one of the most typical VDOM configurations. This example has the following sections:

  • Network topology and assumptions
  • General configuration steps
  • Creating the VDOMs
  • Configuring the FortiGate interfaces
  • Configuring the vdomA VDOM
  • Configuring the vdomB VDOM
  • Testing the configuration

Network topology and assumptions

Both companies have their own ISPs and their own internal interface, external interface, and VDOM on the FortiGate unit.

For easier configuration, the following IP addressing is used:

  • all IP addresses on the FortiGate unit end in “.2” such as 10.11.101.2.
  • all IP addresses for ISPs end in “.7”, such as 172.20.201.7.
  • all internal networks are 10.*.*.* networks, and sample internal addresses end in “.55”.

The IP address matrix for this example is as follows.

Address            Company A               Company B
ISP                172.20.201.7            192.168.201.7
Internal network   10.11.101.0             10.12.101.0
FortiGate / VDOM   172.20.201.2 (port1)    192.168.201.2 (port3)
                   10.11.101.2 (port4)     10.12.101.2 (port2)

The Company A internal network is on the 10.11.101.0/255.255.255.0 subnet. The Company B internal network is on the 10.12.101.0/255.255.255.0 subnet.

There are no switches or routers required for this configuration. There are no VLANs in this network topology.

The interfaces used in this example are port1 through port4. Different FortiGate models may have different interface labels. port1 and port3 are used as external interfaces. port2 and port4 are internal interfaces.

The administrator is a super_admin account. If you are using a non-super_admin account, refer to “Global and per-VDOM settings” to see which parts a non-super_admin account can also configure.

When configuring security policies in the CLI always choose a policy number that is higher than any existing policy numbers, select services before profile-status, and profile-status before profile. If these commands are not entered in that order, they may not be available to enter.

 

General configuration steps

For best results in this configuration, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Creating the VDOMs

2. Configuring the FortiGate interfaces

3. Configuring the vdomA VDOM, and Configuring the vdomB VDOM

4. Testing the configuration

 

Creating the VDOMs

In this example, two new VDOMs are created — vdomA for Company A and vdomB for Company B. These VDOMs will keep the traffic for these two companies separate while enabling each company to access its own ISP.

 

To create two VDOMs – web-based manager:

1. Log in with a super_admin account.

2. Go to Global > System > VDOM, and select Create New.

3. Enter vdomA and select OK.

4. Select OK again to return to the VDOM list.

5. Select Create New.

6. Enter vdomB and select OK.

 

To create two VDOMs – CLI:

config vdom
    edit vdomA
    next
    edit vdomB
end

 

Configuring the FortiGate interfaces

This section configures the interfaces that connect to the companies’ internal networks, and to the companies’ ISPs.

All interfaces on the FortiGate unit will be configured with an IP address ending in “.2” such as 10.11.101.2. This will simplify network administration both for the companies, and for the FortiGate unit global administrator. Also the internal addresses for each company differ in the second octet of their IP address – Company A is 10.11.*, and Company B is 10.12.*.

This section includes the following topics:

  • Configuring the vdomA interfaces
  • Configuring the vdomB interfaces

If you cannot change the VDOM of a network interface, it is because something that needs to be deleted is referring to that interface. Once all the references are deleted, the interface will be available to switch to a different VDOM. For example, a common reference to the external interface is the default static route entry. See Example configuration: VDOM in NAT/Route mode.

 

Configuring the vdomA interfaces

The vdomA VDOM includes two FortiGate unit interfaces: port1 and external.

The port4 interface connects the Company A internal network to the FortiGate unit, and shares the internal network subnet of 10.11.101.0/255.255.255.0.

The external interface connects the FortiGate unit to ISP A and the Internet. It shares the ISP A subnet of 172.20.201.0/255.255.255.0.

 

 

To configure the vdomA interfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit on the port1 interface.

3. Enter the following information and select OK:

Virtual Domain                          vdomA

Addressing mode                     Manual

IP/Netmask                                 172.20.201.2/255.255.255.0

4. Select Edit on the port4 interface.

5. Enter the following information and select OK:

Virtual Domain                          vdomA

Addressing mode                     Manual

IP/Netmask                                 10.11.101.2/255.255.255.0

 

To configure the vdomA interfaces – CLI:

config global
    config system interface
        edit port1
            set vdom vdomA
            set mode static
            set ip 172.20.201.2 255.255.255.0
        next
        edit port4
            set vdom vdomA
            set mode static
            set ip 10.11.101.2 255.255.255.0
    end
end

 

Configuring the vdomB interfaces

The vdomB VDOM uses two FortiGate unit interfaces: port2 and port3.

The port2 interface connects the Company B internal network to the FortiGate unit, and shares the internal network subnet of 10.12.101.0/255.255.255.0.

The port3 interface connects the FortiGate unit to ISP B and the Internet. It shares the ISP B subnet of 192.168.201.0/255.255.255.0.

 

To configure the vdomB interfaces – web-based manager:

1. Go to Global > Network > Interfaces.

2. Select Edit on the port3 interface.

3. Enter the following information and select OK:

Virtual domain                           vdomB

Addressing mode                     Manual

IP/Netmask                                 192.168.201.2/255.255.255.0

4. Select Edit on the port2 interface.

5. Enter the following information and select OK:

Virtual domain                           vdomB

Addressing mode                     Manual

IP/Netmask                                 10.12.101.2/255.255.255.0

 

To configure the vdomB interfaces – CLI:

config global
    config system interface
        edit port3
            set vdom vdomB
            set mode static
            set ip 192.168.201.2 255.255.255.0
        next
        edit port2
            set vdom vdomB
            set mode static
            set ip 10.12.101.2 255.255.255.0
    end
end

 

Configuring the vdomA VDOM

With the VDOMs created and the ISPs connected, the next step is to configure the vdomA VDOM. Configuring the vdomA includes the following:

  • Adding vdomA firewall addresses
  • Adding the vdomA security policy
  • Adding the vdomA default route

 

Adding vdomA firewall addresses

You need to define the addresses used by Company A’s internal network for use in security policies. This internal network is the 10.11.101.0/255.255.255.0 subnet.

The FortiGate unit provides one default address, “all”, that you can use when a security policy applies to all addresses as the source or destination of a packet.

 

To add the vdomA firewall addresses – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Policy & Objects > Addresses.

3. Select Create New.

4. Enter the following information and select OK:

Address Name                           Ainternal

Type                                            Subnet / IP Range

Subnet / IP Range                     10.11.101.0/255.255.255.0

Interface                                     port4

 

To add the vdomA firewall addresses – CLI:

config vdom
    edit vdomA
        config firewall address
            edit Ainternal
                set type ipmask
                set subnet 10.11.101.0 255.255.255.0
            next
        end
    end
end

 

Adding the vdomA security policy

vdomA needs two security policies: one that allows traffic from the internal network to reach the external network, and one that allows traffic from the external network to reach the internal network. The inbound policy in this example accepts any source and any service; that keeps the example simple, but in production it should be limited to the services the internal hosts actually publish.

 

To add the vdomA security policy – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Policy & Objects > IPv4 Policy.

3. Select Create New.

4. Enter the following information and select OK:

Name                                           VDOMA-internal-to-external

Incoming Interface                   port4

Outgoing Interface                   port1

Source Address                        Ainternal

Destination Address                 all

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information and select OK:

Name                                        VDOMA-external-to-internal

Incoming Interface                   port1

Outgoing Interface                   port4

Source Address                        all

Destination Address                 Ainternal

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

 

To add the vdomA security policy – CLI:

config vdom
    edit vdomA
        config firewall policy
            edit 1
                set srcintf port4
                set dstintf port1
                set srcaddr Ainternal
                set dstaddr all
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
            edit 2
                set srcintf port1
                set dstintf port4
                set srcaddr all
                set dstaddr Ainternal
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
        end
    end
end

 

Adding the vdomA default route

You also need to define a default route to direct packets from the Company A internal network to ISP A. Every VDOM needs at least a default static route to handle traffic addressed to external networks such as the Internet.

Set the administrative distance slightly higher than that of other routes. When routes to the same destination compete, the one with the lower distance is preferred, and because a default route matches every destination it should only be used when no more specific route applies.

 

To add a default route to the vdomA – web-based manager:

1. In Virtual Domains, select vdomA.

2. Go to Network > Static Routes.

3. Select Create New.

4. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         port1

Gateway                                     172.20.201.7

Distance                                     20

 

To add a default route to the vdomA – CLI:

config vdom
    edit vdomA
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device port1
                set gateway 172.20.201.7
                set distance 20
            next
        end
    end
end

 

Configuring the vdomB VDOM

In this example, the vdomB VDOM is used for Company B. Firewall and routing settings are specific to a single VDOM.

vdomB includes the FortiGate port2 interface to connect to the Company B internal network, and the FortiGate port3 interface to connect to ISP B. Security policies are needed to allow traffic from port2 to external and from external to port2 interfaces.

This section includes the following topics:

  • Adding the vdomB firewall address
  • Adding the vdomB security policy
  • Adding a default route to the vdomB VDOM

 

Adding the vdomB firewall address

You need to define addresses for use in security policies. In this example, the vdomB VDOM needs an address object for the Company B internal network behind port2, plus the default “all” address.

 

To add the vdomB firewall address – web-based manager:

1. In Virtual Domains, select vdomB.

2. Go to Policy & Objects > Addresses.

3. Select Create New.

4. Enter the following information and select OK:

Address Name                           Binternal

Type                                            Subnet / IP Range

Subnet / IP Range                     10.12.101.0/255.255.255.0

Interface                                     port2

 

To add the vdomB firewall address – CLI:

config vdom
    edit vdomB
        config firewall address
            edit Binternal
                set type ipmask
                set subnet 10.12.101.0 255.255.255.0
            next
        end
    end
end

 

Adding the vdomB security policy

You also need a security policy for the Company B domain. In this example, the security policy allows all traffic.

 

To add the vdomB security policy – web-based manager:

1. Log in with a super_admin account.

2. In Virtual Domains, select vdomB.

3. Go to Policy & Objects > IPv4 Policy

4. Select Create New.

5. Enter the following information and select OK:

 

Name                                           VDOMB-internal-to-external

Incoming Interface                   port2

Outgoing Interface                   port3

Source Address                        Binternal

Destination Address                 all

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

6. Select Create New.

7. Enter the following information and select OK:

Name                                           VDOMB-external-to-internal

Incoming Interface                   port3

Outgoing Interface                   port2

Source Address                        all

Destination Address                 Binternal

Schedule                                    Always

Service                                       ANY

Action                                         ACCEPT

 

To add the vdomB security policy – CLI:

config vdom
    edit vdomB
        config firewall policy
            edit 1
                set srcintf port2
                set dstintf port3
                set srcaddr Binternal
                set dstaddr all
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
            edit 2
                set srcintf port3
                set dstintf port2
                set srcaddr all
                set dstaddr Binternal
                set schedule always
                set service ANY
                set action accept
                set status enable
            next
        end
    end
end

 

Adding a default route to the vdomB VDOM

You need to define a default route to direct packets to ISP B.

 

To add a default route to the vdomB VDOM – web-based manager:

1. Log in as the super_admin administrator.

2. In Virtual Domains, select vdomB.

3. Go to Network > Static Routes.

4. Select Create New.

5. Enter the following information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         port3

Gateway                                     192.168.201.7

Distance                                     20

 

To add a default route to the vdomB VDOM – CLI:

config vdom
    edit vdomB
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device port3
                set gateway 192.168.201.7
                set distance 20
            next
        end
    end
end
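The vdomA and vdomB procedures above follow the same pattern: two interfaces in the global context, one address object, two policies and a default route in the VDOM context. The script below, an added example that is not FortiOS code or Fortinet documentation, captures that pattern once, checks the inputs for the mistakes that silently break the result (a gateway outside the ISP subnet, overlapping subnets, an out-of-range distance) and emits the CLI for both VDOMs. VdomSpec, validate() and render_cli() are names assumed here; the CLI it emits uses only the commands shown in the two procedures, plus the route distance of 20 that the web-based manager steps set.

```python
"""Emit and sanity-check the per-VDOM configuration built above.

Added example, not FortiOS code or Fortinet documentation: VdomSpec,
validate() and render_cli() are assumptions of this example. The CLI it
emits uses only the commands shown in the vdomA and vdomB procedures,
plus the route distance that the web-based manager steps set to 20.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VdomSpec:
    name: str
    internal_if: str   # interface facing the company network
    internal_ip: str   # its address, e.g. "10.11.101.2/255.255.255.0"
    external_if: str   # interface facing the ISP
    external_ip: str
    gateway: str       # ISP next hop used by the default route
    lan_addr: str      # firewall address object for the company network
    distance: int = 20


def validate(spec, strict=False):
    """Return a list of problems; an empty list means the spec is consistent.

    strict=True also reports the wide-open inbound policy (source all,
    service ANY into the company network) that a reviewer would flag.
    """
    lan = ipaddress.ip_interface(spec.internal_ip).network
    wan = ipaddress.ip_interface(spec.external_ip).network
    gw = ipaddress.ip_address(spec.gateway)
    problems = []
    if spec.internal_if == spec.external_if:
        problems.append("internal and external interface are the same")
    if gw not in wan:
        problems.append(f"gateway {gw} is not in the {spec.external_if} subnet {wan}")
    if lan.overlaps(wan):
        problems.append(f"internal {lan} and external {wan} subnets overlap")
    if not 1 <= spec.distance <= 255:
        problems.append(f"distance {spec.distance} is outside 1-255")
    if strict:
        problems.append(f"policy 2 accepts any source and any service into {spec.lan_addr}")
    return problems


def _interface(name, vdom, ip):
    addr = ipaddress.ip_interface(ip)   # accepts "a.b.c.d/24" and "a.b.c.d/255.255.255.0"
    return [f"        edit {name}", f"            set vdom {vdom}",
            "            set mode static",
            f"            set ip {addr.ip} {addr.netmask}", "        next"]


def _policy(pid, srcintf, dstintf, srcaddr, dstaddr):
    return [f"            edit {pid}",
            f"                set srcintf {srcintf}", f"                set dstintf {dstintf}",
            f"                set srcaddr {srcaddr}", f"                set dstaddr {dstaddr}",
            "                set schedule always", "                set service ANY",
            "                set action accept", "                set status enable",
            "            next"]


def render_cli(spec):
    """Return the FortiOS CLI for one VDOM as a single string."""
    lan = ipaddress.ip_interface(spec.internal_ip).network
    lines = ["config global", "    config system interface"]
    lines += _interface(spec.external_if, spec.name, spec.external_ip)
    lines += _interface(spec.internal_if, spec.name, spec.internal_ip)
    lines += ["    end", "end", "config vdom", f"    edit {spec.name}",
              "        config firewall address", f"            edit {spec.lan_addr}",
              "                set type ipmask",
              f"                set subnet {lan.network_address} {lan.netmask}",
              "            next", "        end", "        config firewall policy"]
    lines += _policy(1, spec.internal_if, spec.external_if, spec.lan_addr, "all")
    lines += _policy(2, spec.external_if, spec.internal_if, "all", spec.lan_addr)
    lines += ["        end", "        config router static", "            edit 1",
              "                set dst 0.0.0.0 0.0.0.0",
              f"                set device {spec.external_if}",
              f"                set gateway {spec.gateway}",
              f"                set distance {spec.distance}",
              "            next", "        end", "    end", "end"]
    return "\n".join(lines)


VDOM_A = VdomSpec("vdomA", "port4", "10.11.101.2/255.255.255.0",
                  "port1", "172.20.201.2/255.255.255.0", "172.20.201.7", "Ainternal")
VDOM_B = VdomSpec("vdomB", "port2", "10.12.101.2/255.255.255.0",
                  "port3", "192.168.201.2/255.255.255.0", "192.168.201.7", "Binternal")

if __name__ == "__main__":
    for spec in (VDOM_A, VDOM_B):
        for problem in validate(spec, strict=True):
            print(f"# {spec.name}: {problem}")
        print(render_cli(spec))
```

Run it as-is to print the configuration for both VDOMs, preceded by any problems as comment lines; with strict=True the permissive inbound policy is always reported, so a clean run in strict mode is a reminder to narrow policy 2 rather than a pass.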

 

Testing the configuration

Once you have completed the configuration for both company VDOMs, you can use diagnostic commands, such as tracert on Windows, to test traffic routed through the FortiGate unit. Alternatively, use the traceroute command on a Linux system, which gives similar output.

 

Possible errors during the traceroute test are:

  • “* * * Request timed out” – no reply to the probe for that hop arrived within the timeout
  • “Destination host unreachable” – a router, or the local host, reported that it has no route to the destination

Possible reasons for these errors are bad connections or configuration errors, such as a missing default route, a security policy that blocks the traffic, or a wrong default gateway on the client. For additional troubleshooting, see Troubleshooting Virtual Domains.

Testing traffic from the internal network to the ISP

In this example, a route is traced from the Company A internal network to ISP A. The test was run on a Windows PC with an IP address of 10.11.101.55.

The output here indicates three hops between the source and destination, the IP address of each hop, and that the trace was successful.

From the Company A internal network, access a command prompt and enter this command:

C:\>tracert 172.20.201.7

Tracing route to 172.20.201.7 over a maximum of 30 hops:

1  <10 ms  <10 ms  <10 ms 10.11.101.2

2  <10 ms  <10 ms  <10 ms 172.20.201.2

3  <10 ms  <10 ms  <10 ms 172.20.201.7

Trace complete.
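Reading the trace by eye works for one VDOM; for many, it pays to parse the output and compare it with the path the VDOM should produce. The script below is an added example, not part of the FortiOS documentation: SAMPLE_TRACERT is constructed to match the trace shown above, and parse_trace(), check_path() and the EXPECTED_A hop list are assumptions of this example. It handles the two failure lines described earlier (a timed-out hop comes back as None) and tells you which side of the VDOM a wrong hop points at.

```python
"""Check tracert/traceroute output against the path a VDOM should produce.

Added example, not part of the FortiOS documentation. SAMPLE_TRACERT is
constructed to match the trace shown above; parse_trace(), check_path()
and the expected hop list are assumptions of this example.
"""
import re

# A hop line starts with the hop number; an IPv4 address somewhere on the
# line is the responding router, and no address means the hop timed out.
# This covers Windows tracert and Linux traceroute formats alike.
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

SAMPLE_TRACERT = """\
Tracing route to 172.20.201.7 over a maximum of 30 hops:

  1  <10 ms  <10 ms  <10 ms 10.11.101.2
  2  <10 ms  <10 ms  <10 ms 172.20.201.2
  3  <10 ms  <10 ms  <10 ms 172.20.201.7

Trace complete.
"""

# Hops expected from the Company A network: the vdomA internal interface,
# its external interface, then the ISP A gateway.
EXPECTED_A = ["10.11.101.2", "172.20.201.2", "172.20.201.7"]


def parse_trace(text):
    """Return [(hop_number, ip_or_None), ...] in hop order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops


def check_path(hops, expected):
    """Compare parsed hops with the expected path.

    Returns (ok, findings). Each finding names the hop and what it implies:
    a wrong first hop points at the client's default gateway, a wrong
    second hop at the VDOM's policy or route, and a timeout at a hop that
    drops or does not answer probes.
    """
    findings = []
    for i, want in enumerate(expected):
        if i >= len(hops):
            findings.append(f"trace ended before expected hop {i + 1} ({want})")
            break
        num, got = hops[i]
        if got is None:
            findings.append(f"hop {num} timed out; expected {want}")
        elif got != want:
            hint = ("client default gateway" if i == 0 else
                    "VDOM policy or default route" if i == 1 else "ISP side")
            findings.append(f"hop {num} is {got}, expected {want} ({hint})")
    if len(hops) > len(expected):
        findings.append(f"{len(hops) - len(expected)} extra hop(s) after {expected[-1]}")
    return (not findings, findings)


if __name__ == "__main__":
    ok, notes = check_path(parse_trace(SAMPLE_TRACERT), EXPECTED_A)
    print("path OK" if ok else "\n".join(notes))
```

To use it against a real run, capture the tracert or traceroute output to a file and pass its contents to parse_trace() with the hop list for that VDOM.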

Configuring Virtual Domains

Only a super_admin administrator account such as the default “admin” account can create, disable, or delete VDOMs. That account can create additional administrators for each VDOM. This section includes:

  • Creating a Virtual Domain
  • Disabling a Virtual Domain
  • Deleting a VDOM
  • Administrators in Virtual Domains

Creating a Virtual Domain

Once you have enabled Virtual Domains on your FortiGate unit, you can create additional Virtual Domains beyond the default root Virtual Domain.

By default new Virtual Domains are set to NAT/Route operation mode. If you want a Virtual Domain to be in Transparent operation mode, you must manually change it.

You can name new Virtual Domains as you like with the following restrictions:

  • only letters, numbers, “-”, and “_” are allowed
  • no more than 11 characters are allowed
  • no spaces are allowed
  • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

When creating large numbers of VDOMs you should not enable advanced features such as proxies, web filtering, and antivirus, because FortiGate unit resources are limited. For the same reason, large numbers of VDOMs may reduce performance.

 

To create a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Select Global > System > VDOM.

3. Select Create New.

4. Enter a unique name for your new VDOM.

5. Enter a short and descriptive comment to identify this VDOM.

6. Select OK.

Repeat Steps 3 through 6 to add additional VDOMs.

 

To create a VDOM – CLI:

config vdom

edit <new_vdom_name>

end

 

If you intend to edit an existing Virtual Domain in the CLI and mistype its name, a new Virtual Domain with the misspelled name is created instead, and your changes go into it. If expected configuration changes are not visible, this may be the reason. Periodically check your VDOM list to ensure no such misspelled VDOMs are present.
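Both the naming rules listed above and the misspelled-VDOM trap are easy to check mechanically. The script below is an added example, not part of the FortiOS documentation: validate_vdom_name() implements the four naming restrictions from the list, and suspicious_vdoms() is an assumption of this example (FortiOS offers no such check) that takes the VDOM list you get from `config vdom / edit ?` and flags any name within a couple of edits of a VDOM you meant to have, which is what a typo in `edit <name>` leaves behind.

```python
"""Validate a VDOM name and look for VDOMs created by a typo.

Added example, not part of the FortiOS documentation. validate_vdom_name()
implements the naming restrictions listed above; suspicious_vdoms() is an
assumption of this example (FortiOS offers no such check) that flags names
within a couple of edits of a VDOM you meant to edit.
"""
import re

NAME_RE = re.compile(r"[A-Za-z0-9_-]+")
MAX_LEN = 11


def validate_vdom_name(name, reserved=()):
    """Return the rules `name` breaks; an empty list means it is acceptable.

    reserved: names already taken by interfaces, zones, switch interfaces
    and existing VDOMs, none of which a new VDOM may reuse.
    """
    errors = []
    if " " in name:
        errors.append("spaces are not allowed")
    elif not NAME_RE.fullmatch(name):
        errors.append("only letters, numbers, '-' and '_' are allowed")
    if len(name) > MAX_LEN:
        errors.append(f"longer than {MAX_LEN} characters")
    if name in reserved:
        errors.append("already used by an interface, zone, switch interface or VDOM")
    return errors


def _edit_distance(a, b):
    """Levenshtein distance, enough to catch transposed or dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_vdoms(vdom_list, intended, max_distance=2):
    """Names in vdom_list that are not intended but sit close to one that is.

    Returns [(unexpected_name, [nearby intended names]), ...]. A hit usually
    means `config vdom / edit <name>` was typed with a misspelling, which
    silently created a new VDOM and left the intended one unchanged.
    """
    hits = []
    for name in vdom_list:
        if name in intended:
            continue
        near = [t for t in intended if _edit_distance(name, t) <= max_distance]
        if near:
            hits.append((name, near))
    return hits


if __name__ == "__main__":
    # Constructed VDOM list as `edit ?` might print it after a typo.
    print(validate_vdom_name("sales east", {"port1", "root"}))
    print(suspicious_vdoms(["root", "vdomA", "vdmoA", "vdomB"], ["root", "vdomA", "vdomB"]))
```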

 

Disabling a Virtual Domain

The status of a VDOM can be Enabled or Disabled.

Enabled VDOMs can be configured. Enabled is the default status when a VDOM is created, and the management VDOM must be an enabled VDOM.

Disabled VDOMs are considered “offline”. Their configuration remains, but the VDOM cannot be used and only a super_admin administrator can view it. There is no Delete icon for a disabled VDOM: to delete it, first enable it and then remove the references to it as usual. Interfaces can still be assigned to a disabled VDOM.

The following procedures show how to disable a VDOM called “test-vdom”.

 

To disable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is not selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a grey X.

 

To disable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status disable
        end
    end
end

 

To enable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a green checkmark.

 

To enable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status enable
        end
    end
end

 

Deleting a VDOM

Deleting a VDOM removes it from the FortiGate unit configuration.

Before you can delete a VDOM, all references to it must be removed, including any per-VDOM objects. If there are any references to the VDOM remaining, you will see an error message and not be able to delete the VDOM.

A disabled VDOM cannot be deleted. You also cannot delete the root VDOM or the management VDOM.

Before deleting a VDOM, a good practice is to reset any interface referencing that VDOM to its default configuration, with “root” selected as the Virtual Domain.

The following procedures show how to delete the test-vdom VDOM.

 

To delete a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Select the check box for the VDOM and then select the Delete icon.

If the Delete icon is not active, there are still references to the VDOM that must first be removed. The Delete icon is available when all the references to this VDOM are removed.

3. Confirm the deletion.

 

To delete a VDOM – CLI:

config vdom
    delete test-vdom
end

 

Removing references to a VDOM

When you are going to delete a VDOM, all references to it must first be removed, and it can be difficult to find them all. This section lists the common objects that must be removed before a VDOM can be deleted.

Interfaces are an important part of VDOMs. If you can move all the interfaces out of a VDOM, generally you will be able to delete that VDOM.

 

Common objects that refer to VDOMs

When you are getting ready to delete a VDOM check for, and remove the following objects that refer to that VDOM or its components:

  • Routing – both static and dynamic routes
  • Firewall addresses, policies, groups, or other settings
  • Security Features/Profiles
  • VPN configuration
  • Users or user groups
  • Logging
  • DHCP servers
  • Network interfaces, zones, custom DNS servers
  • VDOM Administrators

 

Administrators in Virtual Domains

When Virtual Domains are enabled, permissions change for administrators. Administrators are now divided into per-VDOM administrators, and super_admin administrators. Only super_admin administrator accounts can create other administrator accounts and assign them to a VDOM.

 

Administrator VDOM permissions

Different types of administrator accounts have different permissions within VDOMs. For example, if you are using a super_admin profile account, you can perform all tasks. However, if you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. The following table shows what tasks can be performed by which administrators.

 

Administrator VDOM permissions

Task                                     Regular admin,        Regular admin,          super_admin profile
                                         read-only             read/write              administrator
View global settings                     yes                   yes                     yes
Configure global settings                no                    no                      yes
Create or delete VDOMs                   no                    no                      yes
Configure multiple VDOMs                 no                    no                      yes
Assign interfaces to a VDOM              no                    no                      yes
Revision Control Backup and Restore      no                    no                      yes
Create VLANs                             no                    yes – for 1 VDOM        yes – for all VDOMs
Assign an administrator to a VDOM        no                    no                      yes
Create additional admin accounts         no                    yes – for 1 VDOM        yes – for all VDOMs
Create and edit protection profiles      no                    yes – for 1 VDOM        yes – for all VDOMs

The only difference in admin accounts when VDOMs are enabled is selecting which VDOM the admin account belongs to. Otherwise, by default the administration accounts are the same as when VDOMs are disabled and closely resemble the super_admin account in their privileges.

 

Creating administrators for Virtual Domains

Using the admin administrator account, you can create additional administrator accounts and assign them to VDOMs.

The newly-created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM or through the console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. Without these in place, the new administrator will not be able to access the FortiGate unit and will have to contact the super_admin administrator for access.

The following procedure creates a new Local administrator account called admin_sales with a password of fortinet in the sales VDOM using the prof_admin default profile.

 

To create an administrator for a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Go to System > Administrators.

3. Select Create New.

4. Select Regular for Type, as you are creating a Local administrator account.

5. Enter the necessary information about the administrator: email, password, etc.

6. If this admin will be accessing the VDOM from a particular IP address or subnet, enable Restrict this Admin Login from Trusted Hosts Only and enter the IP in Trusted Host #1.

7. Select prof_admin for the Admin Profile.

8. Select sales from the list of Virtual Domains.

9. Select OK.

 

To create administrators for VDOMs – CLI:

config global
    config system admin
        edit <new_admin_name>
            set vdom <vdom_for_this_account>
            set password <pwd>
            set accprofile <an_admin_profile>
            …
        next
    end
end

 

Virtual Domain administrator dashboard display

When an administrator logs in to their virtual domain, they see a different dashboard than a global administrator sees. The VDOM dashboard displays only information relevant to that VDOM; no global or other-VDOM information is displayed.

 

VDOM dashboard information

Information               Per-VDOM                      Global
System Information        read-only                     yes
License Information       no                            yes
CLI console               yes                           yes
Unit Operation            read-only                     yes
Alert Message Console     no                            yes
Top Sessions              limited to VDOM sessions      yes
Traffic                   limited to VDOM interfaces    yes
Statistics                yes                           yes

Enabling and accessing Virtual Domains

While Virtual Domains are essentially the same as your regular FortiGate unit for menu configuration, CLI command structure, and general task flow, there are some small differences.

After first enabling VDOMs on your FortiGate unit, you should take the time to familiarize yourself with the interface. This section will help walk you through virtual domains.

 

This section includes:

  • Enabling Virtual Domains
  • Viewing the VDOM list
  • Global and per-VDOM settings
  • Resource settings
  • Virtual Domain Licensing
  • Logging in to VDOMs

Enabling Virtual Domains

Using the default admin administration account, you can enable or disable VDOM operation on the FortiGate unit.

 

To enable VDOM configuration – web-based manager:

1. Log in with a super_admin account.

2. Go to the Dashboard.

3. In the System Information widget, locate Virtual Domain. Select Enable and confirm your selection. The FortiGate unit logs off all sessions. You can now log in again as admin.

 

To enable VDOM configuration – CLI:

config system global
    set vdom-admin enable
end

 

Changes to the web-based manager and CLI

When Virtual Domains are enabled, your FortiGate unit changes in several ways. Some changes are visible in both the web-based manager and the CLI, some only in the web-based manager, and some only in the CLI.

When enabling VDOMs, the web-based manager and the CLI are changed as follows:

  • Global and per-VDOM configurations are separated. This is indicated in the Online Help by Global and VDOM icons.
  • Only admin accounts using the super_admin profile can view or configure global options.
  • Admin accounts using the super_admin profile can configure all VDOM configurations.
  • All other administrator accounts can configure only the VDOM to which they are assigned.

The following changes are specific to the web-based manager:

  • In the Global view, the System section of the left-hand menu is renamed to Global, and includes a VDOM sub-menu.
  • The Log Config menu is moved from Log & Report into the new Global section.
  • For admin accounts using the super_admin profile, a new section called Virtual Domains is added at the bottom of the left-hand menu. It lists all the individual VDOMs, including the root VDOM, as expandable menus containing all VDOM-specific options, so you can easily select which VDOM to configure.

In the CLI, admin accounts using the super_admin profile must specify either the global or a VDOM-specific shell before entering commands:

  • To change FortiGate unit system settings, from the top level you must first enter the following CLI before entering commands:

config global

  • To change VDOM settings, from the top level you must first enter the following CLI before entering commands for that VDOM:

config vdom

edit <vdom_name>

 

Viewing the VDOM list

The VDOM list shows all virtual domains, their status, and which VDOM is the management VDOM. It is accessible if you are logged in on an administrator account with the super_admin profile such as the “admin” administrator account.

In the VDOM list you can create or delete VDOMs, edit VDOMs, change the management VDOM, and enable or disable VDOMs.

You can access the VDOM list when viewing by going to Global > System > VDOM.

The root domain cannot be disabled, even if it is not the management VDOM.

 

Global and per-VDOM settings

Settings configured outside of a VDOM are called global settings. These settings affect the entire FortiGate unit and include areas such as interfaces, HA, maintenance, some antivirus, and some logging. In general, any unit settings that should only be changed by the top level administrator are global settings.

Settings configured within a VDOM are called VDOM settings. These settings affect only that specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus, some logging settings, and reporting.

When Virtual Domains are not enabled, the entire FortiGate unit is effectively a single VDOM. Per-VDOM limits apply. For some resource types, the global limit cannot be reached with only one VDOM.

 

Resource settings

Your FortiGate unit has a limited amount of hardware resources such as memory, disk storage, CPU operations. When Virtual Domains are disabled, this limit is not a major concern because all sessions, users, and other processes share all the resources equally.

When using Virtual Domains, hardware resources can be divided differently between Virtual Domains as they are needed. Minimum levels of resources can be specified for each VDOM, so that no Virtual Domain will suffer a complete lack of resources.

For example, if one VDOM has only a web server and logging server connected, and a second VDOM has an internal network of 20 users, these two VDOMs will require different levels of resources. The first VDOM will require many sessions but no user accounts. This compares to the second VDOM where user accounts and management resources are required, but fewer sessions.

Using the global and per-VDOM resource settings, you can customize the resources allocated to each VDOM to ensure the proper level of service is maintained on each VDOM.

 

Global resource settings

Global Resources apply to the whole FortiGate unit. They represent all of the hardware capabilities of your unit. By default the values are set to their maximum values. These values vary by your model due to each model having differing hardware capabilities.

It can be useful to change the maximum values for some resources to ensure there is enough memory available for other resources that may be more important to your configuration.

To use the earlier example, if your FortiGate unit is protecting a number of web servers and other publicly accessible servers you would want to maximize the available sessions and proxies while minimizing other settings that are unused such as user settings, VPNs, and dial-up tunnels.

Global Resources are only configurable at the global level, and only the admin account has access to these settings. To view the resource list, go to Global > System > Global Resources. You can also use the following CLI command:

config global
    config system resource-limits
        get

Note that global resources, such as the log disk quota resource, will only be visible if your FortiGate unit hardware supports those resources, such as having a hard disk to support the log disk resource.

For explicit proxies, when configuring limits on the number of concurrent users, you need to allow for the number of users based on their authentication method. Otherwise you may run out of user resources prematurely.

Each session-based authenticated user is counted as a single user, using their authentication membership (RADIUS, LDAP, FSAE, local database, etc.) to match users in other sessions. So one authenticated user in multiple sessions is still one user.

For all other situations, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

 

Per-VDOM resource settings

While Global resources apply to resources shared by the whole FortiGate unit, per-VDOM resources are specific to only one Virtual Domain.

By default all the per-VDOM resource settings are set to no limits. This means that any single VDOM can use up all the resources of the entire FortiGate unit if it needs to do so. This would starve the other VDOMs for resources to the point where they would be unable to function. For this reason, it is recommended that you set some maximums on resources that are most vital to your customers.

Each Virtual Domain has its own resource settings, with both a maximum and a minimum level. The maximum is the most of that resource the VDOM can use, if that much is available on the FortiGate unit. The minimum is a guaranteed level: that amount of the resource is always available to the VDOM, no matter what the other VDOMs are using.

For example, consider a FortiGate unit that has ten VDOMs configured. vdom1 has a maximum of 5000 sessions and a minimum of 1000 sessions. If the FortiGate unit has a global maximum of 20,000 sessions, it is possible that vdom1 will not be able to reach its 5000 session upper limit. However, at all times vdom1 is guaranteed to have 1000 sessions available that it can use. On the other hand, if the remaining nine VDOMs use only 1000 sessions each, vdom1 will be able to reach its maximum of 5000.
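The session example above works because the guaranteed minimums of all ten VDOMs fit inside the global limit; a plan where they do not cannot honour every guarantee at once, and nothing in the per-VDOM page warns you. The script below is an added example, not part of the FortiOS documentation: the plan layout, check_plan() and the attainable() model are assumptions made here to work through the example (the unit itself enforces the limits it shows under config system vdom-property and config system resource-limits). The per-VDOM figures for vdom2 to vdom10 are constructed.

```python
"""Check a per-VDOM resource plan against the global limit.

Added example, not part of the FortiOS documentation. The plan layout,
check_plan() and the attainable() model are assumptions made here to work
through the session example above; the unit itself enforces these limits
(config system vdom-property and config system resource-limits).
"""


def check_plan(global_max, plan):
    """plan: {vdom: (guaranteed_minimum, maximum)} for one resource type.

    Returns a list of problems. The one people miss: the guaranteed
    minimums of all VDOMs together must fit inside the global limit, or
    the guarantees cannot all be honoured at once.
    """
    problems = []
    for vdom, (lo, hi) in plan.items():
        if lo > hi:
            problems.append(f"{vdom}: guaranteed {lo} exceeds its maximum {hi}")
        if hi > global_max:
            problems.append(f"{vdom}: maximum {hi} exceeds the global limit {global_max}")
    total_min = sum(lo for lo, _ in plan.values())
    if total_min > global_max:
        problems.append(f"guaranteed minimums total {total_min}, above the global limit {global_max}")
    return problems


def attainable(vdom, global_max, plan, usage):
    """How much of the resource `vdom` can reach now, given the others' usage.

    Model: the VDOM always keeps its guaranteed minimum; beyond that it can
    take whatever is left of the global pool, up to its own maximum.
    """
    lo, hi = plan[vdom]
    others = sum(n for v, n in usage.items() if v != vdom)
    return max(lo, min(hi, global_max - others))


# The ten-VDOM example from the text: vdom1 guaranteed 1000, capped at 5000,
# on a unit with 20,000 sessions in total. The figures for vdom2..vdom10
# are constructed for this example.
GLOBAL_SESSIONS = 20_000
PLAN = {"vdom1": (1000, 5000)}
PLAN.update({f"vdom{i}": (500, 4000) for i in range(2, 11)})

if __name__ == "__main__":
    print(check_plan(GLOBAL_SESSIONS, PLAN))
    quiet = {f"vdom{i}": 1000 for i in range(2, 11)}   # others use 1000 each
    busy = {f"vdom{i}": 2000 for i in range(2, 11)}    # others use 2000 each
    print(attainable("vdom1", GLOBAL_SESSIONS, PLAN, quiet))  # 5000
    print(attainable("vdom1", GLOBAL_SESSIONS, PLAN, busy))   # 2000
```

With the other nine VDOMs at 1000 sessions each, vdom1 reaches its 5000 maximum; at 2000 each it is squeezed to 2000, and once the others have consumed the pool it falls back to its guaranteed 1000.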

 

To view or change per-VDOM resource settings – web-based manager:

1. Select Global > System > VDOM.

2. Select the root VDOM, and select Edit.

3. Adjust the settings in the Resource Usage section of the page.

4. Select OK.

 

To view per-VDOM resource settings – CLI:

config global
    config system vdom-property
        edit root
            get

 

Virtual Domain Licensing

For select FortiGate models in the 1U category and higher, you can purchase a license key to increase the maximum number of VDOMs. Most Enterprise and Large Enterprise (2U) models can support up to 500 VDOMs. Chassis-based models can support over 500 VDOMs. For specific information, see the product data sheet.

Configuring 500 or more VDOMs will result in reduced system performance. See Troubleshooting Virtual Domains.

Your FortiGate unit has limited resources that are divided among all configured VDOMs. These resources include system memory and CPU. Running security features on many VDOMs at once can limit resources available for basic processing. If you require many VDOMs, all with active security features, it is recommended to upgrade to a more powerful FortiGate unit.

It is important to backup your configuration before upgrading the VDOM license on your FortiGate unit or units, especially with FortiGate units in HA mode.

 

To obtain a VDOM license key

1. Log in with a super_admin account.

2. Go to the Dashboard.

3. Record your FortiGate unit serial number as shown in System Information widget.

4. In the License Information widget, locate Virtual Domain and select Purchase More.

 

If you do not see the Purchase More option on the System Dashboard, your FortiGate model does not support more than 10 VDOMs.

5. You will be taken to the Fortinet customer support website where you can log in and purchase a license key for 25, 50, 100, 250, 500, or more VDOMs.

6. When you receive your license key, go to the Dashboard and select Upload License under License Information, Virtual Domains.

7. In the Input License Key field, enter the 32-character license key you received from Fortinet customer support.

8. Select Apply.

To verify the new VDOM license, in global configuration go to System > Dashboard. Under License Information, Virtual Domains the maximum number of VDOMs allowed is shown.

VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

 

Logging in to VDOMs

Management services communicate using the management VDOM, which is the root VDOM by default.

Management traffic requires an interface that has access to the Internet. If there is no interface assigned to the VDOM containing the management traffic, services including updates will not function.

 

To access a VDOM with a super_admin account – web-based manager:

1. Log in with a super_admin account.

2. In the Virtual Domains menu on the left-hand side, select the VDOM to configure.

The menu will expand to show the various pages and settings for that VDOM.

3. When you have finished configuring the VDOM, you can

  • open the Global menu to return to global configuration
  • log out

 

To access a VDOM with a super_admin account – CLI:

With the super_admin, logging into the CLI involves also logging into the specific VDOM. If you need a reminder, use edit ? to see a list of existing VDOMs before you editing a VDOM.

If you misspell a VDOM you are trying to switch to, you will create a new VDOM by that name. Any changes you make will be part of the new VDOM, and not the intended VDOM. If you are having problems where your changes aren’t visible, back up to the top level and use edit ? to see a list of VDOMs to ensure this has not happened. If it has happened, see Enabling and accessing Virtual Domains.

config vdom
edit ?
edit <chosen_vdom>
..
<enter vdom related commands>
..
end
exit
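The caveat above, that a mistyped edit silently creates a new VDOM, can also be checked offline against a configuration backup rather than only interactively with edit ?. The following Python script is an added example and not Fortinet's code: it parses the leading config vdom block of a backup, compares the declared VDOMs with the list an administrator expects, flags names that look like near-misses of expected ones, and prints the CLI lines an administrator would review before removing a stray VDOM. The backup text, the VDOM names, and the expected list are constructed for the example.

```python
import difflib
import re

# Constructed sample of the leading "config vdom" block that opens a FortiOS
# configuration backup (not a real backup). "custmerA" is a deliberate typo:
# it is what an administrator who mistyped "edit customerA" leaves behind.
SAMPLE_CONFIG = """\
#config-version=PLACEHOLDER (constructed header, not a real one)
config vdom
edit root
next
edit customerA
next
edit custmerA
next
edit mgmt
next
end
"""
# In a real backup the global and per-VDOM sections follow the block above.

# VDOMs the administrator intended to have (constructed for the example).
EXPECTED_VDOMS = ["root", "customerA", "mgmt"]


def parse_vdom_names(config_text):
    """Return the VDOM names declared in the first "config vdom" block.

    A backup lists every VDOM as "edit <name>" / "next" inside the opening
    "config vdom" block; later "config vdom" blocks only carry per-VDOM
    settings, so reading stops at the first "end".
    """
    names = []
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "config vdom"
            continue
        if line == "end":
            break
        match = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if match:
            names.append(match.group(1))
    return names


def audit_vdoms(config_text, expected):
    """Compare declared VDOMs with the expected list.

    Returns (unexpected, missing, suspected_typos). suspected_typos maps each
    unexpected name to the closest expected name when the two are similar
    enough (difflib ratio >= 0.8) to suggest a mistyped "edit" rather than a
    deliberately created VDOM.
    """
    found = parse_vdom_names(config_text)
    unexpected = [name for name in found if name not in expected]
    missing = [name for name in expected if name not in found]
    suspected_typos = {}
    for name in unexpected:
        close = difflib.get_close_matches(name, expected, n=1, cutoff=0.8)
        if close:
            suspected_typos[name] = close[0]
    return unexpected, missing, suspected_typos


def remediation_commands(stray_vdoms):
    """Build the CLI lines that would remove stray VDOMs, for operator review.

    "delete <name>" inside "config vdom" is the standard FortiOS table-entry
    deletion syntax; the lines are only generated here, never executed.
    """
    if not stray_vdoms:
        return []
    return ["config vdom"] + [f"delete {name}" for name in stray_vdoms] + ["end"]


if __name__ == "__main__":
    unexpected, missing, typos = audit_vdoms(SAMPLE_CONFIG, EXPECTED_VDOMS)
    print("declared VDOMs:", parse_vdom_names(SAMPLE_CONFIG))
    print("unexpected    :", unexpected)
    print("missing       :", missing)
    for bad, good in typos.items():
        print(f"'{bad}' looks like a mistyped '{good}'")
    print("\n".join(remediation_commands(unexpected)))
```

Run it against the output of a real backup (for example the file produced by the Backup option on the Dashboard) with your own expected list; a stray VDOM that is only a few characters away from an expected name is the signature of the misspelled edit the text warns about, and the generated delete lines should be reviewed, not pasted blindly, because a VDOM that already holds objects cannot be removed until those objects are gone.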

 

To access a VDOM with a non super_admin account – web-based manager:

1. Connect to the FortiGate unit using an interface that belongs to the VDOM to be configured.

2. Log in using an administrator account that has access to the VDOM.

The main web-based manager page opens. The interface is largely the same as if the device had VDOMs disabled. From here you can access VDOM-specific settings.

 

To access a VDOM with a non-super_admin account – CLI:

A non-super_admin account has access to only one VDOM and must log in through an interface that belongs to the same VDOM, but the process is the same as logging into a non-VDOM unit.

Login: regular_admin
Password: <password>
..
<enter vdom related commands>
..
exit

Benefits of Virtual Domains

VDOMs provide the following benefits:

  • Easier administration
  • Continued security
  • Savings in physical space and power
  • Improving Transparent mode configuration
  • More flexible MSSP configurations

 

Easier administration

VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. VDOMs separate security domains and simplify administration of complex configurations—you do not have to manage as many settings at one time.

By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the unit’s physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.

Also, you can optionally assign an administrator account restricted to one VDOM. If the VDOM is created to serve an organization, this feature enables the organization to manage its own configuration.

Each physical FortiGate unit requires a FortiGuard license to access security updates. VDOMs do not require any additional FortiGuard licenses or updating: all the security updates for all the VDOMs are performed once per update at the global level. Combined, this can be a potentially large money- and time-saving feature in your network.

Management systems such as SNMP, logging, alert email, FDN-based updates, and NTP-based time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management VDOM. Using a separate VDOM for management traffic enables easier management of the FortiGate unit global settings, and VDOM administrators can also manage their VDOMs more easily.

 

Continued security

When a packet enters a VDOM, it is confined to that VDOM and is subject to any firewall policies for connections between VLAN subinterfaces or zones in that VDOM, just like those interfaces on a FortiGate unit without VDOMs enabled.

To travel between VDOMs, a packet must first pass through a firewall policy on a physical interface. The packet then arrives at another VDOM on that same FortiGate unit, but on a different interface, where it must pass through another firewall before entering. It doesn’t matter if the interface is physical or virtual — inter-VDOM packets still require the same security measures as when passing through physical interfaces.

VDOMs provide an additional level of security because regular administrator accounts are specific to one VDOM: an administrator restricted to one VDOM cannot change information on other VDOMs. Any configuration changes and potential errors will apply only to that VDOM and limit any potential downtime. Using this concept, you can further split settings so that the management domain is accessible only by the super_admin and does not share any settings with the other VDOMs.

 

Savings in physical space and power

To increase the number of physical FortiGate units, you need more rack space, cables, and power to install the new units. You also need to change your network configuration to accommodate the new physical units. In the future, if you need fewer physical units you are left with expensive hardware that is idle.

Increasing VDOMs involves no additional hardware, no additional cabling, and very few changes to existing networking configurations. VDOMs save physical space and power. You are limited only by the size of the VDOM license you buy and the physical resources on the FortiGate unit.

For example, if you are using one FortiGate 620B unit with 10 VDOMs instead of 10 physical units, over a year you will save an estimated 18,000 kWh. You could potentially save ten times that amount with a 100 VDOM license.

By default, most FortiGate units support 10 VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number.

 

Improving Transparent mode configuration

When VDOMs are not enabled and you put your FortiGate unit into Transparent mode, all the interfaces on your unit become broadcast interfaces. The problem with this is that there are no interfaces free to do anything else.

With multiple VDOMs you can have one of them configured in Transparent mode, and the rest in NAT/Route mode. In this configuration, you have an available Transparent mode FortiGate unit you can drop into your network for troubleshooting, and you also have the standard NAT/Route mode for networking.

 

More flexible MSSP configurations

If you are a managed security service provider (MSSP), VDOMs are fundamental to your business. As a service provider you have multiple customers, each with their own needs and service plans. VDOMs allow you to have a separate configuration for each customer, or group of customers, with up to 500 VDOMs configured per FortiGate unit on high-end models.

Not only does this provide the exact level of service needed by each customer, but administration of the FortiGate unit is easier as well – you can provide uninterrupted service generally with immediate changes as required. Most importantly, it allows you to only use the resources that each customer needs. Inter-VDOM links allow you to customize the level of interaction you need between each of your customers and your administrators.

Chapter 27 – Virtual Domains

  • Virtual Domains in NAT/Route mode on page 2602: detailed explanations and examples for configuring VDOM features for a FortiGate in NAT/Route mode.
  • Virtual Domains in Transparent mode on page 2621: detailed explanations and examples for configuring VDOM features for a FortiGate in Transparent mode.
  • Inter-VDOM routing on page 2638: concepts and scenarios for inter-VDOM routing.
  • Troubleshooting Virtual Domains on page 2671: diagnostic and troubleshooting information for some potential VDOM issues.

 

Before you begin using this guide, take a moment to note the following:

  • By default, most FortiGate units support 10 VDOMs. Many FortiGate models support purchasing a license key to increase the maximum number.
  • This guide uses a FortiGate unit with interfaces named port1 through port4 for examples and procedures. The interface names on some models will vary. Where possible aliases for these ports are indicated to show their intended purpose and to help you determine which ports to use if your ports are labelled differently.
  • Administrators are assumed to be super_admin administrators unless otherwise specified. Some restrictions will apply to other administrators.

 

Virtual Domains Overview

Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. VDOMs can provide separate firewall policies and, in NAT/Route mode, completely separate configurations for routing and VPN services for each connected network or organization.

This chapter will cover the basics of VDOMs, how they change your FortiGate unit, and how to work with VDOMs. VDOMs let you split your physical FortiGate unit into multiple virtual units. The resulting benefits range from limiting Transparent mode ports to simplified administration, to reduced space and power requirements.

When VDOMs are disabled on any FortiGate unit, there is still one VDOM active: the root VDOM. It is always there in the background. When VDOMs are disabled, the root VDOM is not visible but it is still there.

The root VDOM must be there because the FortiGate unit needs a management VDOM for management traffic, among other things. It is also why, when you enable VDOMs, all your configuration is preserved in the root VDOM, because that is where you originally configured it.

 

This section includes:

  • Benefits of Virtual Domains
  • Enabling and accessing Virtual Domains
  • Configuring Virtual Domains