
Handbook

Virtual domains

6.0.0

Virtual domains

Virtual domains (VDOMs) are a method of dividing a FortiGate into two or more virtual units that function as multiple independent units. A single FortiGate is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider’s managed security service.

VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations. By default, each FortiGate has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, virtual LAN (VLAN) subinterfaces, zones, security policies, routing settings, and VPN settings.

When a packet enters a VDOM, it's confined to that VDOM. In a VDOM, you can create security policies for connections between VLAN subinterfaces or zones in the VDOM. Packets don't cross the virtual domain border internally. To travel between VDOMs, a packet must pass through a firewall on a physical interface. The packet then arrives at another VDOM on a different interface, but it must pass through another firewall before entering the VDOM. Both VDOMs are on the same FortiGate. Inter-VDOMs change this behavior because they are internal interfaces. However, their packets go through all the same security measures as on physical interfaces.

The following example shows how to enable VDOMs on a FortiGate, create a VDOM named accounting on the DMZ2 port, and assign an administrator to maintain the VDOM. First, enable VDOMs on the FortiGate. When you enable VDOMs, the FortiGate logs you out.

For desktop and low-end FortiGate devices, you use the CLI to enable VDOMs. Once you enable VDOMs, all further configuration can be done using the GUI or the CLI. On larger FortiGate units, you can use the GUI or the CLI to enable VDOMs.

To enable VDOMs - GUI:
  1. Go to System > Settings.
  2. Enable the Virtual Domains option.
  3. Select OK.

The FortiGate logs you out. Once you log back in, you'll notice that the menu structure has changed. This reflects the global settings for all VDOMs:

To enable VDOMs - CLI:

config system global
    set vdom-admin enable
end

Next, add the VDOM called accounting.

To add a VDOM - GUI:
  1. Go to System > VDOM, and select Create New.
  2. Enter the VDOM name accounting.
  3. Select OK.

To add a VDOM - CLI:

config vdom
    edit <new_vdom_name>
end

With the VDOM created, you can assign a physical interface to it and give that interface an IP address.

To assign a physical interface to the accounting VDOM - GUI:
  1. Go to Network > Interfaces.
  2. Select the DMZ2 port row and select Edit.
  3. For the Virtual Domain drop-down list, select accounting.
  4. Select the Addressing mode of Manual.
  5. Enter the IP address for the port of 10.13.101.100/24.
  6. Set the Administrative Access to HTTPS and SSH.
  7. Select OK.

To assign a physical interface to the accounting VDOM - CLI:

config global
    config system interface
        edit dmz2
            set vdom accounting
            set ip 10.13.101.100/24
            set allowaccess https ssh
        next
    end
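An added review check for the procedure above (not code from the handbook or from Fortinet): it parses the config system interface block of a FortiOS configuration export, reports which interfaces each VDOM owns, and flags any interface whose administrative access still permits HTTP or Telnet rather than only HTTPS and SSH as configured for dmz2. The sample export is constructed for the example and assumes no nested config sub-blocks inside the interface section.

```python
from collections import defaultdict

# Constructed sample FortiOS 6.0 config export: port1 in root, dmz2 in accounting.
SAMPLE_CONFIG = """\
config global
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh http telnet
    next
    edit "dmz2"
        set vdom "accounting"
        set ip 10.13.101.100 255.255.255.0
        set allowaccess https ssh
    next
end
end
"""
CLEARTEXT_ACCESS = {"http", "telnet"}  # management protocols without encryption

def parse_interfaces(config_text):
    """Map interface name -> {"vdom", "allowaccess"} from 'config system interface'."""
    interfaces, current, in_section = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_section = True
        elif not in_section:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip('"')
            interfaces[current] = {"vdom": "root", "allowaccess": set()}  # no 'set vdom' = root
        elif line.startswith("set vdom ") and current:
            interfaces[current]["vdom"] = line[9:].strip('"')
        elif line.startswith("set allowaccess ") and current:
            interfaces[current]["allowaccess"] = set(line[16:].split())
        elif line == "next":
            current = None
        elif line == "end":
            break  # closing 'end' of the interface block (assumes no nested blocks)
    return interfaces

def interfaces_by_vdom(interfaces):
    groups = defaultdict(list)  # VDOM name -> interface names it owns
    for name, attrs in interfaces.items():
        groups[attrs["vdom"]].append(name)
    return {vdom: sorted(names) for vdom, names in groups.items()}

def cleartext_admin_access(interfaces):
    # Interfaces whose administrative access still allows HTTP or Telnet.
    return sorted(n for n, a in interfaces.items() if a["allowaccess"] & CLEARTEXT_ACCESS)
```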
