# config system global
Global settings
Global settings are configured outside of any VDOM. They affect the entire FortiGate and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and so on. Global settings should only be changed by top-level (global) administrators.
Global and per-VDOM resources
Global and per-VDOM resources can be configured when the FortiGate is in multi-VDOM mode. Global resources apply to resources that are shared by the whole FortiGate, while per-VDOM resources are specific to each VDOM.
By default, no per-VDOM resource limits are set, so any single VDOM can consume all of the FortiGate's resources and starve the other VDOMs.
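The per-VDOM resource settings live under config system vdom-property in the Global scope. The following is an added example written for this page, not configuration from the original post: the default state (no limits) beside a capped configuration for a VDOM named VDOM12. The VDOM name and all numbers are assumptions chosen for illustration. Each resource takes two values, a guaranteed amount and a maximum; 0 means no limit.

```fortios
# Default state of a freshly created VDOM: every resource is 0 0 (unlimited),
# so this VDOM may exhaust sessions, tunnels or policy slots for all others.
config global
    config system vdom-property
        edit "VDOM12"
            set session 0 0
            set ipsec-phase1 0 0
            set firewall-policy 0 0
        next
    end
end

# Hardened: guarantee a floor and cap the ceiling so one tenant cannot starve the rest.
# Values are <guaranteed> <maximum>; the numbers below are illustrative assumptions.
config global
    config system vdom-property
        edit "VDOM12"
            set description "Tenant 12"
            set session 20000 100000
            set ipsec-phase1 10 50
            set ipsec-phase2 10 50
            set firewall-policy 50 500
            set firewall-address 100 2000
        next
    end
end
```

After applying, `show system vdom-property` in the Global scope lists the limits per VDOM; a VDOM still showing only 0 0 values is running unlimited.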
VDOM types
Admin
Traffic
LAN extension
When the VDOM type is set to Admin, the VDOM is used to administer and manage the FortiGate. Usually, the Admin VDOM resides in a management network which is only accessible by administrators. Global and VDOM administrators can log in to the FortiGate using SSH, HTTPS, and so on but traffic cannot pass through this Admin VDOM. A FortiGate does not need to have an Admin VDOM and, at most, there can only be one Admin VDOM per FortiGate.
When VDOM type is set to Traffic, the VDOM can pass traffic like a regular firewall. Most VDOMs will be Traffic type VDOMs. Network interfaces on a Traffic VDOM can also enable SSH, HTTPS, and so on for administrative and management purposes.
In general, an Admin VDOM has a subset of a Traffic VDOM’s capabilities.
A LAN extension mode VDOM allows a remote FortiGate to provide remote connectivity to a local FortiGate over a backhaul connection. It can only be configured in the CLI.
Management VDOM
The management VDOM refers to a specific role that must be assigned to exactly one of the VDOMs.
By default, the root VDOM is the management VDOM, and management-related services such as FortiGuard updates and other local out (self-originating) traffic such as logs to remote servers originate from the management VDOM. The management VDOM cannot be deleted.
An Admin-type VDOM is optional. By default, the root VDOM is a Traffic-type VDOM and holds the management VDOM role.
VM:
When a new FortiGate VM is switched to multi-VDOM mode, it has a Traffic-type root VDOM, which is also the management VDOM.
Creating a new VDOM in the GUI failed with an error, no matter which type was chosen. The error did not really say what was wrong, but the CLI console showed the message "root vdom type must be admin to create new vdom". After changing the root VDOM to type Admin, we could create a Traffic VDOM.
Only the Global VDOM has a FortiGuard connection.
This firewall has five LAN interfaces (internal1 to internal5). Out of the box they belong to a VLAN switch called LAN (internal), which has VLAN ID 0.
1. In Global settings, under System > VDOM, add a new VDOM; in this lab it is named VDOM12.
2. In Global settings, create a new interface under the LAN (internal) interface with VLAN ID 12, and assign it to VDOM12.
3. Switch to VDOM12 and verify that the VLAN12 interface shows up.
4. A VDOM link is required for VDOM12 to reach the Internet via the root VDOM.
5. Add a default route in VDOM12 pointing at the VDOM link.
6. Add a static route in the root VDOM for the network 172.16.12.0/24 pointing back through the VDOM link.
7. Add a firewall policy in VDOM12 with NAT disabled, so the root VDOM sees the original 172.16.12.0/24 source addresses.
8. Add a firewall policy in the root VDOM with NAT enabled.
9. Add a VDOM administrator account with the administrator profile prof_admin, the built-in profile whose permissions are limited to the administrator's assigned VDOM and do not extend to global settings.
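The nine steps above expressed as the equivalent FortiOS CLI. This is an added example written for this page, not configuration from the original post. The VDOM name VDOM12, VLAN ID 12, the 172.16.12.0/24 network and the prof_admin profile come from the steps above; the switch interface name "internal", the WAN interface "wan1", the VDOM link name "vlink" (which yields the interfaces vlink0 and vlink1), the addressing (172.16.12.1 on VLAN12, 10.255.0.0/30 on the link), the admin name, the trusted-host subnet and the password placeholder are all assumptions. It assumes the root VDOM is a Traffic-type VDOM, as on the hardware unit described, so that it can forward VDOM12's traffic to the Internet.

```fortios
# Steps 1-3 (Global scope): create the VDOM and the VLAN sub-interface on the internal switch.
config global
    config system vdom
        edit "VDOM12"
        next
    end
    config system interface
        edit "VLAN12"
            set vdom "VDOM12"
            set interface "internal"
            set vlanid 12
            set ip 172.16.12.1 255.255.255.0
            set allowaccess ping
        next
    end
    # Step 4: an inter-VDOM link. Creating "vlink" yields the interfaces vlink0 and vlink1.
    config system vdom-link
        edit "vlink"
        next
    end
    config system interface
        edit "vlink0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "vlink1"
            set vdom "VDOM12"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end
# Steps 5 and 7 (VDOM12 scope): default route over the link and an outbound policy without NAT.
config vdom
    edit "VDOM12"
        config router static
            edit 1
                set gateway 10.255.0.1
                set device "vlink1"
            next
        end
        config firewall policy
            edit 1
                set name "vlan12-to-root"
                set srcintf "VLAN12"
                set dstintf "vlink1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat disable
            next
        end
    next
end
# Steps 6 and 8 (root scope): return route for VDOM12's network and an egress policy that NATs to wan1.
config vdom
    edit "root"
        config router static
            edit 2
                set dst 172.16.12.0 255.255.255.0
                set gateway 10.255.0.2
                set device "vlink0"
            next
        end
        config firewall address
            edit "VDOM12-net"
                set subnet 172.16.12.0 255.255.255.0
            next
        end
        config firewall policy
            edit 10
                set name "vdom12-to-internet"
                set srcintf "vlink0"
                set dstintf "wan1"
                set srcaddr "VDOM12-net"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
# Step 9 (Global scope): a VDOM-scoped administrator. prof_admin cannot change global settings.
config global
    config system admin
        edit "vdom12-admin"
            set accprofile "prof_admin"
            set vdom "VDOM12"
            set trusthost1 10.0.100.0 255.255.255.0
            set password "<set-a-strong-password>"
        next
    end
end
```

Two choices here are deliberate checks rather than defaults: the root egress policy only accepts the VDOM12-net address object as source, so a misrouted or spoofed source entering vlink0 is dropped instead of NATed out, and the VDOM admin is pinned to a trusted management subnet with trusthost1, so the account is unusable from the user VLAN even if its password leaks. The VLAN12 interface only allows ping, so the FortiGate's management interfaces are not reachable from the tenant network.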