Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider’s managed security service.
VDOMs provide separate security domains that allow separate zones, user authentication, security policies, routing, and VPN configurations. By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, security policies, routing settings, and VPN settings.
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create security policies for connections between Virtual LAN (VLAN) subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs, a packet must pass through a firewall on a physical interface. The packet then arrives at another VDOM on a different interface, but it must pass through another firewall before entering the VDOM Both VDOMs are on the same FortiGate unit. Inter-VDOMs change this behavior in that they are internal interfaces; however their packets go through all the same security measures as on physical interfaces.
This example shows how to enable VDOMs on the FortiGate unit and the basic and create a VDOM accounting on the DMZ2 port and assign an administrator to maintain the VDOM. First enable Virtual Domains on the FortiGate unit. When you enable VDOMs, the FortiGate unit will log you out.
For desktop and low-end FortiGate units, VDOMs are enabled using the CLI. On larger FortiGate units, you can enable on the web-based manager or the CLI. Once enabled all further configuration can me made in the web- based manager or CLI.
To enable VDOMs – web-based manager
1. Go to System > Dashboard > Status.
2. In the System Information widget, select Enable for Virtual Domain.
The FortiGate unit logs you out. Once you log back in, you will notice that the menu structure has changed. This reflects the global settings for all Virtual Domains
To enable VDOMs – CLI
config system global
set vdom-admin enable end
Next, add the VDOM called accounting.
To add a VDOM – web-based manager
1. Go to System > VDOM > VDOM, and select Create New.
2. Enter the VDOM name accounting.
3. Select OK.
To add a VDOM – CLI
config vdom
edit <new_vdom_name>
end
With the Virtual Domain created, you can assign a physical interface to it, and assign it an IP address.
To assign physical interface to the accounting Virtual Domain – web-based manager
1. Go to System > Network > Interface.
2. Select the DMZ2 port row and select Edit.
3. For the Virtual Domain drop-down list, select accounting.
4. Select the Addressing Mode of Manual.
5. Enter the IP address for the port of 10.13.101.100/24.
6. Set the Administrative Access to HTTPS and SSH.
7. Select OK.
To assign physical interface to the accounting Virtual Domain – CLI
config global
config system interface edit dmz2
set vdom accounting
set ip 10.13.101.100/24 set allowaccess https ssh
next end
How to remove a physical interface from a Vdom using CLI?
Config global
config sys int
edit INTERFACENAME
set VDOM VDOMNAMEHERE
next
end