Configuring Virtual Domains

Only a super_admin administrator account such as the default “admin” account can create, disable, or delete VDOMs. That account can create additional administrators for each VDOM. This section includes:

  • Creating a Virtual Domain
  • Disabling a Virtual Domain
  • Deleting a VDOM
  • Administrators in Virtual Domains

Creating a Virtual Domain

Once you have enabled Virtual Domains on your FortiGate unit, you can create additional Virtual Domains beyond the default root Virtual Domain.

By default new Virtual Domains are set to NAT/Route operation mode. If you want a Virtual Domain to be in Transparent operation mode, you must manually change it.

You can name new Virtual Domains as you like with the following restrictions:

  • only letters, numbers, “-”, and “_” are allowed
  • no more than 11 characters are allowed
  • no spaces are allowed
  • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

When creating large numbers of VDOMs you should not enable advanced features such as proxies, web filtering, and antivirus, because FortiGate unit resources are limited. For the same reason, you may also experience reduced performance when running large numbers of VDOMs.

 

To create a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Select Global > System > VDOM.

3. Select Create New.

4. Enter a unique name for your new VDOM.

5. Enter a short and descriptive comment to identify this VDOM.

6. Select OK.

Repeat Steps 3 through 6 to add additional VDOMs.

 

To create a VDOM – CLI:

config vdom
    edit <new_vdom_name>
end

 

If you edit an existing Virtual Domain in the CLI and mistype its name, a new Virtual Domain is created with the misspelled name instead. If expected configuration changes are not visible, this may be the reason. Periodically check your VDOM list to ensure no such misspelled VDOMs are present.

 

Disabling a Virtual Domain

The status of a VDOM can be Enabled or Disabled.

Enabled (active) VDOMs can be configured. Enabled is the default status when a VDOM is created. The management VDOM must be an enabled VDOM.

Disabled VDOMs are considered “offline”. The configuration remains, but you cannot use the VDOM, and only the super_admin administrator can view it. You cannot delete a disabled VDOM without first enabling it and then removing references to it as usual; there is no Delete icon for disabled VDOMs. You can, however, still assign interfaces to a disabled VDOM.

The following procedures show how to disable a VDOM called “test-vdom”.

 

To disable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is not selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a grey X.

 

To disable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status disable
        end
end

 

To enable a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Open the VDOM for editing.

3. Ensure Enable is selected and then select OK.

The VDOM’s Enable icon in the VDOM list is a green checkmark.

 

To enable a VDOM – CLI:

config vdom
    edit test-vdom
        config system settings
            set status enable
        end
end

 

Deleting a VDOM

Deleting a VDOM removes it from the FortiGate unit configuration.

Before you can delete a VDOM, all references to it must be removed, including any per-VDOM objects. If there are any references to the VDOM remaining, you will see an error message and not be able to delete the VDOM.

A disabled VDOM cannot be deleted. You also cannot delete the root VDOM or the management VDOM.

Before deleting a VDOM, a good practice is to reset any interface referencing that VDOM to its default configuration, with “root” selected as the Virtual Domain.

The following procedures show how to delete the test-vdom VDOM.

 

To delete a VDOM – web-based manager:

1. Go to Global > System > VDOM.

2. Select the check box for the VDOM and then select the Delete icon.

If the Delete icon is not active, there are still references to the VDOM that must first be removed. The Delete icon is available when all the references to this VDOM are removed.

3. Confirm the deletion.

 

To delete a VDOM – CLI:

config vdom
    delete test-vdom
end

 

Removing references to a VDOM

When you are going to delete a VDOM, all references to that VDOM must first be removed. It can be difficult to find all the references to the VDOM. This section provides a list of common objects that must be removed before a VDOM can be deleted, and a CLI command to help list the dependencies.

Interfaces are an important part of VDOMs. If you can move all the interfaces out of a VDOM, generally you will be able to delete that VDOM.

 

Common objects that refer to VDOMs

When you are getting ready to delete a VDOM, check for, and remove, the following objects that refer to that VDOM or its components:

  • Routing – both static and dynamic routes
  • Firewall addresses, policies, groups, or other settings
  • Security Features/Profiles
  • VPN configuration
  • Users or user groups
  • Logging
  • DHCP servers
  • Network interfaces, zones, custom DNS servers
  • VDOM Administrators
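Added example, not code from the FortiOS handbook or from this blog: a small Python audit script that parses a constructed, simplified FortiOS configuration backup to list the VDOMs declared under config vdom, so a mistyped name such as the one warned about under Creating a Virtual Domain stands out against your inventory, and to list every object whose set vdom still points at a VDOM you intend to delete. The sample configuration and all names in it are constructed, and the parser understands only the config/edit/set/next/end keywords.

```python
import shlex
# Constructed, simplified FortiOS config excerpt (not from a real unit); 'tset-vdom' is a VDOM created by a mistyped 'edit' name.
SAMPLE_CONFIG = """\
config vdom
edit root
next
edit test-vdom
next
edit tset-vdom
next
end
config system interface
    edit "port2"
        set vdom "test-vdom"
    next
end
config system admin
    edit "admin_sales"
        set vdom "test-vdom"
    next
end
"""
def parse_config(text):
    """Walk config/edit/set/next/end lines; return (table, entry, key, values) rows."""
    stack, rows = [], []  # each stack frame: [table name, current 'edit' entry]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok or (not stack and tok[0] != "config"):
            continue  # blank line, or header text outside any 'config' block
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append([" ".join(args), None])
        elif cmd == "edit":
            stack[-1][1] = args[0]
            rows.append((stack[-1][0], args[0], None, ()))  # key None marks an 'edit'
        elif cmd == "set":
            rows.append((stack[-1][0], stack[-1][1], args[0], tuple(args[1:])))
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return rows

def declared_vdoms(rows):
    """Names under 'config vdom'; compare with your inventory to spot mistyped ones."""
    return sorted({e for t, e, k, _ in rows if t == "vdom" and k is None})

def vdom_references(rows, vdom):
    """(table, entry) pairs whose 'set vdom' points at the VDOM; each one blocks deletion."""
    return [(t, e) for t, e, k, v in rows if k == "vdom" and vdom in v]
```

Run it against a real backup by reading the file into parse_config instead of SAMPLE_CONFIG; any declared VDOM missing from your inventory is a candidate typo, and the references list is what must be cleared before the Delete icon becomes available.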

 

Administrators in Virtual Domains

When Virtual Domains are enabled, permissions change for administrators. Administrators are now divided into per-VDOM administrators, and super_admin administrators. Only super_admin administrator accounts can create other administrator accounts and assign them to a VDOM.

 

Administrator VDOM permissions

Different types of administrator accounts have different permissions within VDOMs. For example, if you are using a super_admin profile account, you can perform all tasks. However, if you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. The following table shows what tasks can be performed by which administrators.

 

Administrator VDOM permissions

Tasks                                  Regular administrator account                    Super_admin profile
                                       Read only permission   Read/write permission     administrator account
View global settings                   yes                    yes                       yes
Configure global settings              no                     no                        yes
Create or delete VDOMs                 no                     no                        yes
Configure multiple VDOMs               no                     no                        yes
Assign interfaces to a VDOM            no                     no                        yes
Revision Control Backup and Restore    no                     no                        yes
Create VLANs                           no                     yes – for 1 VDOM          yes – for all VDOMs
Assign an administrator to a VDOM      no                     no                        yes
Create additional admin accounts       no                     yes – for 1 VDOM          yes – for all VDOMs
Create and edit protection profiles    no                     yes – for 1 VDOM          yes – for all VDOMs

The only difference in admin accounts when VDOMs are enabled is selecting which VDOM the admin account belongs to. Otherwise, by default the administration accounts are the same as when VDOMs are disabled and closely resemble the super_admin account in their privileges.

 

Creating administrators for Virtual Domains

Using the admin administrator account, you can create additional administrator accounts and assign them to VDOMs.

The newly-created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM or through the console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. Without these in place, the new administrator will not be able to access the FortiGate unit and will have to contact the super_admin administrator for access.

The following procedure creates a new Local administrator account called admin_sales with a password of fortinet in the sales VDOM, using the prof_admin default profile.

 

To create an administrator for a VDOM – web-based manager:

1. Log in with a super_admin account.

2. Go to System > Administrators.

3. Select Create New.

4. Select Regular for Type, as you are creating a Local administrator account.

5. Enter the necessary information about the administrator: email, password, etc.

6. If this admin will be accessing the VDOM from a particular IP address or subnet, enable Restrict this Admin Login from Trusted Hosts Only and enter the IP in Trusted Host #1.

7. Select prof_admin for the Admin Profile.

8. Select sales from the list of Virtual Domains.

9. Select OK.

 

To create administrators for VDOMs – CLI:

config global
    config system admin
        edit <new_admin_name>
            set vdom <vdom_for_this_account>
            set password <pwd>
            set accprofile <an_admin_profile>
            …
end

 

Virtual Domain administrator dashboard display

When an administrator logs into their virtual domain, they see a different dashboard than the global administrator sees. The VDOM dashboard displays only information relevant to that VDOM: no global or other-VDOM information is shown.

 

VDOM dashboard information

 

Information              per VDOM                      Global
System Information       read-only                     yes
License Information      no                            yes
CLI console              yes                           yes
Unit Operation           read-only                     yes
Alert Message Console    no                            yes
Top Sessions             limited to VDOM sessions      yes
Traffic                  limited to VDOM interfaces    yes
Statistics               yes                           yes

This entry was posted in FortiOS, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
