Enabling and accessing Virtual Domains
While Virtual Domains are essentially the same as your regular FortiGate unit for menu configuration, CLI command structure, and general task flow, there are some small differences.
After first enabling VDOMs on your FortiGate unit, you should take the time to familiarize yourself with the interface. This section will help walk you through virtual domains.
This section includes:
- Enabling Virtual Domains
- Viewing the VDOM list
- Global and per-VDOM settings
- Resource settings
- Virtual Domain Licensing
- Logging in to VDOMs
Enabling Virtual Domains
Using the default admin administration account, you can enable or disable VDOM operation on the FortiGate unit.
To enable VDOM configuration – web-based manager:
1. Log in with a super_admin account.
2. Go to the Dashboard.
3. In the System Information widget, locate Virtual Domain. Select Enable and confirm your selection. The FortiGate unit logs off all sessions. You can now log in again as admin.
To enable VDOM configuration – CLI:
config system global
set vdom-admin enable end
Changes to the web-based manager and CLI
When Virtual Domains are enabled, your FortiGate unit will change. The changes will be visible in both the web- based manager and CLI, just the web-based manager, or just the CLI.
When enabling VDOMs, the web-based manager and the CLI are changed as follows:
- Global and per-VDOM configurations are separated. This is indicated in the Online Help by Global and VDOM icons.
- Only admin accounts using the super_admin profiles can view or configure global options
- Admin accounts using the super_admin profile can configure all VDOM configurations.
- All other administrator accounts can configure only the VDOM to which they are assigned. The following changes are specific to the web-based manager:
- In the Global view, the System section of the left-hand menu is renamed to Global, and includes a VDOM sub- menu.
- The Log Config menu is moved from Log & Report into the new Global section.
- For admin accounts using the super_admin profile, a new section called Virtual Domains is added at the bottom of the left-hand menu. It lists all the individual VDOMs as expandable menus, with all VDOM specific options in that menu, which allows you to easily select which VDOM to configure, including the root VDOM.
In the CLI, admin accounts using the super_admin profile must specify either the global or a VDOM-specific shell before entering commands:
- To change FortiGate unit system settings, from the top level you must first enter the following CLI before entering commands:
- To change VDOM settings, from the top level you must first enter the following CLI before entering commands for that VDOM:
Settings configured outside of a VDOM are called global settings. These settings affect the entire FortiGate unit and include areas such as interfaces, HA, maintenance, some antivirus settings, and some logging settings. In general, any unit settings that should only be changed by the top level administrator are global settings.
Settings configured configwithin a VDOM are called VDOM settings. These settings affect only that specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus, some logging, and reporting.
Viewing the VDOM list
The VDOM list shows all virtual domains, their status, and which VDOM is the management VDOM. It is accessible if you are logged in on an administrator account with the super_admin profile such as the “admin” administrator account.
In the VDOM list you can create or delete VDOMs, edit VDOMs, change the management VDOM, and enable or disable VDOMs.
You can access the VDOM list when viewing by going to Global > System > VDOM.
The root domain cannot be disabled, even if it is not the management VDOM.
Global and per-VDOM settings
Settings configured outside of a VDOM are called global settings. These settings affect the entire FortiGate unit and include areas such as interfaces, HA, maintenance, some antivirus, and some logging. In general, any unit settings that should only be changed by the top level administrator are global settings.
Settings configured within a VDOM are called VDOM settings. These settings affect only that specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus, some logging settings, and reporting.
When Virtual Domains are not enabled, the entire FortiGate unit is effectively a single VDOM. Per-VDOM limits apply. For some resource types, the global limit cannot be reached with only one VDOM.
Your FortiGate unit has a limited amount of hardware resources such as memory, disk storage, CPU operations. When Virtual Domains are disabled, this limit is not a major concern because all sessions, users, and other processes share all the resources equally.
When using Virtual Domains, hardware resources can be divided differently between Virtual Domains as they are needed. Minimum levels of resources can be specified for each VDOM, so that no Virtual Domain will suffer a complete lack of resources.
For example, if one VDOM has only a web server and logging server connected, and a second VDOM has an internal network of 20 users, these two VDOMs will require different levels of resources. The first VDOM will require many sessions but no user accounts. This compares to the second VDOM where user accounts and management resources are required, but fewer sessions.
Using the global and per-VDOM resource settings, you can customize the resources allocated to each VDOM to ensure the proper level of service is maintained on each VDOM.
Global resource settings
Global Resources apply to the whole FortiGate unit. They represent all of the hardware capabilities of your unit. By default the values are set to their maximum values. These values vary by your model due to each model having differing hardware capabilities.
It can be useful to change the maximum values for some resources to ensure there is enough memory available for other resources that may be more important to your configuration.
To use the earlier example, if your FortiGate unit is protecting a number of web servers and other publicly accessible servers you would want to maximize the available sessions and proxies while minimizing other settings that are unused such as user settings, VPNs, and dial-up tunnels.
Global Resources are only configurable at the global level, and only the admin account has access to these settings. To view the resource list, go to Global > System > Global Resources. You can also use the following CLI command:
config system resource-limits get
Note that global resources, such as the log disk quota resource, will only be visible if your FortiGate unit hardware supports those resources, such as having a hard disk to support the log disk resource.
For explicit proxies, when configuring limits on the number of concurrent users, you need to allow for the number of users based on their authentication method. Other- wise you may run out of user resources prematurely.
Each session-based authenticated user is counted as a single user using their authen- tication membership (RADIUS, LDAP, FSAE, local database etc.) to match users in other sessions. So one authenticated user in multiple sessions is still one user.
For all other situations, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.
Per–VDOM resource settings
While Global resources apply to resources shared by the whole FortiGate unit, per-VDOM resources are specific to only one Virtual Domain.
By default all the per-VDOM resource settings are set to no limits. This means that any single VDOM can use up all the resources of the entire FortiGate unit if it needs to do so. This would starve the other VDOMs for resources to the point where they would be unable to function. For this reason, it is recommended that you set some maximums on resources that are most vital to your customers.
Each Virtual Domain has its own resource settings. These settings include both maximum, and minimum levels. The maximum level is the highest amount of that resource that this VDOM can use if it is available on the FortiGate unit. Minimum levels are a guaranteed level that this minimum level of the resource will always be available no matter what the other VDOMs may be using.
For example, consider a FortiGate unit that has ten VDOMs configured. vdom1 has a maximum of 5000 sessions and a minimum of 1000 sessions. If the FortiGate unit has a global maximum of 20,000 sessions, it is possible that vdom1 will not be able to reach its 5000 session upper limit. However, at all times vdom1 is guaranteed to have 1000 sessions available that it can use. On the other hand, if the remaining nine VDOMs use only 1000 sessions each, vdom1 will be able to reach its maximum of 5000.
To view per-VDOM resource settings – web-based manager:
1. Select Global > System > VDOM.
2. Select the root VDOM, and select Edit.
3. Adjust the settings in the Resource Usage section of the page.
4. Select OK.
To view per-VDOM resource settings – CLI:
config system vdom-property edit root
Virtual Domain Licensing
For select FortiGate models in the 1U category and higher, you can purchase a license key to increase the maximum number of VDOMs. Most Enterprise and Large Enterprise (2U) models can support up to 500 VDOMs. Chassis-based models can support over 500 VDOMs. For specific information, see the product data sheet.
Configuring 500 or more VDOMs will result in reduced system performance. See Troubleshooting Virtual Domains.
Your FortiGate unit has limited resources that are divided among all configured VDOMs. These resources include system memory and CPU. Running security fea- tures on many VDOMs at once can limit resources available for basic processing. If you require many VDOMs, all with active security features, it is recommended to upgrade to a more powerful FortiGate unit.
It is important to backup your configuration before upgrading the VDOM license on your FortiGate unit or units, especially with FortiGate units in HA mode.
To obtain a VDOM license key
1. Log in with a super_admin account.
2. Go to the Dashboard.
3. Record your FortiGate unit serial number as shown in System Information widget.
4. In the License Information widget, locate Virtual Domain and select Purchase More.
If you do not see the Purchase More option on the System Dashboard, your FortiGate model does not support more than 10 VDOMs.
5. You will be taken to the Fortinet customer support website where you can log in and purchase a license key for 25,50, 100, 250, 500, or more VDOMs.
6. When you receive your license key, go to the Dashboard and select Upload License under License
Information, Virtual Domains.
7. In the Input License Key field, enter the 32-character license key you received from Fortinet customer support.
8. Select Apply.
To verify the new VDOM license, in global configuration go to System > Dashboard. Under License
Information, Virtual Domains the maximum number of VDOMs allowed is shown.
VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total num- ber of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.
Logging in to VDOMs
Management services communicate using the management VDOM, which is the root VDOM by default.
Management traffic requires an interface that has access to the Internet. If there is no interface assigned to the VDOM containing the management traffic, services including updates will not function.
To access a VDOM with a super_admin account – web-based manager:
1. Log in with a super_admin account.
2. In the Virtual Domains menu on the left-hand side, select the VDOM to configure.
The menu will expand to show the various pages and settings for that VDOM.
3. When you have finished configuring the VDOM, you can
- open the Global menu to return to global configuration
- log out
To access a VDOM with a super_admin account – CLI:
With the super_admin, logging into the CLI involves also logging into the specific VDOM. If you need a reminder, use edit ? to see a list of existing VDOMs before you editing a VDOM.
If you misspell a VDOM you are trying to switch to, you will create a new VDOM by that name. Any changes you make will be part of the new VDOM, and not the intended VDOM. If you are having problems where your changes aren’t visible, back up to the top level and use edit ? to see a list of VDOMs to ensure this has not happened. If it has happened, see Enabling and accessing Virtual Domains.
config vdom edit ?
<enter vdom related commands>
To access a VDOM with a non super_admin account – web-based manager:
1. Connect to the FortiGate unit using an interface that belongs to the VDOM to be configured.
2. Log in using an administrator account that has access to the VDOM.
The main web-based manager page opens. The interface is largely the same as if the device has VDOMs disabled. From here you can access VDOM-specific settings.
To access a VDOM with a non-super_admin account – CLI:
A non-super_admin account has access to only one VDOM and must log in through an interface that belongs to the same VDOM, but the process is the same as logging into a non-VDOM unit.
<enter vdom related commands>
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!