Inter-VDOM configurations

InterVDOM configurations

By using fewer physical interfaces to inter-connect VDOMs, inter-VDOM links provide you with more configuration options.

None of these configurations use VLANs to reduce the number of physical interfaces. It is generally assumed that an internal or client network will have its own internal interface and an external interface to connect to its ISP and the Internet.

These inter-VDOM configurations can use any FortiGate model with possible limitations based on the number of physical interfaces. VLANs can be used to work around these limitations.

There are four different types of inter-VDOM configurations:

  • Standalone VDOM
  • Independent VDOMs
  • Management VDOM
  • Meshed VDOM

 

Standalone VDOM

The standalone VDOM configuration uses a single VDOM on your FortiGate unit — the root VDOM that all FortiGate units have by default. This is the VDOM configuration you are likely familiar with. It is the default configuration for FortiGate units before you create additional VDOMs.

The configuration shown above has no VDOM inter-connections and requires no special configurations or settings.

The standalone VDOM configuration can be used for simple network configurations that only have one department or one company administering the connections, firewalls and other VDOM-dependent settings.

However, with this configuration, keeping client networks separate requires many interfaces, considerable firewall design and maintenance, and can quickly become time consuming and complex. Also, configuration errors for one client network can easily affect other client networks, causing unnecessary network downtime.

 

Independent VDOMs

The independent VDOMs configuration uses multiple VDOMs that are completely separate from each other. This is another common VDOM configuration.

This configuration has no communication between VDOMs and apart from initially setting up each VDOM, it requires no special configurations or settings. Any communication between VDOMs is treated as if communication is between separate physical devices.

The independent inter-VDOM configuration can be used where more than one department or one company is sharing the FortiGate unit. Each can administer the connections, firewalls and other VDOM-dependent settings for only its own VDOM. To each company or department, it appears as if it has its own FortiGate unit. This configuration reduces the amount of firewall configuration and maintenance required by dividing up the work.

However, this configuration lacks a management VDOM for VDOMs 1, 2, and 3. This is illustrated in Figure 50. This management VDOM would enable an extra level of control for the FortiGate unit administrator, while still allowing each company or department to administer its own VDOM.

 

Management VDOM

In the management VDOM configuration, the root VDOM is the management VDOM. The other VDOMs are connected to the management VDOM with inter-VDOM links. There are no other inter-VDOM connections.

The inter-VDOM links connect the management VDOM to the other VDOMs. This does not require any physical interfaces, and the bandwidth of inter-VDOM links can be faster than physical interfaces, depending on the CPU workload.

Only the management VDOM is connected to the Internet. The other VDOMs are connected to internal networks. All external traffic is routed through the management VDOM using inter-VDOM links and firewall policies between the management VDOM and each VDOM. This ensures the management VDOM has full control over access to the Internet, including what types of traffic are allowed in both directions. There is no communication directly between the non-root VDOMs. Security is greatly increased with only one point of entry and exit. Only the management VDOM needs to be fully managed to ensure network security in this case. Each client network can manage its own configuration without compromising security or bringing down another client network.

The management VDOM configuration is ideally suited for a service provider business. The service provider administers the management VDOM with the other VDOMs as customers. These customers do not require a dedicated IT person to manage their network. The service provider controls the traffic and can prevent the customers from using banned services and prevent Internet connections from initiating those same banned services. One example of a banned service might be Instant Messaging (IM) at a company concerned about intellectual property. Another example could be to limit bandwidth used by file-sharing applications without banning that application completely. Firewall policies control the traffic between the customer VDOM and the management VDOM and can be customized for each customer.

The management VDOM configuration is limited in that the customer VDOMs have no inter-connections. In many situations this limitation is ideal because it maintains proper security. However, some configurations may require customers to communicate with each other, which would be easier if the customer VDOMs were inter- connected.

 

Meshed VDOM

The meshed VDOMs configuration, including partial and full mesh, has VDOMs inter-connected with other VDOMs. There is no special feature to accomplish this—they are just complex VDOM configurations.

Partial mesh means only some VDOMs are inter-connected. In a full mesh configuration, all VDOMs are inter- connected to all other VDOMs. This can be useful when you want to provide full access between VDOMs but handle traffic differently depending on which VDOM it originates from or is going to.

With full access between all VDOMs being possible, it is extra important to ensure proper security. You can achieve this level of security by establishing extensive firewall policies and ensuring secure account access for all administrators and users.

Meshed VDOM configurations can become complex very quickly, with full mesh VDOMs being the most complex. Ensure this is the proper solution for your situation before using this configuration. Generally, these configurations are seen as theoretical and are rarely deployed in the field.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

10 thoughts on “Inter-VDOM configurations

  1. Aliou

    Hello. Thanks for this useful post.

    I am a bit confused regarding the sentence “Only the management VDOM is connected to the Internet”. is this a must or just a recommendation?
    I have a network with internal, External (internet) and DMZ and i want to use vdoms. I was thinking of using a vdom for External (mgmt vdom) and another vdom Internal. the DMZ vlans will be part of both VDOMs.
    Internet————-VDOM Ext–\———|———/—-VDOM Int————–Internal network
    |
    DMZ
    |
    what are your thought on this solution? Is this a good practice?

    Thanks

    Reply
    1. Mike Post author

      VDOMs give you pretty serious configuration options. Incredibly flexible. When the post says that only the management VDOM is connected to the internet it means that is the VDOM that is utilized for FortiGuard etc lookups. So you need to ensure policies etc are configured as such to allow its communication.

      Reply
  2. Tony

    Hi Mike,
    Quick question; I’m sharing a FG-100D between 3 companies while using an independent VDOM topology. So basically, each company got its own WAN and some LAN ports. The problem I have is that I’m not sure how to connect the global VDOM to the internet so I keep my FG-100D up to date with all the signatures.

    Any thoughts?

    Cheers,
    Tony

    Reply
    1. Mike Post author

      Tony,
      Do you allow each company to manage their own VDOM? If so, you can setup a “MGMT” VDOM that you set to be the primary. FortiGuard traffic will go over the default / main VDOM automatically. If they don’t manage their own VDOM and you just break it apart for separation and organization purposes then you can just make one of their VDOMs be the VDOM that FortiGuard uses.

      Reply
  3. Tony

    Hi Mike,
    Thanks for your replay.
    So, you’re saying I should create another VDOM called MGMT apart from root and even if that one doesn’t have any WAN interfaces configured with a public IP, it will be able to reach Fortiguard automatically if I change its role to management VDOM ? 3 companies are sharing the fortigate maybe 5 in the near future and yes, they have to have the feeling, when logging in, that they have and manage their own fortigate. What if I make one of the companies’s VDOM the management one ?
    Not to mention that apparently I lost the DDNS feature. I thought that it’s going to be available per VDOM/WAN interface. 🙂
    Cheers,
    Tony

    Reply
  4. Sam

    Hi,
    I decided to test the Vdom capability, so I enabled this option on the box, after doing that I have a root Vdom and the global one, then I decided to add a new Vdom for guests, the type is NAT and I assigned two physical interfaces for this Vdom, I configured one with a DHCP server. now I wanted to share the WAN1 interface with this Vdom to access internet and I did a Vdom link connection to the WAN0, WAN1 ports, now I created a policy from the internal to the WAN0 with all all settings and NAT enabled.
    I ended up with no internet on this Vdom nor I can ping the vdom internal interface IP
    What have I done wrong?

    Thank you

    Reply
  5. Sam

    Forgot to mention That I connected a PC directly to the Guest Vdom interface and the PC got the IP from the DHCP with no problems, but this PC can not ping the Vdom port IP nor can access the internet.
    Note: I did not add any static routes and kept the default

    Thanks

    Reply
    1. Mike Post author

      The VDOM internal interface that you are using DHCP on needs PING enabled. You also need inter-VDOM links and appropriate policy between the guest VDOM and the main that will allow the traffic to traverse.

      Reply
  6. Sam

    Ping is already enabled!
    Do I have to set addresses in the address book to use for the polices for both networks or I can use all all in the policy settings? (I’m used all all)

    Reply

Leave a Reply to Mike Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.