Chapter 8. VDOM
8.1 VDOM
Learning Objectives
- Create a VDOM
- Configure a security policy in VDOMs
Scenario: This example illustrates how to use VDOMs to host two FortiOS instances on a single FortiGate unit.
Virtual Domains (VDOMs) can be used to divide a single FortiGate unit into two or more virtual instances of FortiOS that function as independent FortiGate units. This example simulates an ISP that provides Company A and Company B with distinct internet services. Each company has its own VDOM, IP address, and internal network.
Enable VDOMs
Device | IP address | Access |
---|---|---|
WebTerm-VDOMA | DHCP Client | HTTPS |
WebTerm-VDOMB | DHCP Client | HTTPS |
FortiGate | Port 2: DHCP Client – VDOM B; Port 3: DHCP Client – VDOM A; Port 4: DHCP Server – VDOM A; Port 5: DHCP Server – VDOM B | Port 2 – Management Access |
Ethernet Switch | – | – |
NAT | – | – |
- In order to enable Virtual Domains, the following CLI command is required:
    config system global
        set vdom-mode multi-vdom
    end
- Log out of FortiGate and log in again. You should be able to see the result shown in Figure 8.2.
- Go to Global > System > VDOM. Create two VDOMs, VDOM-A and VDOM-B. Leave both VDOMs Enabled, with Operation Mode set to NAT and NGFW Mode set to Profile-based.
- Go to Global > Network > Interfaces. Edit Port2 and add it to VDOM-B. Set Addressing Mode to DHCP.
If the port is under root and you can’t move it to VDOM-B, you should first delete the references related to the port.
- Go to Global > Network > Interfaces. Edit Port4 and add it to VDOM-A. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (192.168.91.1/255.255.255.0), and finally enable DHCP Server.
- Go to Global > Network > Interfaces. Edit Port3 and add it to VDOM-A and set Addressing Mode to DHCP.
- Go to Global > Network > Interfaces. Edit Port5 and add it to VDOM-B. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (192.168.92.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.
Creating Administrators for Each VDOM
- Go to Global > System > Administrators. Create an administrator for VDOM-A, called vdom-a. Set Type to Local User, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-A. Make sure to remove the root VDOM from the Virtual Domain list.
- Go to Global > System > Administrators. Create an administrator for VDOM-B, called vdom-b. Set Type to Local User, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-B. Make sure to remove the root VDOM from the Virtual Domain list.
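The two administrator accounts as CLI, added as an example and not part of the lab manual. Passwords are placeholders. The security point of this step is scoping: `prof_admin` has no global (system-wide) permissions, and because `set vdom` lists only the one VDOM, the account cannot see or change the root VDOM or the other company's VDOM.

```fortios
# Added example: VDOM-scoped administrators. Replace the <...> placeholders with real passwords.
config global
    config system admin
        edit vdom-a
            set accprofile prof_admin
            set vdom VDOM-A
            set password <vdom-a-password>
        next
        edit vdom-b
            set accprofile prof_admin
            set vdom VDOM-B
            set password <vdom-b-password>
        next
    end
end

# Verify that neither account lists "root" in its vdom setting before handing it over.
config global
    show system admin vdom-a
    show system admin vdom-b
end
```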
Security Policy Setting for VDOM-A
- Go to Virtual Domains > VDOM-A > Network > Static Routes. Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to port3, and set Gateway to the IP of the gateway router.
- Go to Policy & Objects > Firewall Policy. Create a policy to allow internet access. Set Incoming Interface to port4 and Outgoing Interface to port2. Ensure NAT is turned ON. Set Source Address to all, Destination Address to all, and Service to ALL.
- Now you should be able to reach the internet from WebTerm-VDOMA.
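The VDOM-A default route and internet policy as CLI, added here as an example rather than the lab's own configuration. The gateway address is a placeholder for the gateway router's IP. The step above names port2 as the outgoing interface; in this lab port2 belongs to VDOM-B and is not selectable from VDOM-A, so the example uses port3, the interface the VDOM-A default route points at (an assumption on my part). `set logtraffic all` is also an addition, so that the policy's sessions show up in the forward traffic log when you verify from WebTerm-VDOMA.

```fortios
# Added example: everything here is VDOM-scoped, so it sits inside "config vdom / edit VDOM-A".
config vdom
    edit VDOM-A
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device port3
                set gateway <gateway-router-ip>
            next
        end
        config firewall policy
            edit 1
                set name "VDOM-A-internet"
                set srcintf port4
                set dstintf port3
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
                set logtraffic all
            next
        end
    next
end

# Quick checks from the VDOM-A context: the route must be active and the policy must be hit.
config vdom
    edit VDOM-A
        get router info routing-table all
        diagnose firewall iprope show 100004 1
    next
end
```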
Security Policy Setting for VDOM-B
- Go to Virtual Domains > VDOM-B > Network > Static Routes. Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to port2, and set Gateway to the IP of the gateway router.
- Go to Policy & Objects > Policy > IPv4. Create a policy to allow internet access. Set Incoming Interface to port5 and Outgoing Interface to port2. Ensure NAT is turned ON. Set Source Address to all, Destination Address to all, and Service to ALL.
- Create traffic shaping under Policy & Objects as follows:
  - Create a Traffic Shaping Policy with the following configuration:
    - Name: VDOMB
    - Source: All
    - Destination: All
    - Service: All
    - Outgoing Interface: Port2
    - Shared Shaper: VDOMB
    - Reverse Shaper: VDOMB
- Now open the browser in WebTerm-VDOMB, go to Fast.com, and verify your configuration.
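The VDOM-B traffic shaper and shaping policy as CLI, added as an example and not the lab's own configuration. The shaping policy above references a shaper named VDOMB that the GUI steps do not show being created, so the example creates it first; its bandwidth figures are constructed values (the page gives none), and `srcintf port5` is an assumption included because newer FortiOS builds ask for a source interface on shaping policies. The VDOM-B route and firewall policy mirror the VDOM-A ones (port5 in, port2 out) and are omitted here.

```fortios
# Added example: shaper and shaping policy live inside VDOM-B.
config vdom
    edit VDOM-B
        # The shared shaper the policy refers to; bandwidth values are constructed for the example.
        config firewall shaper traffic-shaper
            edit VDOMB
                set bandwidth-unit kbps
                set guaranteed-bandwidth 1000
                set maximum-bandwidth 5000
            next
        end
        # Shaping policy: applies VDOMB in both directions on traffic leaving via port2.
        config firewall shaping-policy
            edit 1
                set name "VDOMB"
                set srcintf port5
                set dstintf port2
                set srcaddr all
                set dstaddr all
                set service ALL
                set traffic-shaper VDOMB
                set traffic-shaper-reverse VDOMB
            next
        end
    next
end

# Verification from the VDOM-B context while the Fast.com test runs: the shaper's
# counters (packets/bytes, drops) should increase if the policy is matching.
config vdom
    edit VDOM-B
        diagnose firewall shaper traffic-shaper list
    next
end
```

If the Fast.com result is not capped, check that a firewall policy in VDOM-B actually carries the traffic out of port2; a shaping policy only applies to sessions that an accept policy already allows.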