Chapter 8. VDOM

8.1 VDOM

Learning Objectives

  • Create a VDOM
  • Configure a security policy in VDOMs

Scenario: This example illustrates how to use VDOMs to host two FortiOS instances on a single FortiGate unit.

Virtual Domains (VDOMs) divide a single FortiGate unit into two or more virtual instances of FortiOS that function as independent FortiGate units: each VDOM has its own interfaces, routing table, firewall policies and administrators, while the firmware, global settings and hardware resources remain shared. This example simulates an ISP that provides Company A and Company B with distinct internet services. Each company has its own VDOM, IP address range, and internal network.

Figure 8.1: Main scenario

Enable VDOMs

Table 8.1: Devices configuration

Device            IP address                       Access
WebTerm-VDOMA     DHCP client                      HTTPS
WebTerm-VDOMB     DHCP client                      HTTPS
FortiGate         Port 2: DHCP client – VDOM-B     Port 2 – management access
                  Port 3: DHCP client – VDOM-A
                  Port 4: DHCP server – VDOM-A
                  Port 5: DHCP server – VDOM-B
Ethernet Switch   NAT

  1. In order to enable Virtual Domains, the following CLI command is required:
    config system global
    set vdom-mode multi-vdom
    end
  2. Log out of the FortiGate and log in again. The GUI now shows the default VDOM layout of Figure 8.2, with root as the only VDOM.
    Figure 8.2: Default VDOMs
  3. Go to Global > System > VDOM. Create two VDOMs, VDOM-A and VDOM-B. Leave both VDOMs Enabled, with Operation Mode set to NAT and NGFW Mode set to Profile-based.
    Figure 8.3: VDOM-A configuration
    Figure 8.4: VDOM-B configuration
  4. Go to Global > Network > Interfaces. Edit port2, set Virtual Domain to VDOM-B, and set Addressing Mode to DHCP.
    Figure 8.5: Port2 configuration
    If port2 is still in root and cannot be moved to VDOM-B, something in root still references it (a static route, firewall policy, DHCP server or zone). Delete those references first; FortiOS refuses to move an interface that is in use.
  5. Go to Global > Network > Interfaces. Edit Port4 and add it to VDOM-A. Set Addressing Mode to Manual and assign an IP/Network mask to the interface (192.168.91.1/255.255.255.0) and finally Enable DHCP Server.
    Figure 8.6: Port4 configuration
  6. Go to Global > Network > Interfaces. Edit Port3 and add it to VDOM-A and set Addressing Mode to DHCP.
    Figure 8.7: Port3 configuration
  7. Go to Global > Network > Interfaces. Edit Port5 and add it to VDOM-B. Set Addressing Mode to Manual and assign an IP/Network Mask to the interface (192.168.92.1/255.255.255.0) and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.
    Figure 8.8: Port5 configuration
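The same "Enable VDOMs" steps entered through the FortiOS CLI instead of the GUI, as an added example that is not part of the original chapter. VDOM names, ports and interface addresses are the ones used above; the DHCP address pools (192.168.91.10-100 and 192.168.92.10-100) are assumptions for the example. The first command ends your session, so log in again before running the rest.

```fortios
# Added example (not from the chapter): CLI form of the Enable VDOMs steps.
# Run as a super_admin account. Changing vdom-mode ends the session;
# log in again before continuing.
config system global
    set vdom-mode multi-vdom
end

# Create the two VDOMs: NAT mode, profile-based NGFW, both enabled.
config vdom
    edit VDOM-A
        config system settings
            set opmode nat
            set ngfw-mode profile-based
        end
    next
    edit VDOM-B
        config system settings
            set opmode nat
            set ngfw-mode profile-based
        end
    next
end

# Interfaces are global objects. A port can only leave root once nothing
# in root refers to it; list the references first with
#   diagnose sys checkused system.interface.name port2
config global
    config system interface
        edit port2
            set vdom VDOM-B
            set mode dhcp
            # management access on port2, as in Table 8.1
            set allowaccess ping https ssh
        next
        edit port3
            set vdom VDOM-A
            set mode dhcp
        next
        edit port4
            set vdom VDOM-A
            set mode static
            set ip 192.168.91.1 255.255.255.0
        next
        edit port5
            set vdom VDOM-B
            set mode static
            set ip 192.168.92.1 255.255.255.0
            set allowaccess ping https ssh
        next
    end
end

# DHCP servers are configured inside the VDOM that owns the interface.
# The address pools below are assumed for this example.
config vdom
    edit VDOM-A
        config system dhcp server
            edit 1
                set interface port4
                set default-gateway 192.168.91.1
                set netmask 255.255.255.0
                set dns-service default
                config ip-range
                    edit 1
                        set start-ip 192.168.91.10
                        set end-ip 192.168.91.100
                    next
                end
            next
        end
    next
    edit VDOM-B
        config system dhcp server
            edit 1
                set interface port5
                set default-gateway 192.168.92.1
                set netmask 255.255.255.0
                set dns-service default
                config ip-range
                    edit 1
                        set start-ip 192.168.92.10
                        set end-ip 192.168.92.100
                    next
                end
            next
        end
    next
end

# Verify the VDOM list and which VDOM now owns each port.
config global
    diagnose sys vd list
    get system interface
end
```

The interface-to-VDOM mapping is the isolation boundary: once port2 and port5 belong to VDOM-B, no policy in VDOM-A can reference them, so a mistake in one company's rule set cannot open a path into the other company's network.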

Creating Administrators for Each VDOM

  1. Go to Global > System > Administrators. Create an administrator for VDOM-A, called vdom-a. Set Type to Local User, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-A. Make sure to remove the root VDOM from the Virtual Domain list.
    Figure 8.9: Administrators for VDOM-A
  2. Go to Global > System > Administrators. Create an administrator for VDOM-B, called vdom-b. Set Type to Local User, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-B. Make sure to remove the root VDOM from the Virtual Domain list.
    Figure 8.10: Administrators for VDOM-B
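The two per-VDOM administrators created above, entered through the CLI, as an added example that is not part of the original chapter. The passwords are placeholders, and the trusted-host restriction on vdom-b is an optional hardening step added here (the 192.168.92.0/24 management network is the port5 subnet from Table 8.1), not something the chapter configures.

```fortios
# Added example (not from the chapter): VDOM-scoped administrators.
# Administrator accounts are global objects, so this runs under config global.
# prof_admin is a VDOM-scope profile: it cannot touch global settings or
# other VDOMs, which is why root is left out of the vdom list.
config global
    config system admin
        edit vdom-a
            set accprofile prof_admin
            set vdom VDOM-A
            # placeholder password; replace before use
            set password "Replace-Me-A1!"
        next
        edit vdom-b
            set accprofile prof_admin
            set vdom VDOM-B
            # placeholder password; replace before use
            set password "Replace-Me-B1!"
            # Optional hardening (assumed address range): only accept logins
            # for this account from the VDOM-B internal management network.
            set trusthost1 192.168.92.0 255.255.255.0
        next
    end
    # Confirm the scope of each account.
    show system admin vdom-a
    show system admin vdom-b
end
```

To check the separation in practice, log in as vdom-a over SSH or HTTPS: the session starts inside VDOM-A, `config global` is not available, and VDOM-B's interfaces, routes and policies are not visible at all.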

Security Policy Setting for VDOM-A

  1. Go to Virtual Domains > VDOM-A > Network > Static Routes. Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to port3, and set Gateway to the IP of the gateway router on the port3 network.
    Figure 8.11: Static route in VDOM-A
  2. Go to Policy & Objects > Firewall Policy. Create a policy to allow internet access. Set Incoming Interface to port4 and Outgoing Interface to port3 (the VDOM-A WAN port; port2 belongs to VDOM-B and is not selectable here). Ensure NAT is turned ON. Set Source Address to all, Destination Address to all, and Service to ALL.
    Figure 8.12: Firewall Policy in VDOM-A
  3. Now, you should be able to reach the internet from WebTerm VDOM-A.
    Figure 8.13: Verify configuration in VDOM-A

Security Policy Setting for VDOM-B

  1. Go to Virtual Domains > VDOM-B > Network > Static Routes. Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to port2, and set Gateway to the IP of the gateway router on the port2 network.
    Figure 8.14: Static route in VDOM-B
  2. Go to Policy & Objects > Firewall Policy. Create a policy to allow internet access. Set Incoming Interface to port5 and Outgoing Interface to port2. Ensure NAT is turned ON. Set Source Address to all, Destination Address to all, and Service to ALL.
    Figure 8.15: Firewall Policy in VDOM-B
  3. Go to Policy & Objects > Traffic Shaping and create a shared traffic shaper named VDOMB, as shown in Figure 8.16:
    Figure 8.16: Create a traffic shaper in VDOM-B
  4. Create a Traffic Shaping Policy with the following configuration:
    • Name: VDOMB
    • Source: All
    • Destination: All
    • Service: All
    • Outgoing Interface: Port2
    • Shared Shaper: VDOMB
    • Reverse Shaper: VDOMB
    Figure 8.17: Traffic Shaping Policy in VDOM-B
  5. Now open the browser in WebTerm-VDOMB, go to Fast.com, and verify that the measured throughput stays within the limit set by the VDOMB shaper.
    Figure 8.18: Verify configuration in VDOM-B
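The routing, firewall policy and traffic-shaping steps for both VDOM-A and VDOM-B, entered through the CLI, as an added example that is not part of the original chapter. The gateway addresses (198.51.100.1 for port3, 203.0.113.1 for port2) and the shaper bandwidths (10 Mbit/s maximum, 2 Mbit/s guaranteed) are placeholders; the chapter's figures hold the real values. Because port3 and port2 are DHCP clients, FortiOS already installs a default route learned from DHCP; the explicit static route mirrors the chapter's steps and takes over if DHCP stops supplying a gateway.

```fortios
# Added example (not from the chapter): CLI form of the policy sections
# for VDOM-A and VDOM-B. Gateways and shaper values are placeholders.
config vdom
    edit VDOM-A
        # Default route out of the VDOM's own WAN port (port3).
        config router static
            edit 1
                set device port3
                set gateway 198.51.100.1
            next
        end
        # LAN (port4) to WAN (port3). Both interfaces must belong to VDOM-A;
        # port2 is owned by VDOM-B and cannot be referenced from here.
        config firewall policy
            edit 1
                set name "VDOM-A-internet"
                set srcintf port4
                set dstintf port3
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
    edit VDOM-B
        config router static
            edit 1
                set device port2
                set gateway 203.0.113.1
            next
        end
        config firewall policy
            edit 1
                set name "VDOM-B-internet"
                set srcintf port5
                set dstintf port2
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
        # Shared shaper: one bandwidth budget for all matching VDOM-B traffic
        # (per-policy disabled). Values in kbit/s; placeholders for the example.
        config firewall shaper traffic-shaper
            edit VDOMB
                set per-policy disable
                set maximum-bandwidth 10000
                set guaranteed-bandwidth 2000
            next
        end
        # Apply the shaper in both directions to traffic leaving via port2.
        # On releases that require a source interface here, add: set srcintf port5
        config firewall shaping-policy
            edit 1
                set name VDOMB
                set srcaddr all
                set dstaddr all
                set service ALL
                set dstintf port2
                set traffic-shaper VDOMB
                set traffic-shaper-reverse VDOMB
            next
        end
        # Verify from inside VDOM-B: default route present, traffic leaves via port2.
        get router info routing-table all
        execute ping 1.1.1.1
    next
end
```

Each `edit <vdom>` block is evaluated entirely inside that VDOM, which is why the same object IDs (policy 1, route 1) can be reused in VDOM-A and VDOM-B without conflict, and why a mis-typed interface from the other VDOM is rejected rather than silently accepted.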

License


FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
