VDOM configuration

This example illustrates how to use virtual domains (VDOMs) to host multiple FortiOS instances on a single FortiGate.

In this example, two companies (called Company A and Company B) use the same FortiGate but have different Internet service providers (ISPs). To provide both companies with network and Internet connectivity, each company has its own VDOM (called VDOM-A and VDOM-B), and the two VDOMs are managed independently.

The root VDOM will be used to manage the FortiGate’s global settings.

1. Switching to VDOM mode and creating two VDOMs

Connect a PC to FortiGate using an Ethernet cable, as described in your model’s QuickStart Guide.

Log in using the admin account (the default admin account has the username admin and no password).


Go to the Dashboard and locate the System Information widget. Find Virtual Domain and select Enable.

You will be required to re-login after enabling virtual domains because the GUI menu options change.


Certain FortiGate models will not show the above option in the System Information widget. For these models, go to the Dashboard and enter the following command in the CLI Console:

config system global
 set vdom-admin enable
end

Enter y when you are asked if you want to continue.

You will be required to re-login to the GUI after enabling virtual domains because the GUI menu options change.

Make sure that Global is selected from the dropdown menu located in the top-left corner. This allows you to make changes to the global configuration.


Go to System > VDOM and create two VDOMs: VDOM-A and VDOM-B.

In this example, the Inspection Mode is set to Proxy for VDOM-A. This allows the VDOM to use both proxy and flow-based security scanning.

The Inspection Mode for VDOM-B is set to Flow-based, so only flow-based security scanning is available.

2. Configuring the root VDOM for FortiGate management

Go to Network > Interfaces. By default, all interfaces are in the root VDOM.

Edit the interface you wish to use to manage the FortiGate (in the example, mgmt). If you wish to use this interface exclusively for FortiGate management, you can enable Dedicated Management Port.

Set Administrative Access to HTTPS, PING, and SSH.

Go to System > Administrators and edit the admin account.

Select Change Password to add a password to this account.

Enable Restrict login to trusted hosts and add the IP/Netmask of the admin PC. This ensures that the admin must log in from the admin PC to be able to manage the FortiGate.


3. Adding interfaces to VDOM-A

In this example, two interfaces will be added to VDOM-A: one for Internet access and one for use by the local network.

If an interface is used in an existing FortiGate configuration, its VDOM assignment cannot be changed. Because some FortiGate models have a default configuration, you may need to delete existing policies and routes in order to add a particular interface.

Go to Network > Interfaces and edit the interface that VDOM-A will use for Internet access (in the example, wan1).

Set Virtual Domain to VDOM-A and Role to WAN.

If your FortiGate is directly connecting to your ISP, set Addressing Mode to Manual and set the IP/Netmask to the public IP address your ISP has provided you with (in the example, 172.20.121.46/255.255.255.0).


If you have some ISP equipment between your FortiGate and the Internet (for example, a router), then wan1 will instead use a private IP assigned by the ISP equipment. If this equipment uses DHCP, set Addressing Mode to DHCP to get an IP assigned to the interface.

If the ISP equipment does not use DHCP, your ISP can provide you with the correct private IP to use for the interface.

Go to Network > Interfaces and edit the interface that will be connected to VDOM-A’s internal network (in the example, port1).

Set Virtual Domain to VDOM-A and Role to LAN.

Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.100.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH.


4. Adding interfaces to VDOM-B

In this example, multiple interfaces will be added to VDOM-B: one for Internet access and four additional interfaces for use by the internal network. These four interfaces will be combined into a hardware switch interface called LAN-B, which the FortiGate treats as a single interface. This example also adds a DHCP server to LAN-B to provide IP addresses for VDOM-B’s internal network.

Go to Network > Interfaces and edit the interface that VDOM-B will use for Internet access (in the example, wan2).

Set Virtual Domain to VDOM-B and Role to WAN. Set an appropriate Addressing Mode and IP/Netmask (in the example, 172.20.120.100/255.255.255.0).


Go to Network > Interfaces and edit a physical interface that will be used by VDOM-B’s internal network (in the example, port5).

Set Virtual Domain to VDOM-B and Role to LAN.

Repeat this process for any other physical interfaces that will be used by VDOM-B (in the example, port6, port7, and port8).


Go to Network > Interfaces and create a new interface to be used by VDOM-B’s internal network, called LAN-B.

Set Type to Hardware Switch and Virtual Domain to VDOM-B. Add VDOM-B’s physical interfaces as Physical Interface Members. Set Role to LAN.

Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.200.1/255.255.255.0), set Administrative Access to HTTPS, PING, and SSH, and enable DHCP Server.


5. Adding administrators to each VDOM

Go to System > Administrators. Create an administrator for VDOM-A, called admin-a.

This administrator will be able to access and configure VDOM-A, without accessing either the root VDOM or VDOM-B. The account will also not be able to affect global settings.

Enter and confirm a Password. Set Type to Local User and Administrator Profile to prof_admin. Remove the root VDOM from the Virtual Domains list, then add VDOM-A.


Create an administrator that can access VDOM-B, called admin-b.

Enter and confirm a Password. Set Type to Local User and Administrator Profile to prof_admin. Remove the root VDOM from the Virtual Domains list, then add VDOM-B.
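Steps 1 to 5 can also be entered from the CLI Console. The following is an added illustration, not part of the original recipe: it enables VDOMs, creates VDOM-A (proxy) and VDOM-B (flow), assigns wan1 and port1 to VDOM-A, restricts the global admin account to a trusted host, and creates the two VDOM-scoped administrators. The admin PC address 192.168.100.10 and the angle-bracket passwords are placeholders; wan2 follows the same pattern as wan1, and the LAN-B hardware switch is omitted because its CLI syntax depends on the FortiGate model.

```fortios
config system global
    set vdom-admin enable
end
config vdom
    edit VDOM-A
        config system settings
            set inspection-mode proxy
        end
    next
    edit VDOM-B
        config system settings
            set inspection-mode flow
        end
    next
end
config global
    config system interface
        # wan2 for VDOM-B is configured the same way with its own address
        edit wan1
            set vdom VDOM-A
            set role wan
            set mode static
            set ip 172.20.121.46 255.255.255.0
        next
        edit port1
            set vdom VDOM-A
            set role lan
            set mode static
            set ip 192.168.100.1 255.255.255.0
            set allowaccess ping https ssh
        next
    end
    config system admin
        # 192.168.100.10 is a placeholder for the admin PC; passwords are placeholders
        edit admin
            set password <new-admin-password>
            set trusthost1 192.168.100.10 255.255.255.255
        next
        edit admin-a
            set accprofile prof_admin
            set vdom VDOM-A
            set password <admin-a-password>
        next
        edit admin-b
            set accprofile prof_admin
            set vdom VDOM-B
            set password <admin-b-password>
        next
    end
end
```

Because admin-a and admin-b are created with only VDOM-A or VDOM-B in their vdom list and the prof_admin profile, neither account can read or change the root VDOM or global settings, which is the separation the GUI steps above produce.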


6. Configuring VDOM-A

Access VDOM-A’s configuration using the dropdown menu and go to Network > Static Routes to add a default route.

Set Destination to Subnet (this destination type accepts a numeric IP address or subnet), Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.


Go to Policy & Objects > IPv4 Policies and create a new policy to allow Internet access for VDOM-A. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet-VDOM-A).

Set Incoming Interface to port1, Outgoing Interface to wan1, Source to all, Destination Address to all, and Service to ALL. Make sure NAT is enabled.

Because this VDOM uses proxy inspection, you can enable a variety of security profiles that use either proxy or flow-based inspection.

For testing purposes, under Logging Options, enable Log Allowed Traffic and select All Sessions.


7. Configuring VDOM-B

Access VDOM-B’s configuration using the dropdown menu and go to Network > Static Routes to add a default route.

Set Destination to Subnet (this destination type accepts a numeric IP address or subnet), Destination IP/Mask to 0.0.0.0/0.0.0.0, the Device to the Internet-facing interface, and the Gateway to the gateway (or default route) provided by your ISP or to the next hop router, depending on your network requirements.


Go to Policy & Objects > IPv4 Policies and create a new policy to allow Internet access for VDOM-B. Give the policy a Name that indicates that the policy will be for traffic to the Internet (in the example, Internet-VDOM-B).

Set Incoming Interface to LAN-B, Outgoing Interface to wan2, Source to all, Destination Address to all, and Service to ALL. Make sure NAT is enabled.

Because this VDOM uses flow-based inspection, you can only enable security profiles that use flow-based inspection.

For testing purposes, under Logging Options, enable Log Allowed Traffic and select All Sessions.
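Steps 6 and 7 as FortiOS CLI, added here as an illustration rather than taken from the original recipe: each VDOM gets its own default route and its own Internet policy with NAT and full session logging, and nothing in one VDOM can reference the other VDOM’s interfaces. The gateway addresses 172.20.121.2 and 172.20.120.2 are placeholders, since the recipe leaves the ISP gateways to the reader.

```fortios
config vdom
    edit VDOM-A
        # gateway 172.20.121.2 is a placeholder for the ISP-provided next hop
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device wan1
                set gateway 172.20.121.2
            next
        end
        config firewall policy
            edit 1
                set name "Internet-VDOM-A"
                set srcintf port1
                set dstintf wan1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
                set logtraffic all
            next
        end
    next
    edit VDOM-B
        # gateway 172.20.120.2 is a placeholder for the second ISP's next hop
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set device wan2
                set gateway 172.20.120.2
            next
        end
        config firewall policy
            edit 1
                set name "Internet-VDOM-B"
                set srcintf LAN-B
                set dstintf wan2
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
                set logtraffic all
            next
        end
    next
end
```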


8. Results

Using a PC located on VDOM-A’s internal network, browse to the IP of the LAN-A interface (in the example, https://192.168.100.1).

Log in to the VDOM using admin-a’s credentials. When the GUI loads, only the options for configuring VDOM-A appear.


Generate Internet traffic for VDOM-A.

Go to FortiView > Policies and select the now view. You can see traffic flowing through the Internet-VDOM-A policy.


Right-click on the policy, then select Drill Down to Details. You can see more information about the traffic.


Log out of the VDOM, then attempt to log in using the global admin’s credentials. You will not be able to log in. Nor can you log in using admin-b’s credentials.


Using a PC located on VDOM-B’s internal network, browse to the IP of the LAN-B interface (in the example, https://192.168.200.1).

Log in to the VDOM using admin-b’s credentials. When the GUI loads, only the options for configuring VDOM-B appear.


Generate Internet traffic for VDOM-B.

Go to FortiView > Policies and select the now view. You can see traffic flowing through the Internet-VDOM-B policy.


Victoria Martin
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Santosh Sharma

    There is no document on inter-VDOM routing, like if I have to communicate these 2 VDOMs with each other.

    • Bruce Davis

      The documentation for Inter-VDOM routing is in the Virtual Domains Handbook/Chapter. The online version can be found at http://help.fortinet.com/fos50hlp/52data/index.htm#FortiOS/fortigate-virtual-domains-52/inter-VDOM.htm. This is for the 5.2 version but the basic premise is the same in 5.4. The quick version is that you go to Global > Network > Interfaces and use the drop-down for Create New. Choose VDOM Link from the drop-down. The links are between interfaces and not VDOMs as a group, so from that point, filling out the rest of the configuration is pretty straightforward.

      • Santosh Sharma

        The document is so messy that I already have. But I want a document neat like your cookbook. In the cookbook you have explained in a way that a child can understand, by giving diagrams step by step. But this book has 41 pages, and only explains one scenario: like create VDOM A and VDOM B, then assign ports, then make inter-VLAN links.

        • Victoria Martin

          I will add inter VDOM routing to the list of potential future Cookbook recipes. If there are any other topics you would like to see a recipe about, you can suggest them by filling out this form: http://fortinetdoc.polldaddy.com/s/cookbook-recipe-suggestions

          • Santosh Sharma

            1 month has completed and still I’m waiting for the requested document.
            Why do you people take this much time?

            I don’t want it now. I have made it myself.

          • Victoria Martin

            Hello Santosh,

            I’m glad you were able to get your inter-VDOM routing set-up. If possible, could you send your document to us, so we can test it and use it to create a recipe? You can email techdoc@fortinet.com.

            Thanks!

      • Santosh Sharma

        If possible, please make one video on inter-VDOM routing.