Fortigate VDOMs


What are Fortigate VDOMs (Virtual Domains)?

Fortigate VDOMs are the counterpart of security contexts on a Cisco ASA: one physical firewall is split into several virtual firewalls, each with its own interfaces, policies, administrators and user groups, so it looks like you have two (or more) separate units. On the ASA you give up some features as soon as you enable multiple-context mode, whereas on a Fortinet firewall enabling VDOMs does not take any feature away. (Isn't that just great?!)

VDOMs features:

1. Have separate routing and firewall services

2. Each physical interface belongs to only one Virtual Domains

3. By Default for the VDOMs to communicate you need an external source(Internet) to allow the communications

4. By Default 10 VDOMs are supported (in NAT or Transparent Modes)

5. The Configuration file of the Fortigate, holds all VDOM configuration. EX: AntiVirus, IPS and System Time
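The steps behind the list above, as an added example that is not part of the original post: enabling VDOM mode, creating a second VDOM and moving an interface into it. The VDOM name "dmz", the interface "port3" and its address are assumptions for illustration, not taken from the page.

```text
# Added example (not from the original post). "dmz", "port3" and
# 10.10.3.1/24 are assumed names and addresses.

# 1. Enable multi-VDOM mode. FortiOS 4.x/5.x use "set vdom-admin enable";
#    FortiOS 6.2 and later use "set vdom-mode multi-vdom" instead. The admin
#    session is closed afterwards and later CLI sessions start at the
#    global/vdom chooser.
config system global
    set vdom-admin enable
end

# 2. Create the VDOM. A new VDOM starts in NAT/route mode with no interfaces.
config vdom
    edit "dmz"
    next
end

# 3. Interfaces are global objects and each belongs to exactly one VDOM.
#    Move port3 from root into dmz (it must not be referenced by any policy
#    or route in root first) and give it an address inside dmz.
config global
    config system interface
        edit "port3"
            set vdom "dmz"
            set ip 10.10.3.1 255.255.255.0
            set allowaccess ping
        next
    end
end

# 4. Verify: list the VDOMs and the interface-to-VDOM mapping.
config global
    diagnose sys vd list
    get system interface physical
end
```

Because the interface carries no admin access (`allowaccess ping` only), administrators still reach the unit through the interfaces that stayed in root; enable https/ssh on a VDOM interface only when that VDOM's administrators are supposed to log in there.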


I. VDOM Resource Limits:

Two limits can be configured for each VDOM, from the global context, for every resource type (sessions, IPsec tunnels, firewall policies, addresses, users and so on):

1. Guaranteed – the minimum amount of a resource that is reserved for this VDOM, so that other VDOMs cannot starve it.

2. Maximum – caps the amount of the resource this VDOM may use. It only ever overrides the global limit downwards, so it must be the same as or lower than the global limit!
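The two limits set for one VDOM, as an added example that is not part of the original post. The VDOM name "dmz" and every number are assumptions; the other resource fields follow the same two-value pattern as `session`.

```text
# Added example (not from the original post). "dmz" and all numbers are
# assumptions for illustration.

config global
    # Global ceilings for the whole unit. 0 means "use the hardware maximum".
    config system resource-limits
        set session 20000
        set firewall-policy 1000
    end

    # Per-VDOM limits take two integers: maximum, then guaranteed.
    # Maximum may not exceed the global limit above, and the guaranteed
    # values of all VDOMs added together may not exceed it either.
    config system vdom-property
        edit "dmz"
            # dmz may hold at most 5000 sessions; 1000 of the global 20000
            # stay reserved for it even when root is under load.
            set session 5000 1000
            set firewall-policy 200 50
        next
    end
end

# Check what was actually applied. Inside vdom-property, "set session ?"
# prints the help text and confirms the argument order for your firmware.
config global
    show full-configuration system vdom-property
end
```

The guaranteed value is the security-relevant one: without it a busy or abused VDOM (a port scan or a session-exhaustion flood on its public interface) can consume the session table and quietly deny service to every other tenant on the same box.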


II. Management VDOM (root)

All traffic that the Fortigate itself originates for management purposes leaves through the management VDOM, which is the root VDOM by default, so that is the VDOM that needs a route to these services. Examples:

1. DNS lookups

2. Logging (to FortiAnalyzer or a syslog server)

3. FortiGuard services (signature updates and rating queries)

4. Alert e-mails and SNMP traps

5. NTP

6. Quarantine of suspicious files
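How the management role and its self-originated traffic fit together, as an added example that is not part of the original post: the role is moved from root to a dedicated VDOM named "mgmt", which then needs a working path to the outside. The VDOM name "mgmt", "port1" and the 192.0.2.x addresses are assumptions.

```text
# Added example (not from the original post). "mgmt", "port1" and the
# 192.0.2.x addresses are assumptions for illustration.

config global
    # DNS is a global setting; the lookups it causes are sent through
    # whichever VDOM currently holds the management role.
    config system dns
        set primary 192.0.2.53
    end
    # Hand the management role to "mgmt" (the VDOM must already exist).
    config system global
        set management-vdom "mgmt"
    end
end

# Self-originated traffic now uses the routing table of "mgmt", so that VDOM
# needs a default route and a policy-free path out (self traffic does not
# need a firewall policy, but it does need a route).
config vdom
    edit "mgmt"
        config router static
            edit 1
                set gateway 192.0.2.1
                set device "port1"
            next
        end
        # Resolve and reach FortiGuard from inside the management VDOM.
        execute ping update.fortiguard.net
    next
end

# Confirm which VDOM holds the role.
config global
    show system global | grep management-vdom
end
```

If the ping fails right after the change, the usual cause is that the default route still lives in root: the management VDOM's own routing table is what matters for updates, logging and alerts from now on.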


III. VDOM Types

There are 3 ways to deploy VDOMs:

1. Independent VDOMs

Several VDOMs that are completely separated from each other; any traffic between them has to leave through an external device and come back in.

[Diagram: independent VDOMs (picture from fortinet.com)]

2. Management VDOM

The root VDOM acts as the management VDOM and the other VDOMs are connected to it through inter-VDOM links, so shared services such as Internet access, logging and updates are provided once, through root. With this layout you do not need a separate administrator account for each VDOM; you manage all of them from the management VDOM.

[Diagram: management VDOM with inter-VDOM links (picture from fortinet.com)]

3. Meshed VDOMs

Here the VDOMs are interconnected directly with inter-VDOM links. This setup gets complex very quickly, and the policies on each link have to be tightened accordingly, because every link is one more path between security zones.

[Diagram: meshed VDOMs (picture from fortinet.com)]
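The management VDOM layout above, built with one inter-VDOM link, as an added example that is not part of the original post. It also shows the restrictive policy pair that the meshed layout would repeat per link. Interface names (port1 in root, port3 in dmz), the 10.255.0.0/30 link addresses, the 10.10.3.0/24 dmz network and the DNS/NTP-only policy are assumptions.

```text
# Added example (not from the original post). VDOM "dmz", port1/port3,
# 10.255.0.0/30, 10.10.3.0/24 and the service choice are assumptions.

config global
    # Creating vdom-link "vl_dmz" produces two interfaces, vl_dmz0 and
    # vl_dmz1; each end is then assigned to one of the two VDOMs.
    config system vdom-link
        edit "vl_dmz"
            set type ethernet
        next
    end
    config system interface
        edit "vl_dmz0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vl_dmz1"
            set vdom "dmz"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# The link is just another interface pair: nothing crosses it until each
# VDOM has a route and a firewall policy for it.
config vdom
    edit "dmz"
        # Send everything dmz does not know about towards root.
        config router static
            edit 1
                set gateway 10.255.0.1
                set device "vl_dmz1"
            next
        end
        # Only DNS and NTP from the dmz LAN may enter the link.
        config firewall policy
            edit 1
                set srcintf "port3"
                set dstintf "vl_dmz1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "DNS" "NTP"
            next
        end
    next
    edit "root"
        # Root must explicitly accept the same traffic on its end of the
        # link and know the way back to the dmz network.
        config router static
            edit 2
                set dst 10.10.3.0 255.255.255.0
                set gateway 10.255.0.2
                set device "vl_dmz0"
            next
        end
        config firewall policy
            edit 10
                set srcintf "vl_dmz0"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "DNS" "NTP"
            next
        end
    next
end
```

Both VDOMs enforce their own policy on the link, so a mistake on one side (an `ALL` service, or `srcaddr all` towards an internal network in root) is caught by the other side. In a meshed design this pair of policies exists for every link, which is exactly why that layout becomes hard to audit.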

IV. SSL VPN with VDOMs

Each VDOM automatically gets its own SSL VPN tunnel interface, named ssl.<vdom name> (ssl.root for the root VDOM), so SSL VPN portals and policies are configured independently per VDOM.


Picture source: fortinet.com


4 Responses to “Fortigate VDOMs”

  1. anjanesh babu says:

    Good insight, esp. the comparison to Cisco. Fortigate tends to outstrip ASA by way of performance and ease of use.
    BTW, the inter-VDOM links are only possible between NAT-routed VDOMs.

  2. Pandu Poluan says:

    Nice summary of what VDOMs are! Thanks for writing this article.

    My current employer has a Fortigate 800C for IPS, and when I opened its web admin, the presence of VDOMs threw me for a loop there. Yeah, Fortinet's documentation does explain VDOMs, but the explanations are so complex and convoluted that I had a hard time trying to understand what it's supposed to mean.

    Well done!

  3. Kathiravan says:

    Great, I have understood exactly.
