VDOM configuration
Source: https://cookbook.fortinet.com/vdom-configuration/

This example illustrates how to use VDOMs to host two FortiOS instances on a single FortiGate unit.
Virtual Domains (VDOMs) can be used to divide a single FortiGate unit into two or more virtual instances of FortiOS that function as independent FortiGate units. This example simulates an ISP that provides Company A and Company B with distinct Internet services. Each company has its own VDOM, IP address, and internal network.

1. Switching to VDOM mode and creating two VDOMs

Go to System > Dashboard > Status. In the System Information widget, find Virtual Domain and select Enable.

Certain FortiGate models will not show the Virtual Domain option in the System Information widget. To enable Virtual Domains on these models, the following CLI command is required:

    config system global
        set vdom-admin enable
    end

Enter y when you are asked if you want to continue.

After enabling Virtual Domains by either method, you will be required to log in again because the GUI menu options change.

Go to Global > VDOM > VDOM. Create two VDOMs: VDOM-A and VDOM-B. Leave both VDOMs as Enabled, with Operation Mode set to NAT. Note: In version 5.2.3, there is no option to enable the VDOMs, because they are enabled automatically.

2. Assigning interfaces to each VDOM

Go to Global > Network > Interfaces. Edit internal1 and add it to VDOM-A. Set Addressing Mode to Manual and assign an IP/Network Mask to the interface (in the example, 192.168.91.1/255.255.255.0).

Edit internal2 and add it to VDOM-A. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.92.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.

Edit internal3 and add it to VDOM-B. Set Addressing Mode to Manual and assign an IP/Network Mask to the interface (in the example, 192.168.93.1/255.255.255.0).

Edit internal4 and add it to VDOM-B. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.94.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.

3. Creating administrators for each VDOM

Go to Global > Admin > Administrators. Create an administrator for VDOM-A, called a-admin. Set Type to Regular, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-A. Make sure to remove the root VDOM from the Virtual Domain list.

Create an administrator for VDOM-B, called b-admin. Set Type to Regular, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-B. Make sure to remove the root VDOM from the Virtual Domain list.
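
A check for the root-VDOM removal in step 3, as an added example that is not part of the original recipe: it parses the `config system admin` section of a configuration backup and reports any tenant administrator whose Virtual Domain list is not exactly its own VDOM. The sample text is constructed, c-admin is a hypothetical misconfigured account, and the function names are this example's own.

```python
import re

# Constructed sample in the style of a FortiOS backup; c-admin is hypothetical.
SAMPLE_CONFIG = '''
config system admin
    edit "a-admin"
        set vdom "VDOM-A"
        config dashboard
            edit 1
                set column 1
            next
        end
    next
    edit "b-admin"
        set vdom "VDOM-B"
    next
    edit "c-admin"
        set vdom "root" "VDOM-A"
    next
end
'''

def parse_admins(config_text):
    """Return {admin name: {setting: [values]}} from the 'config system admin' table."""
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = 1 if line == "config system admin" else 0
        elif line.startswith("config "):
            depth += 1  # nested table inside an admin entry; its lines are skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip('" ')
            admins[current] = {}
        elif depth == 1 and current and line.startswith("set "):
            tokens = re.findall(r'"[^"]*"|\S+', line[4:])
            admins[current][tokens[0]] = [t.strip('"') for t in tokens[1:]]
    return admins

def audit_admin_scope(config_text, expected):
    """Return (admin, actual vdom list) for every admin not scoped to exactly its VDOM."""
    findings = []
    admins = parse_admins(config_text)
    for name, vdom in sorted(expected.items()):
        actual = admins.get(name, {}).get("vdom")  # None: account or setting missing
        if actual != [vdom]:
            findings.append((name, actual))
    return findings
```

Calling `audit_admin_scope(SAMPLE_CONFIG, {"a-admin": "VDOM-A", "b-admin": "VDOM-B", "c-admin": "VDOM-A"})` reports only c-admin, which still lists root alongside VDOM-A.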

4. Creating a basic configuration for VDOM-A

Go to Virtual Domains > VDOM-A > System > Network > Routing to access the Static Routes options. (Note: In FortiOS 5.2.4 and up the path is Virtual Domains > VDOM-A > Router > Static > Static Routes.) Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to internal1, and set Gateway to the IP of the gateway router.

Connect a PC to port 2. Using HTTPS, browse to the IP set for internal2 and log into VDOM-A using the a-admin account (in the example, https://192.168.92.1). Go to Policy & Objects > Policy > IPv4. Create a policy to allow Internet access. Set Incoming Interface to internal2 and Outgoing Interface to internal1. Ensure NAT is turned ON. Set Source Address to all, Destination Address to all, and Service to ALL.

5. Creating a basic configuration for VDOM-B

Go to Virtual Domains > VDOM-B > System > Network > Routing to access the Static Routes options. (Note: In FortiOS 5.2.4 and up the path is Virtual Domains > VDOM-B > Router > Static > Static Routes.) Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to internal3, and set Gateway to the IP of the gateway router.

Connect a PC to port 4. Using HTTPS, browse to the IP set for internal4 and log into VDOM-B using the b-admin account (in the example, https://192.168.94.1). Go to Policy & Objects > Policy > IPv4. Create a policy to allow Internet access. Set Incoming Interface to internal4 and Outgoing Interface to internal3. Ensure NAT is turned ON. Set Source Address to all, Destination Address to all, and Service to ALL.

6. Connecting the gateway router

Connect port 1 and port 3 of the FortiGate unit to the gateway router to allow Internet traffic to flow.

7. Results

Connect to the Internet from the Company A and Company B networks and then log into the FortiGate unit. Go to Virtual Domains and select VDOM-A. Go to Policy & Objects > Monitor > Policy Monitor to view the sessions being processed on VDOM-A.

Go to Virtual Domains and select VDOM-B. Go to Policy & Objects > Monitor > Policy Monitor to view the sessions being processed on VDOM-B.

For further reading, check out Virtual Domains in the FortiOS 5.2 Handbook.