Vdom Configuration Settings - Fortinet FortiGate Series Administration Manual

Virtual domains

VDOM configuration settings

160
Continued security maintenance
When a packet enters a VDOM, it is confined to that VDOM. Within a VDOM, you can create
firewall policies for connections between VLAN subinterfaces or zones in the VDOM.
Packets do not cross the virtual domain border internally. To travel between VDOMs, a
packet must pass through a firewall on a physical interface. The packet then arrives at
another VDOM on a different interface, but it must pass through another firewall before
entering that VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOM links change
this behavior in that they are internal interfaces; however, their packets go through all the
same security measures as on physical interfaces.
Without VDOMs, administrators can easily access settings across the entire FortiGate
unit. This can lead to security issues or far-reaching configuration errors. With VDOMs,
however, administrator permissions are specific to one VDOM. An admin on one VDOM
cannot change information on another VDOM. Any configuration changes, and potential
errors, apply only to that VDOM, which limits potential downtime.
The remainder of the FortiGate unit's functionality is global—it applies to all VDOMs on
the unit. This means there is one intrusion prevention configuration, one antivirus
configuration, one web filter configuration, one protection profile configuration, and so on.
VDOMs also share firmware versions, as well as antivirus and attack databases. The
operating mode, NAT/Route or Transparent, can be selected independently for each
VDOM. For a complete list of shared configuration settings, see "Global configuration
settings" on page 163.
Savings in physical space and power
Increasing VDOMs involves no extra hardware, no shipping, and very few changes to
existing networking. They take no extra physical space—you are limited only by the size of
the license you buy for your VDOMs.
By default, most FortiGate units support a maximum of 10 VDOMs in any combination of
NAT/Route and Transparent modes. For high-end FortiGate models, you can purchase a
license key to increase the maximum number of VDOMs to 25, 50, 100 or 250. For more
information, see "VDOM licenses" on page 165.
Note: During configuration on a FortiAnalyzer unit, VDOMs count toward the maximum
number of FortiGate units allowed by the FortiAnalyzer unit's license. The total number of
devices registered can be seen on the FortiAnalyzer unit's System Status page under
License Information.
If virtual domain configuration is enabled and you log in as the default super_admin, you
can go to System > Status and look at Virtual Domain in the License Information section to
see the maximum number of virtual domains supported on your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
To configure and use VDOMs, you must enable virtual domain configuration. For more
information, see "Enabling VDOMs" on page 164.
You can configure a VDOM by adding VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings. You can also move physical interfaces from the root
VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For
more information on VLANs, see the FortiGate VLANs and VDOMs Guide.
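The steps this section describes (enabling virtual domain configuration, creating a VDOM with its own operating mode, moving a physical interface out of root, scoping an administrator to one VDOM, and forcing inter-VDOM traffic through a firewall policy) as one CLI session. This is an added example, not configuration from the guide or from Fortinet: the VDOM name vdom_a, the interface port3, the administrator vdom_a_admin and the inter-VDOM link vlink are constructed placeholders, and the command syntax follows the FortiOS 4.0 generation this guide covers (later releases rename some commands, for example vdom-admin became vdom-mode, so check the CLI reference for the release in use).

```text
# Added example, not from the FortiGate Administration Guide.
# Names (vdom_a, port3, vdom_a_admin, vlink) are constructed placeholders.

# 1. Enable virtual domain configuration. This is a global setting and
#    is done once, by the default super_admin account.
config system global
    set vdom-admin enable
end

# 2. Create the VDOM. The operating mode is a per-VDOM setting, so one
#    VDOM can run NAT/Route while another runs Transparent.
config vdom
    edit vdom_a
        config system settings
            set opmode nat
        end
    next
end

# 3. Move a physical interface from the root VDOM into vdom_a. Once VDOMs
#    are enabled, interface and admin objects live under "config global".
config global
    config system interface
        edit port3
            set vdom vdom_a
        next
    end

# 4. Scope an administrator to vdom_a only. This account cannot view or
#    change any other VDOM, so a mistake (or a stolen credential) is
#    contained to vdom_a rather than the whole unit.
    config system admin
        edit vdom_a_admin
            set vdom vdom_a
            set accprofile prof_admin
            set password <choose-a-strong-password>
        next
    end

# 5. Create an inter-VDOM link. FortiOS creates two internal interfaces,
#    vlink0 and vlink1, one end for each VDOM; assign the vdom_a end here
#    (the other end is assigned to the peer VDOM the same way).
    config system vdom-link
        edit vlink
        next
    end
    config system interface
        edit vlink0
            set vdom vdom_a
        next
    end
end

# 6. Even over the internal link, nothing crosses the VDOM border without
#    matching a firewall policy inside the VDOM. Without this policy the
#    traffic from port3 towards the link is dropped; the peer VDOM needs
#    its own policy before accepting what arrives on vlink1.
config vdom
    edit vdom_a
        config firewall policy
            edit 1
                set srcintf port3
                set dstintf vlink0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ANY
            next
        end
    next
end
```

The point to verify after applying this is the containment in step 4: log in as vdom_a_admin and confirm that only vdom_a and its objects are visible, and that global settings (the shared antivirus, IPS and web filter configuration named above) are read-only or absent from that session. If the account can reach root or another VDOM, the admin was created without `set vdom`, which is the default and is exactly the cross-unit access this section warns about.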
FortiGate Version 4.0 MR1 Administration Guide
http://docs.fortinet.com/
Using virtual domains
01-410-89802-20090903