Appendix A: Virtual domains
This appendix describes CLI commands when you use the virtual domains feature. It includes the following topics:
- Overview
- Enabling the Virtual Domain feature and selecting the Virtual Domain Mode
- Creating virtual domains
- Editing a virtual domain
- Assigning interfaces to a virtual domain
- Assigning administrators to a virtual domain
- Disabling virtual domains
- Viewing virtual domains
Overview
A Virtual Domain (VDOM) is a complete FortiADC instance that runs on the FortiADC platform. VDOM configuration objects contain all of the system and feature configuration options of a full FortiADC instance and can be used to divide a FortiADC into two or more virtual units that function independently, allowing it to support multi-tenant deployments.
The VDOM feature supports two Virtual Domain Modes: VDOMs can function independently, each with its own networking, or as administrative domains (ADOMs) with shared networking between all ADOMs. When the VDOM is in the Independent Network mode, you can provision an administrator account with privileges to access and manage only their assigned VDOM. The VDOM user can then configure their VDOM as desired, untethered from other VDOMs. Alternatively, when the VDOM is in Share Network mode, it functions as an ADOM that shares the same network interfaces and routing with all the other ADOMs. The ADOM functionality enables the administrator to constrain access privileges to a subset of server load-balancing servers by defaulting all interface settings to the root ADOM.
The Virtual Domains feature is not enabled by default and requires an administrator with "super admin" or "global admin" access to enable. The admin account holder (also known as the "super admin") can enable and configure all VDOMs and provision accounts with "global admin" access that grants administrators permissions to enable and configure VDOMs as well. The super admin and global admin have unrestricted access to all virtual domains that have been created on the system and can provision administrator accounts to access their assigned domains.
After the Virtual Domain feature is enabled, virtual domain administrators can enter their assigned VDOM/ADOM and see a subset of the typical menus or CLI commands appear, allowing access to only the feature configurations, logs and reports specific to their VDOM/ADOM. Unlike super admin and global admin users, VDOM/ADOM administrators do not have access to global settings.
Differences between super admin/global admin and VDOM/ADOM administrators when virtual domains are enabled:

| | Super admin or global admin user | VDOM/ADOM administrators |
|---|---|---|
| Access to global settings | Yes | No |
| Can create administrator accounts | Yes — administrator accounts can be assigned to access other virtual domains on the system. | Yes — administrator accounts can only be assigned access to the VDOM/ADOM administrator's own virtual domain. |
| Can create and access all VDOMs/ADOMs | Yes | No |
GUI and CLI functional availability for administrators of VDOM, root ADOM, and non-root ADOM
For administrators provisioned to access only their assigned virtual domains, the GUI and CLI functions available to them depend on their Virtual Domain Mode and on whether their virtual domain is root or non-root. Administrators of VDOMs in the Independent Network mode have full unrestricted access to all configurations within their own VDOM; because these VDOMs function independently within their own network, modifications can be made without affecting other VDOMs on the system. In contrast, administrators of ADOMs (VDOMs in Share Network mode) do not have full access to all configurations, because all ADOMs share the same network interfaces and routing as the root ADOM. As a result, administrators of non-root ADOMs have restricted, partial, or no access to GUI and CLI functions relating to networking.
The following table lists the difference in CLI function availability between root and non-root ADOM administrators.
| Configuration | Object | Root ADOM | Non-root ADOM |
|---|---|---|---|
| config system | interface | set vdom is not available since interface settings are automatically defaulted to the root ADOM. | Read-only access for interface settings. Data pulled from root ADOM. |
| config link-load-balance | flow-policy | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config link-load-balance | gateway | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config link-load-balance | link-group | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config link-load-balance | persistence | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config link-load-balance | proximity-route | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config link-load-balance | virtual-tunnel | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | access-list | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | access-list6 | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | bgp | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | isp | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | md5-ospf | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | ospf | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | policy | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | prefix-list | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | prefix-list6 | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | setting | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | static | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config firewall | connlimit | Read-write access. | Not available. |
| config firewall | connlimit6 | Read-write access. | Not available. |
| config firewall | nat-snat | Read-write access. | Not available. |
| config firewall | policy | Read-write access. | Not available. |
| config firewall | policy6 | Read-write access. | Not available. |
| config firewall | qos-filter | Read-write access. | Not available. |
| config firewall | qos-filter6 | Read-write access. | Not available. |
| config firewall | qos-queue | Read-write access. | Not available. |
| config firewall | vip | Read-write access. | Not available. |
| config security dos | dos-protection-profile | Read-write access. | Read-write access. |
| config security dos | http-access-limit | Read-write access. | Read-write access. |
| config security dos | http-connection-flood-protection | Read-write access. | Read-write access. |
| config security dos | http-request-flood-protection | Read-write access. | Read-write access. |
| config security dos | ip-fragmentation-protection | Read-write access. | Not available. |
| config security dos | tcp-access-flood-protection | Read-write access. | Read-write access. |
| config security dos | tcp-slowdata-attack-protection | Read-write access. | Read-write access. |
| config security dos | tcp-synflood-protection | Read-write access. | Not available. |
| config global-dns-server | address-group | Read-write access. | Not available. |
| config global-dns-server | dns64 | Read-write access. | Not available. |
| config global-dns-server | dsset-info-list | Read-write access. | Not available. |
| config global-dns-server | general | Read-write access. | Not available. |
| config global-dns-server | policy | Read-write access. | Not available. |
| config global-dns-server | remote-dns-server | Read-write access. | Not available. |
| config global-dns-server | response-rate-limit | Read-write access. | Not available. |
| config global-dns-server | trust-anchor-key | Read-write access. | Not available. |
| config global-dns-server | zone | Read-write access. | Not available. |
| config global-load-balance | analytic | Read-write access. | Not available. |
| config global-load-balance | data-center | Read-write access. | Not available. |
| config global-load-balance | host | Read-write access. | Not available. |
| config global-load-balance | link | Read-write access. | Not available. |
| config global-load-balance | servers | Read-write access. | Not available. |
| config global-load-balance | setting | Read-write access. | Not available. |
| config global-load-balance | topology | Read-write access. | Not available. |
| config global-load-balance | virtual-server-pool | Read-write access. | Not available. |
Enabling the Virtual Domain feature and selecting the Virtual Domain Mode
Before you begin:
- Save a backup of the configuration. Enabling VDOMs changes the structure of your configuration, so you want to be able to easily revert to the system state before VDOMs were enabled.
To enable the Virtual Domain feature and select the Virtual Domain Mode:
1. Log in as the admin administrator or global administrator. Other administrators do not have permissions to configure VDOMs.
2. Use the following command:
config system global
set vdom-admin {enable|disable}
set vdom-mode {independent-network|share-network}
end

| Setting | Description |
|---|---|
| vdom-admin | Enable the Virtual Domain feature. |
| vdom-mode | Select either of the following virtual domain modes: independent-network — each VDOM functions independently within its own network, unaffected by activity from other VDOMs on the system; share-network — VDOMs function as administrative domains (ADOMs), sharing the same network interface and routing between all ADOMs. |

3. FortiADC terminates your administrative session; log in again.
When VDOMs are enabled and you log in as admin or global admin, the top level of the shell changes: the two top-level items are config global and config vdom. config global contains settings that only admin or other accounts with the prof_admin access profile can change. config vdom contains each VDOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; VDOM administrators' navigation menus continue to appear similarly to when VDOMs are disabled, except that global settings such as network interfaces and HA do not appear.
Creating virtual domains
Some settings can only be configured by the admin administrator or global administrator; they are global. Global settings apply to the appliance overall regardless of VDOM, such as:
- network interfaces
- system time
- backups
- administrator accounts
- access profiles
- FortiGuard connectivity settings
- HA and configuration sync
- SNMP
- X.509 certificates
- TCP SYN flood anti-DoS setting
- exec ping and other global operations that exist only in the CLI
Other settings can be configured separately for each VDOM. They essentially define each VDOM. For example, the policies of VDOM-A are separate from those of VDOM-B.
Initially, only the root VDOM exists, and it contains settings such as policies that were global before VDOMs were enabled. Typically, you will create additional VDOMs, and few if any administrators will be assigned to the root VDOM. After VDOMs are created, the admin account or global admin usually assigns other administrator accounts to configure their VDOM-specific settings. However, as the root account, the admin administrator does have permission to configure all settings, including those within VDOMs.
To create a VDOM:
1. Log in with the admin account. Other administrators do not have permissions to configure VDOMs.
2. Enter the following commands, where <VDOM_name> is the name of your new VDOM (alternatively, to configure the default root VDOM, type root):
config vdom
edit <VDOM_name>
The new VDOM exists, but its settings are not yet configured.
Editing a virtual domain
For virtual domains in Independent Network mode, FortiADC allows you to create and impose custom policies or restrictions on each virtual domain you have added. You can modify the dynamic and static parameters of each VDOM by following the instructions below. Dynamic parameters determine how much of a dynamic resource, such as connections per second, a VDOM can use. Static parameters determine how much of a static resource, such as real servers, a VDOM can use.
To edit a virtual domain:
1. Enable VDOMs (see Enabling the Virtual Domain feature and selecting the Virtual Domain Mode).
2. Execute the following commands. A value of 0 means the parameter has no limit.
config global
config system vdom
edit <VDOM_name>
L4CPS : 0
L7CPS : 0
L7RPS : 0
SSLCPS : 0
SSLTHROUGHPUT : 0
CONCURRENTSESSION : 0
virtualserver : 0
realserver : 0
healthcheck : 0
sourcepool : 0
errorpage : 0
localuser : 0
usergroup : 0
INBOUND : 0
OUTBOUND : 0
Dynamic parameters

| Parameter | Description |
|---|---|
| L4CPS | The number of layer 4 connections created per second. When the creation rate exceeds this value, only this number of connections is created per second; the rest are dropped. |
| L7CPS | The number of layer 7 TCP connections created by the httproxy frontend per second. When the creation rate exceeds this value, only this number of connections is created per second. Additional TCP SYN requests are dropped on the client side. |
| L7RPS | The number of HTTP GET requests handled by the httproxy from the client side per second. When the number of requests per second exceeds this value, only this number of requests is handled. Additional HTTP GET requests are dropped. |
| SSLCPS | The number of SSL connections created by the httproxy frontend per second. When the creation rate of new SSL connections exceeds this value, only this number of connections is created per second. Additional connections are not allowed and additional SYN packets are dropped during that second. |
| SSLTHROUGHPUT | The volume of SSL-encrypted TCP traffic on both the incoming and outgoing side. When the traffic throughput exceeds this value, additional packets from the client are dropped and new connections are not allowed. |
| CONCURRENTSESSION | The total number of living connections for ADC traffic. Living connections include L4, L7, and L7 SSL. When the number of living connections exceeds this number, additional connections are not allowed. |
| INBOUND | The maximum volume of inbound traffic allowed. Only L4 and L7 SLB TCP traffic is counted. |
| OUTBOUND | The maximum volume of outbound traffic allowed. Only L4 and L7 SLB TCP traffic is counted. |
Static parameters

| Parameter | Description |
|---|---|
| virtualserver | The maximum number of virtual servers that can be configured using "config load-balance virtual-server" in the chosen VDOM. |
| realserver | The maximum number of real servers that can be configured using "config load-balance real-server" in the chosen VDOM. |
| healthcheck | The maximum number of health check members that can be configured using "config system health-check" in the chosen VDOM. |
| sourcepool | The maximum number of IP pools that can be configured using "config load-balance ippool" in the chosen VDOM. |
| errorpage | The maximum number of error page files that can be configured using "config load-balance error-page" in the chosen VDOM. |
| localuser | The maximum number of local users that can be configured using "config user local" in the chosen VDOM. |
| usergroup | The maximum number of user groups that can be configured using "config user user-group" in the chosen VDOM. |
Assigning interfaces to a virtual domain
For virtual domains in Independent Network mode, you need to assign network interfaces to the virtual domain. If the Virtual Domain Mode is Share Network (ADOM mode), all network interface settings are defaulted to the root settings, so assigning network interfaces is unnecessary.
The following commands assign a network interface to a VDOM:
FortiADC-VM # config global
FortiADC-VM (global) # config system interface
FortiADC-VM (interface) # edit port10
FortiADC-VM (port10) # set vdom docs-vdom
FortiADC-VM (port10) # end
Changing interface(port10) vdom from root(1) to docs-vdom(233):
change vdom success.
Assigning administrators to a virtual domain
The following commands create an administrator account and assign the administrator to a VDOM or ADOM:
FortiADC-VM # config global
FortiADC-VM (global) # config system admin
FortiADC-VM (admin) # edit docs-vdom-admin
Add new entry 'docs-vdom-admin' for node 78
FortiADC-VM (docs-vdom-admin) # set access-profile admin_prof
FortiADC-VM (docs-vdom-admin) # set vdom docs-vdom
FortiADC-VM (docs-vdom-admin) # end
Disabling virtual domains
You may need to disable virtual domains in certain scenarios, such as switching to a different Virtual Domain Mode.
Before you begin:
- Save a backup of the configuration. Disabling virtual domains changes the structure of your configuration and deletes most virtual domain related settings. It keeps settings from the root VDOM or ADOM only.
To disable virtual domains:
1. Assign interfaces to the root VDOM. For example:
FortiADC-VM # config global
FortiADC-VM (global) # config system interface
FortiADC-VM (interface) # edit port10
FortiADC-VM (port10) # set vdom root
FortiADC-VM (port10) # end
Changing interface(port10) vdom from docs-vdom(233) to root(1):
change vdom success.
2. Assign admin accounts to the root VDOM or delete them. For example:
FortiADC-VM (global) # config system admin
FortiADC-VM (admin) # delete docs-vdom-admin
FortiADC-VM (admin) # end
3. Delete non-root VDOMs:
FortiADC-VM # config vdom
FortiADC-VM (vdom) # delete docs-vdom
FortiADC-VM (vdom) # end
4. Disable VDOMs:
FortiADC-VM # config global
FortiADC-VM (global) # config system global
FortiADC-VM (global) # set vdom-admin disable
FortiADC-VM (global) # end
The system disables VDOMs and terminates your administrative session.
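The four steps above must run in order: an interface or admin account that still points at a non-root VDOM has to be moved to root (or deleted) before that VDOM can be deleted, and every non-root VDOM has to be gone before vdom-admin is disabled, because only the root VDOM's settings survive. The following script, an added example that is not part of the FortiADC documentation, takes an inventory of which interfaces and admins reference which VDOMs, reports what still blocks the procedure, and emits the CLI lines in the required order using only the command forms shown on this page. The inventory is constructed from the page's example names, nothing is sent to a device, and the explicit "end" that leaves config global before "config vdom" is an assumption about the shell structure.

```python
"""Build the ordered CLI steps for disabling VDOMs from an inventory of what references them.

Added example, not part of the FortiADC documentation. It emits only the command
forms shown on this page (set vdom root on an interface or admin, delete on an
admin or VDOM, set vdom-admin disable); nothing is sent to a device, and the
inventory below is constructed using the page's example names.
"""
from dataclasses import dataclass
from typing import Dict, List

ROOT = "root"


@dataclass
class VdomInventory:
    vdoms: List[str]                # every VDOM on the system, root included
    interface_vdom: Dict[str, str]  # interface name -> VDOM it is assigned to
    admin_vdom: Dict[str, str]      # admin account -> VDOM it is assigned to


def non_root_references(inv: VdomInventory) -> Dict[str, List[str]]:
    """Interfaces and admins still pointing at a non-root VDOM.

    Everything listed here must be moved to root (or, for admins, deleted) first:
    disabling VDOMs keeps root settings only, so anything left behind is lost.
    """
    return {
        "interfaces": sorted(i for i, v in inv.interface_vdom.items() if v != ROOT),
        "admins": sorted(a for a, v in inv.admin_vdom.items() if v != ROOT),
    }


def plan_disable_vdoms(inv: VdomInventory, delete_admins: bool = False) -> List[str]:
    """CLI lines, in the order the procedure requires, to go from `inv` to VDOMs disabled."""
    referenced = set(inv.interface_vdom.values()) | set(inv.admin_vdom.values())
    unknown = referenced - set(inv.vdoms)
    if unknown:
        raise ValueError(f"references to VDOMs not in inventory: {sorted(unknown)}")

    refs = non_root_references(inv)
    global_block: List[str] = []
    # Step 1: return every interface to the root VDOM.
    for iface in refs["interfaces"]:
        global_block += ["config system interface", f"edit {iface}", "set vdom root", "end"]
    # Step 2: move admin accounts to root, or delete them.
    for admin in refs["admins"]:
        if delete_admins:
            global_block += ["config system admin", f"delete {admin}", "end"]
        else:
            global_block += ["config system admin", f"edit {admin}", "set vdom root", "end"]

    lines: List[str] = []
    if global_block:
        # Assumption: an explicit "end" returns from config global to the top
        # level, where config vdom lives.
        lines += ["config global", *global_block, "end"]
    # Step 3: delete non-root VDOMs, now that nothing references them.
    for vdom in inv.vdoms:
        if vdom != ROOT:
            lines += ["config vdom", f"delete {vdom}", "end"]
    # Step 4: disable the feature; the device terminates the session after this.
    lines += ["config global", "config system global", "set vdom-admin disable", "end"]
    return lines


# Constructed inventory using the page's example names.
EXAMPLE_INVENTORY = VdomInventory(
    vdoms=[ROOT, "docs-vdom"],
    interface_vdom={"port1": ROOT, "port10": "docs-vdom"},
    admin_vdom={"docs-vdom-admin": "docs-vdom"},
)

if __name__ == "__main__":
    print("\n".join(plan_disable_vdoms(EXAMPLE_INVENTORY, delete_admins=True)))
```

Run `non_root_references` first to see what would be lost; the plan is only as good as the inventory, so the interface and admin assignments should come from the device (for example from the config backup taken before you begin), not from memory.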
Viewing virtual domains
Use the following command to show the usage and settings for all VDOMs or ADOMs on the system:
get system vdom-status
The following example shows the system with two VDOMs set.
FortiADC-300D # get system vdom-status
root:
l4cps: 4.87/-
l7cps: 90.2/-
l7rps: 0.0/-
SSLcps: 3.7/-
SSLThroughput(KB/S): 1550.0/-
ConcurrentSession: 47.0/-
Inbound(KB/S): 255.6/-
Outbound(KB/S): 104669.0/-
VirtualServer: 21/-
RealServer: 33/33
Health Check: 5/-
Source Pool: 0/-
Error-Page: 1/-
LocalUser: 0/-
UserGroup: 2/-
vdom1:
l4cps: 0.0/-
l7cps: 0.0/-
l7rps: 0.0/-
SSLcps: 0.0/-
SSLThroughput(KB/S): 0.0/-
ConcurrentSession: 0.0/-
Inbound(KB/S): 0.0/-
Outbound(KB/S): 0.0/-
VirtualServer: 0/-
RealServer: 0/-
Health Check: 4/-
Source Pool: 0/-
Error-Page: 0/-
LocalUser: 0/-
UserGroup: 0/-
The first number represents the current usage. The second number represents the limit set. A dashed line means no limit has been set.
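The usage/limit pairs above are easy to read for two VDOMs but not for a larger multi-tenant box, and a tenant VDOM that has no limits set on its dynamic parameters can consume capacity shared with the others. The following parser, an added example that is not part of the FortiADC documentation, reads `get system vdom-status` output in the format shown above, treats "-" as no limit, and reports every VDOM metric at or above a chosen fraction of its limit as well as the metrics a VDOM leaves unlimited. The transcript it runs on is constructed in the same shape as the page's sample, with made-up numbers.

```python
"""Parse `get system vdom-status` output and flag VDOMs that are near or at a limit.

Added example, not part of the FortiADC documentation: the transcript below is
constructed in the same shape as the page's sample, with made-up numbers.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample transcript (not captured from a real device).
SAMPLE_OUTPUT = """\
FortiADC-300D # get system vdom-status
root:
    l4cps: 4.87/-
    l7cps: 90.2/-
    l7rps: 0.0/-
    SSLcps: 3.7/-
    SSLThroughput(KB/S): 1550.0/-
    ConcurrentSession: 47.0/-
    Inbound(KB/S): 255.6/-
    Outbound(KB/S): 104669.0/-
    VirtualServer: 21/-
    RealServer: 33/33
    Health Check: 5/-
    Source Pool: 0/-
    Error-Page: 1/-
    LocalUser: 0/-
    UserGroup: 2/-
vdom1:
    l4cps: 950.0/1000
    l7cps: 0.0/-
    VirtualServer: 9/10
    RealServer: 0/-
"""


@dataclass
class Metric:
    usage: float
    limit: Optional[float]  # None when the device prints "-" (no limit configured)

    @property
    def utilisation(self) -> Optional[float]:
        """Fraction of the limit in use; None when no limit is set."""
        if not self.limit:
            return None
        return self.usage / self.limit


# "vdom1:" on its own line opens a VDOM section.
_VDOM_HEADER = re.compile(r"^(?P<name>\S+):\s*$")
# "  RealServer: 33/33" or "  l4cps: 4.87/-": <usage>/<limit>, with "-" for no limit.
_METRIC_LINE = re.compile(
    r"^\s*(?P<key>[^:]+?):\s*(?P<usage>\d+(?:\.\d+)?)/(?P<limit>\d+(?:\.\d+)?|-)\s*$"
)


def parse_vdom_status(text: str) -> Dict[str, Dict[str, Metric]]:
    """Map each VDOM name to its metrics; lines outside a VDOM section are ignored."""
    status: Dict[str, Dict[str, Metric]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = _VDOM_HEADER.match(line)
        if header:
            current = header["name"]
            status.setdefault(current, {})
            continue
        metric = _METRIC_LINE.match(line)
        if metric and current is not None:
            limit = None if metric["limit"] == "-" else float(metric["limit"])
            status[current][metric["key"].strip()] = Metric(float(metric["usage"]), limit)
    return status


def find_constrained(
    status: Dict[str, Dict[str, Metric]], threshold: float = 0.9
) -> List[Tuple[str, str, float, float]]:
    """(vdom, metric, usage, limit) for every limited metric at or above `threshold` of its limit."""
    hits = []
    for vdom, metrics in status.items():
        for key, metric in metrics.items():
            util = metric.utilisation
            if util is not None and util >= threshold:
                hits.append((vdom, key, metric.usage, metric.limit))
    return hits


def unlimited_metrics(status: Dict[str, Dict[str, Metric]], vdom: str) -> List[str]:
    """Metrics of `vdom` with no limit set; an unlimited tenant VDOM can consume shared capacity."""
    return [key for key, metric in status[vdom].items() if metric.limit is None]


def report(text: str, threshold: float = 0.9) -> List[str]:
    """Human-readable lines summarising constrained metrics per VDOM."""
    status = parse_vdom_status(text)
    return [
        f"{vdom}: {key} at {usage:g}/{limit:g} ({usage / limit:.0%} of limit)"
        for vdom, key, usage, limit in find_constrained(status, threshold)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Feed it the output of a scheduled `get system vdom-status` and alert on `find_constrained`; a static parameter at its limit (RealServer 33/33 in the sample) means the VDOM administrator's next `config load-balance real-server` edit fails, while a dynamic one near its limit means connections are being dropped.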