Handbook

6.0.0

Doc ID 4afb0436-a998-11e9-81a4-00505692583a:209298

Configurations

There are three main types of VDOM configurations:

- Independent VDOMs
- Management VDOM
- Meshed VDOMs

The main difference between these configurations is whether inter-VDOM routing is used. For more information, see Inter-VDOM routing.

Independent VDOMs

The independent VDOMs configuration is a common one. In it, you create multiple VDOMs that are completely separate from each other, with no inter-VDOM routing. Any VDOM in this configuration can be the management VDOM, provided it has Internet access.

This configuration can be used when more than one department or company shares the FortiGate. Using independent VDOMs, each company or department appears to have its own FortiGate, which can be independently managed.

Management VDOM

In the management VDOM configuration, the management VDOM sits between the other VDOMs and the Internet. Each of the other VDOMs connects to the management VDOM through an inter-VDOM link, and there are no other inter-VDOM connections.

In this configuration, the management VDOM has full control over access to the Internet, including what types of traffic are allowed in both directions. There is no communication directly between the non-management VDOMs. Security is greatly increased with only one point of entry and exit. Only the management VDOM needs to be fully managed to ensure network security in this case. Each client network can manage its own configuration without compromising security or bringing down another client network.

This configuration can be used by MSSPs: the service provider administers the management VDOM while the other VDOMs are managed by their customers. The service provider controls the traffic, preventing customers from using banned services and preventing connections from the Internet from initiating those same banned services. Firewall policies control the traffic between each customer VDOM and the management VDOM and can be customized for each customer.

The management VDOM configuration is limited in that the customer VDOMs have no inter-connections. In many situations, this limitation is ideal because it maintains proper security. However, some situations may require customers to communicate with each other, which would be easier if the customer VDOMs were inter-connected.
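The following is an added configuration outline, not taken from the handbook, showing the management VDOM topology in FortiOS 6.0 CLI: root stays the management VDOM, one customer VDOM custA is attached through an inter-VDOM link, and a single policy in root is the only path by which custA traffic reaches the Internet. The VDOM, link and interface names, the 10.255.0.0/30 link addresses, and wan1 as the management VDOM's Internet-facing interface are all assumptions.

```fortios
# Step 1: enable multi-VDOM mode (root remains the management VDOM by default)
config system global
    set vdom-admin enable
end

# Step 2: one VDOM per customer (custA shown; repeat per customer)
config vdom
    edit custA
    next
end

# Step 3: an inter-VDOM link; its two ends are the interfaces
# vlinkA0 (placed in root) and vlinkA1 (placed in custA).
# Addresses are constructed for this example.
config global
    config system vdom-link
        edit vlinkA
        next
    end
    config system interface
        edit vlinkA0
            set vdom root
            set ip 10.255.0.1 255.255.255.252
        next
        edit vlinkA1
            set vdom custA
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# Step 4: in the management VDOM, the only policy that touches vlinkA0 is
# outbound to wan1 (assumed Internet interface) and limited to permitted
# services. There is no wan1 -> vlinkA0 policy and no vlinkA0 -> vlinkB0
# policy, so the implicit deny blocks inbound connections from the Internet
# and any direct customer-to-customer traffic.
config vdom
    edit root
        config firewall policy
            edit 1
                set srcintf "vlinkA0"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTP" "HTTPS" "DNS"
                set nat enable
            next
        end
    next
end
```

The customer side (a default route in custA pointing at 10.255.0.1 via vlinkA1, plus the customer's own internal interfaces and policies) is omitted here and is configured by the customer administrator inside custA.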

Meshed VDOMs

The meshed VDOMs configuration, including partial and full mesh, has VDOMs inter-connected using VDOM links. In a partial mesh, only some VDOMs are inter-connected while in a full mesh configuration, all VDOMs are inter-connected.

This configuration can be used when you want to provide full access between VDOMs, but need to handle traffic differently for each VDOM. When you use a meshed VDOM configuration, it is important to ensure proper security. You can achieve this using firewall policies and ensuring secure account access for all administrators and users.