Configuring additional VDOMs
This section contains the following topics:
- Creating a VDOM
- Changing the management VDOM
- Assigning interfaces to a VDOM
- Per-VDOM administrators
- Certificate management
- Security profiles
- Disabling a VDOM
- Deleting a VDOM
Creating a VDOM
Note: FortiGate performance might be reduced if you create a large number of VDOMs.
To create new VDOMs, you must use a super_admin profile account and connect to the management VDOM (the root VDOM, by default).
By default, new VDOMs are set to NAT mode. If you want a VDOM to be in transparent mode, you must manually change the operation mode using the CLI.
To create a VDOM - GUI:
- Connect to the management VDOM.
- Go to Global > System > VDOM and select Create New.
- Enter a unique Name. VDOM names have the following restrictions:
- Only letters, numbers, “-”, and “_” are allowed
- No more than 11 characters are allowed
- No spaces are allowed
- VDOMs can't have the same names as interfaces, zones, switch interfaces, or other VDOMs
- Enter a short and descriptive comment to identify this VDOM.
- Select OK.
To create a VDOM - CLI:
config global
config system vdom
edit <new_vdom_name>
end
Note: If you attempt to edit an existing VDOM in the CLI and mistype the name, a new VDOM is created with the mistyped name. The new VDOM can either be renamed or deleted. For more information, see Deleting a VDOM.
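As an added example that is not part of the FortiOS documentation, the Python helper below applies the naming rules above before emitting the creation CLI, and guards the pitfall in the note by refusing to emit `edit <name>` for a VDOM that is not already in a known list (with a case-insensitive hint for near misses). The existing names are constructed sample data; the exact, case-sensitive comparison is an assumption of this example, not a statement about how FortiOS compares names.

```python
import re

# Name rules stated on this page: only letters, digits, "-" and "_"; at most
# 11 characters; no spaces; no collision with interfaces, zones, switch
# interfaces or existing VDOMs.
MAX_VDOM_NAME_LEN = 11
ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_vdom_name(name, existing_vdoms, interfaces=(), zones=(), switch_interfaces=()):
    """Return a list of rule violations; an empty list means the name is acceptable.

    Comparison with existing names is exact (case-sensitive); that is an
    assumption of this example, not a statement about FortiOS.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if " " in name:
        problems.append("contains a space")
    if len(name) > MAX_VDOM_NAME_LEN:
        problems.append(f"longer than {MAX_VDOM_NAME_LEN} characters")
    if name and not ALLOWED_CHARS.match(name):
        problems.append("contains characters other than letters, digits, '-' and '_'")
    for kind, names in (("VDOM", existing_vdoms), ("interface", interfaces),
                        ("zone", zones), ("switch interface", switch_interfaces)):
        if name in names:
            problems.append(f"collides with an existing {kind} name")
    return problems


def cli_create_vdom(name, existing_vdoms, **namespaces):
    """Emit the creation CLI block from this page, refusing names that break a rule."""
    problems = validate_vdom_name(name, existing_vdoms, **namespaces)
    if problems:
        raise ValueError(f"refusing to create VDOM {name!r}: " + "; ".join(problems))
    return "\n".join(["config global", "config system vdom", f"edit {name}", "end"])


def cli_edit_vdom(name, existing_vdoms):
    """Emit an edit block only for a VDOM that already exists.

    The page warns that 'edit <mistyped-name>' silently creates a new VDOM, so
    the guard is to compare against the known VDOM list before sending the command.
    """
    if name not in existing_vdoms:
        close = [v for v in existing_vdoms if v.lower() == name.lower()]
        hint = f" (did you mean {close[0]!r}?)" if close else ""
        raise KeyError(f"no VDOM named {name!r}; edit would create it{hint}")
    return "\n".join(["config global", "config system vdom", f"edit {name}", "end"])


if __name__ == "__main__":
    known = {"root", "tenantA"}          # constructed sample of existing VDOMs
    print(cli_create_vdom("tenantB", known, interfaces={"port1", "port2"}))
    try:
        cli_edit_vdom("tenanta", known)  # typo: would create a new VDOM on the device
    except KeyError as err:
        print("blocked:", err)
```

Feed the helper the interface, zone and VDOM lists pulled from the device (for example from a configuration backup) rather than hand-typed values, so the collision check reflects the real device state.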
Changing the management VDOM
Note: You can't change the management VDOM if any administrators are using RADIUS authentication.
Once you have two or more VDOMs, you can change the management VDOM. The management VDOM must have Internet access.
You use the management VDOM to access global settings on the FortiGate, as well as for the following services:
- DNS lookups
- Logging to a FortiAnalyzer or syslog
- FortiGuard service
- Sending alert emails
- Network time protocol traffic (NTP)
- Sending SNMP traps
- Quarantining suspicious files and email
To change the management VDOM - GUI:
- Select Global > System > VDOM.
- Select the new management VDOM.
- Select Switch Management.
- Select OK to confirm the change.
To change the management VDOM - CLI:
config global
config system global
set management-vdom <vdom_name>
end
Assigning interfaces to a VDOM
You can assign an interface to only a single VDOM. By default, all interfaces are assigned to the root VDOM.
If the existing configuration references an interface, you won't be able to change the VDOM assignment for that interface. Because some FortiGate models have a default configuration, you might need to delete existing policies and routes to assign a particular interface to a new VDOM.
To assign an interface to a VDOM - GUI:
- Connect to the management VDOM.
- Go to Global > Network > Interfaces and edit the interface.
- Set Virtual Domain to the appropriate VDOM.
- Select OK.
To assign an interface to a VDOM - CLI:
config global
config system interface
edit <interface_name>
set vdom <VDOM_name>
next
end
If you want to use the same physical interface for multiple VDOMs, you can use an enhanced MAC VLAN.
Per-VDOM administrators
After you enable VDOMs, you can create administrators with access to several VDOMs or limited to a single VDOM, called per-VDOM administrators.
Per-VDOM administrators must have either the prof_admin profile or a custom profile. Administrators who have the super_admin profile have access to all VDOMs on the FortiGate.
Per-VDOM administrators must access the FortiGate through network interfaces that belong to those VDOMs, which must be configured to allow management access. The administrator can also connect using the console interface.
When per-VDOM administrators log into their virtual domain, they see a different dashboard from the one a global administrator sees. The VDOM dashboard shows only information relevant to that VDOM; global settings and other VDOMs aren't shown.
Information | Per-VDOM | Global
---|---|---
System information | read-only | yes
License information | no | yes
CLI console | yes | yes
Unit operation | read-only | yes
Alert message console | no | yes
Top sessions | limited to VDOM sessions | yes
Traffic | limited to VDOM interfaces | yes
Statistics | yes | yes
You can create administrators globally or per-VDOM. To assign an administrator to multiple VDOMs, you must create the account at the global level.
When creating an administrator at the per-VDOM level, the super_admin profile can't be used.
To create per-VDOM administrators - GUI:
- Connect to the management VDOM.
- Go to Global > System > Administrators and select Create New.
- Set the User Name for the account.
- Set and confirm the Password.
- Set Type to Local User.
- Remove the root VDOM from the Virtual Domains list, then add the appropriate VDOM.
- Select OK.
To create per-VDOM administrators - CLI:
config global
config system admin
edit <name>
set vdom <VDOM_name>
set password <password>
set accprofile <admin_profile>
next
end
Certificate management
The following factory default certificates are unique to each VDOM and are automatically generated when a new VDOM is added:
- Fortinet_CA_SSL
- Fortinet_SSL
- PositiveSSL_CA
- Fortinet_Wifi
- Fortinet_Factory
You can upload certificates to either the global certificate store or the certificate store for a specific VDOM. Global certificates are available to all VDOMs on the FortiGate, while VDOM certificates are available only for a single VDOM.
Security profiles
A single VDOM can use all the security features that are available to a FortiGate that does not use VDOMs.
When applying security profiles, you can use global security profiles, which are available for use by multiple VDOMs, as well as VDOM-level security profiles. Both types of profiles can be used together on the same VDOM.
VDOM-level security profiles
If you create a security profile on a specific VDOM, that profile is only available on that VDOM. When using a global administrator account, you can create, edit, and delete VDOM-level security profiles by using the drop-down menu to access the VDOM, then going to the Security Profiles menu.
Global security profiles
You can configure global security profiles for use by multiple VDOMs, to avoid creating identical profiles for each VDOM individually. Global profiles are available for the following security features:
- Antivirus
- Application control
- Data leak prevention
- Intrusion protection
- Web filtering
Some security profile features, such as URL filters, are not available for use in a global profile.
The name for any global profile must start with "g-" for identification. Global profiles are available as read-only for VDOM-level administrators and can only be edited or deleted from within the global settings. Each security feature has at least one default global profile.
Global profiles are configured by going to Global > Security Profiles in the GUI, or under config global in the CLI using the following commands:
antivirus profile
application list
dlp sensor
ips sensor
webfilter profile
Disabling a VDOM
When you create a new VDOM, it's enabled by default. You can configure a VDOM only while it is enabled. The management VDOM must remain enabled.
Disabled VDOMs are considered offline. The configuration remains, but you can't use the VDOM and only the super_admin administrator can view it. You can assign interfaces to a disabled VDOM.
To disable a VDOM - GUI:
- Go to Global > System > VDOM.
- Open the VDOM for editing.
- Ensure Enable is not selected.
- Select OK.
To disable a VDOM - CLI:
config vdom
edit <name>
config system settings
set status disable
end
end
Deleting a VDOM
Deleting a VDOM removes it from the FortiGate configuration. You can't delete the root VDOM or the management VDOM, and you can't delete a disabled VDOM.
You can delete only VDOMs that aren't referenced by the current configuration, including any per-VDOM objects. Before you delete a VDOM, check for and remove the following objects that refer to that VDOM or its components:
- Routing - both static and dynamic routes
- Firewall addresses, policies, groups, or other settings
- Security profiles
- VPN configuration
- Users or user groups
- Logging
- DHCP servers
- Network interfaces, zones, and custom DNS servers
- VDOM administrators
Before you delete a VDOM, it's recommended that you re-assign interfaces assigned to that VDOM to the root VDOM.
To delete a VDOM - GUI:
- Go to Global > System > VDOM.
- Select the check box for the VDOM and then select the Delete icon.
- Confirm the deletion.
To delete a VDOM - CLI:
config vdom
delete <name>
end
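The pre-deletion check above, and the question of which interfaces and per-VDOM administrators are bound to a VDOM, can be answered from a configuration backup before touching the device. The Python audit below is an added example, not part of the FortiOS documentation or any Fortinet tool: it parses a constructed, simplified configuration export (only the `system global`, `system interface` and `system admin` tables, in the `config`/`edit`/`set`/`next`/`end` layout FortiOS uses), lists the entries that still reference the VDOM, flags the root and management VDOMs as undeletable, and emits the CLI that re-assigns the VDOM's interfaces to root as the page recommends. Per-VDOM objects such as policies and routes live inside the VDOM's own section and are not inspected here; extending the audit to other global tables follows the same pattern.

```python
import shlex

# Constructed, simplified FortiOS configuration export (not a real device
# backup). Only the tables this audit inspects are included.
CONFIG_EXPORT = """\
config global
config system global
    set management-vdom "root"
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "port3"
        set vdom "tenantA"
    next
    edit "port4"
        set vdom "tenantA"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "tenanta-ops"
        set accprofile "prof_admin"
        set vdom "tenantA"
    next
end
end
"""


def parse_config(text):
    """Return (entries, table_settings).

    entries: list of (table, entry_name, settings) for every edit block.
    table_settings: settings set directly under a table with no edit, such as
    management-vdom under "system global". Values are kept as lists because some
    keys (vdom on an admin, for example) take several values. Edit blocks nested
    inside another entry are not modelled; this is an audit, not a full parser.
    """
    entries, table_settings = [], {}
    stack, entry = [], None          # open "config ..." blocks; current edit block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = shlex.split(line)    # honours the double quotes around names
        if words[0] == "config":
            stack.append(" ".join(words[1:]))
        elif words[0] == "edit":
            entry = (stack[-1], words[1], {})
        elif words[0] == "set":
            target = entry[2] if entry else table_settings.setdefault(stack[-1], {})
            target[words[1]] = words[2:]
        elif words[0] == "next" and entry:
            entries.append(entry)
            entry = None
        elif words[0] == "end" and stack:
            stack.pop()
    return entries, table_settings


def management_vdom(text):
    """The management VDOM from 'set management-vdom', defaulting to root."""
    _, tables = parse_config(text)
    return tables.get("system global", {}).get("management-vdom", ["root"])[0]


def vdom_references(text, vdom):
    """Map table name -> entry names whose 'vdom' setting includes the VDOM."""
    refs = {}
    entries, _ = parse_config(text)
    for table, name, settings in entries:
        if vdom in settings.get("vdom", []):
            refs.setdefault(table, []).append(name)
    return refs


def deletion_blockers(text, vdom):
    """Reasons the VDOM can't be deleted yet; an empty list means it is clear."""
    reasons = []
    if vdom == "root":
        reasons.append("the root VDOM cannot be deleted")
    if vdom == management_vdom(text):
        reasons.append("the management VDOM cannot be deleted")
    for table, names in vdom_references(text, vdom).items():
        reasons.append(f"{table}: {', '.join(names)} still reference(s) {vdom}")
    return reasons


def cli_reassign_interfaces(text, vdom, target="root"):
    """CLI block that moves every interface of the VDOM to the target VDOM."""
    names = vdom_references(text, vdom).get("system interface", [])
    lines = ["config global", "config system interface"]
    for name in names:
        lines += [f'edit "{name}"', f'set vdom "{target}"', "next"]
    lines += ["end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for reason in deletion_blockers(CONFIG_EXPORT, "tenantA"):
        print("blocker:", reason)
    print(cli_reassign_interfaces(CONFIG_EXPORT, "tenantA"))
```

Run it against a fresh backup rather than a stale copy: the admin entry it finds here ("tenanta-ops") is exactly the per-VDOM administrator the page says must be removed before the VDOM can go, and the emitted interface block is the re-assignment step the page recommends doing first.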