ciscomemo
New Member
June 2, 2015
Question

VDOM access

  • June 2, 2015
  • 3 replies
  • 14650 views

I am using the latest Fortigate firmware on my device. I have created 2 VDOMs, each with a different set of LAN and WAN interfaces. The problem is that when I access the first VDOM through SSH, it takes me to the global management CLI, from where we can access both VDOMs and the global settings. When I access the second VDOM through SSH, it takes me to the global management CLI again, even though I am using the IP of the specific VDOM. The same is the case when I try to access them via HTTPS.

Is there a way I can completely isolate them so that they act as 2 different devices?

I come from a Cisco background, where we have contexts and each context is completely different from the others.

    3 replies

    FortiAdam
    New Member
    June 2, 2015

    When you create an Administrator account you can configure it to limit access to only certain VDOMs if necessary. I believe that would be the best way to accomplish what you are after.

    ciscomemo (Author)
    New Member
    June 3, 2015

    So VDOMs don't act like different boxes in the Fortigate implementation? Yes, I did test it and can make a different user name per user, which does the work, but if VDOM1 has a LAN IP of x.x.x.x then I am wondering how someone could use this to configure the other VDOM.

    Spartacus1988
    New Member
    March 11, 2016

    The VDOMs are isolated by nature. When you log in to the firewall you will need to specify where you would like to go: if you would like to configure the global VDOM or another VDOM, you will have to specify this.

    Accessing a specific VDOM:

    # config vdom

    # edit <vdom-name>    (alternatively, you can hit ? here and it should show you all the VDOMs)

    Be careful, as you can easily create a VDOM that does not exist, since it is case sensitive.

    emnoc
    New Member
    March 11, 2016

    VDOMs and Cisco ASA contexts work the same.

    In context admin, this is our global; just like you can craft a user within a context, you can craft users within a VDOM that have sysadmin access within that "vdom".

    e.g.

    config system admin
        edit "vdomAadmin"
            set trusthost1 192.187.0.0 255.255.0.0
            set accprofile "prof_admin"
            set vdom "vdomAadmin"
            set password ENC AK1hIupJx8pam2hfj+XTd1RfFMAD7ZXiKa/57yK+zNV3GU=
        next
    end

    Also, within that VDOM you can "ONLY craft a user for that vdom" if you're an admin of that one VDOM, but global mode allows you to craft a user within root or ALL VDOMs (yes, you can craft a single user for multiple VDOMs) if you're a super_user.

    A super_admin can craft any user for that VDOM and restrict him/her to just that VDOM if management allowaccess is enabled for an interface in that VDOM (set allowaccess ssh http https telnet).

    Ken
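As an added example (not from the thread, and not Fortinet's own code), here is a small Python audit that parses a constructed FortiOS config fragment of the same shape as the `config system admin` block in the reply above and reports, for each administrator, which VDOMs it can reach and whether a trusthost pins it to known source addresses, plus which interfaces in each VDOM carry cleartext management services in their allowaccess list. It covers both points raised in the replies: scoping an admin account to particular VDOMs, and the per-interface allowaccess setting. The VDOM names, admin names, addresses and the config text are all constructed, and treating super_admin as reaching every VDOM is an assumption of the example.

```python
"""Audit FortiOS administrator scoping across VDOMs. Added example, not
code from the thread; every name and address below is constructed."""
import shlex

# Constructed sample: two VDOM-scoped admins, one global super_admin, two interfaces.
SAMPLE_CONFIG = """\
config vdom
    edit vdomA
    next
    edit vdomB
    next
end
config global
config system admin
    edit "vdomA-admin"
        set trusthost1 10.1.0.0 255.255.255.0
        set accprofile "prof_admin"
        set vdom "vdomA"
    next
    edit "vdomB-admin"
        set accprofile "prof_admin"
        set vdom "vdomB"
    next
    edit "admin"
        set trusthost1 10.0.0.0 255.0.0.0
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system interface
    edit "port1"
        set vdom "vdomA"
        set allowaccess ping https ssh
    next
    edit "port2"
        set vdom "vdomB"
        set allowaccess https ssh telnet http
    next
end
end
"""

CLEARTEXT = {"http", "telnet"}  # management services that send credentials in clear


def parse_fortios(text):
    """Return (table, entry_name, settings) triples; settings map key -> value list."""
    entries, stack = [], []
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":          # open a (possibly nested) table
            stack.append([" ".join(args), None, {}])
        elif cmd == "edit":          # start a new entry in the innermost table
            stack[-1][1], stack[-1][2] = args[0], {}
        elif cmd == "set":           # 'set vdom a b' keeps both names
            stack[-1][2][args[0]] = args[1:]
        elif cmd == "next":          # entry complete
            entries.append(tuple(stack[-1]))
        elif cmd == "end":           # close the table
            stack.pop()
    return entries


def audit_admins(entries):
    """Map admin name -> profile, reachable VDOMs, and whether a trusthost pins it."""
    all_vdoms = sorted(name for table, name, _ in entries if table == "vdom")
    report = {}
    for table, name, s in entries:
        if table != "system admin":
            continue
        profile = s.get("accprofile", [""])[0]
        # Assumption here: super_admin is global (reaches every VDOM); others are confined to 'set vdom'.
        reach = all_vdoms if profile == "super_admin" else sorted(s.get("vdom", ["root"]))
        report[name] = {"profile": profile, "vdoms": reach,
                        "trusthost": any(k.startswith("trusthost") for k in s)}
    return report


def findings(entries):
    """Review points: admins without trusthost, global admins, cleartext management."""
    out = []
    for name, info in audit_admins(entries).items():
        if not info["trusthost"]:
            out.append(f"admin {name}: no trusthost, logins accepted from any source")
        if info["profile"] == "super_admin":
            out.append(f"admin {name}: super_admin, reaches {' '.join(info['vdoms'])}")
    for table, name, s in entries:
        clear = sorted(set(s.get("allowaccess", [])) & CLEARTEXT)
        if table == "system interface" and clear:
            out.append(f"{s['vdom'][0]}/{name}: cleartext management {' '.join(clear)}")
    return out


if __name__ == "__main__":
    for line in findings(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", line)
```

Run it directly to print the findings for the constructed sample; to audit a real unit the same way, feed `parse_fortios` the text of the `system admin` and `system interface` tables from the device's configuration. The parser only understands config/edit/set/next/end, which is enough for these two tables.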