cdelarosa
New Member
July 16, 2021
Question

VDOM Mode Split vdom

  • July 16, 2021
  • 1 reply
  • 2781 views

Hello, 

I'm studying for the NS4 and I was wondering in what case scenarios the split VDOM is used.

I could read that it has two VDOMs:

the root and one more.

The root is for management work only, so I actually just get one VDOM to work with. Why would I want to use this mode if it just gives me one VDOM?

I don't have too much experience with FortiGates, so I can't think of one, but I would like to know.

 

Cheers

Carlos

    1 reply

    Toshi_Esumi
    SuperUser
    July 16, 2021

    Actually, me neither. It's just to separate the management VDOM from the user (root) VDOM so that the user VDOM wouldn't see any management traffic like FortiGuard access and others. But to me that's only relevant if the entire chassis is owned/managed by somebody other than the VDOM users. If it's only for yourself, it probably doesn't matter much, since all circuit(s) are for yourself, including management use.

    We do have shared chassis setups with multiple customer VDOMs, and we set up a dedicated management VDOM to carry the management or common service traffic. But that's different from what the "split vdom" feature is intended for.

    lobstercreed
    New Member
    July 19, 2021

    I tend to agree with Toshi that it's not an attractive feature, but I think there are perhaps two advantages (having not used it, just going off my understanding of it).

    1. It reduces the attack surface of the firewall by essentially creating "out of band" management, which is especially useful for firewalls that don't have a dedicated management port. Perhaps I'm wrong, and perhaps a similar thing can be achieved with proper hardening under one VDOM (I feel fine with my own settings).
    2. It should simplify the configuration steps needed to ensure proper routing of management traffic. Self-originated traffic does not use SD-WAN rules by default, and even with ALL of the knobs turned on per this document, some traffic still ignores SD-WAN depending on the features you're using (had a ticket open very recently about this).
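The "attack surface" point in the reply above is something you can check mechanically in a config backup. The script below is an added example, not code from this thread or from Fortinet: it parses the standard FortiOS backup text format (`config` / `edit` / `set` / `next` / `end`), reads `vdom-mode` from `config system global`, and reports every interface that exposes an administrative service (`allowaccess`) from outside the management VDOM. It assumes, as FortiOS does in split-VDOM mode, that `root` is the management VDOM and `FG-traffic` carries user traffic; the sample backup embedded in it is constructed for the example, and the set of protocols treated as "admin services" is the author's own choice.

```python
"""Audit a FortiGate config backup for management/traffic separation.

Added example, not from the original thread. Assumes the FortiOS text backup
format and that in split-VDOM mode the root VDOM is the management VDOM.
"""
import re

# allowaccess values that expose an administrative service on an interface
# (chosen for this example; extend to taste).
ADMIN_PROTOCOLS = {"https", "ssh", "http", "telnet", "snmp", "fgfm"}

# Constructed sample backup, not taken from a real device.
SAMPLE_CONFIG = """\
config system global
    set vdom-mode split-vdom
    set hostname "FGT-EXAMPLE"
end
config system interface
    edit "mgmt"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port1"
        set vdom "FG-traffic"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        set vdom "FG-traffic"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh http
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS backup text into nested dicts.

    'config X Y' opens a table keyed "X Y", 'edit "name"' opens an entry in
    it, 'set key v1 v2 ...' stores the value list, and 'next' / 'end' close
    the innermost scope. Quoted tokens keep spaces and lose their quotes.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip('"') for p in re.findall(r'"[^"]*"|\S+', line)]
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def audit_management_separation(config):
    """Return a list of human-readable findings (empty means clean).

    In split-VDOM mode admin services are expected only on root (management)
    interfaces. In any other mode there is no separate management VDOM, so
    every interface exposing an admin service is reported.
    """
    findings = []
    mode = config.get("system global", {}).get("vdom-mode", ["no-vdom"])[0]
    split = mode == "split-vdom"
    if not split:
        findings.append(f"vdom-mode is '{mode}': management is not in a separate VDOM")
    for name, iface in config.get("system interface", {}).items():
        vdom = iface.get("vdom", ["root"])[0]
        exposed = ADMIN_PROTOCOLS & set(iface.get("allowaccess", []))
        if not exposed:
            continue
        if split and vdom == "root":
            continue  # management VDOM: admin access is expected here
        findings.append(
            f"interface {name} in VDOM {vdom} exposes admin services: "
            + ", ".join(sorted(exposed))
        )
    return findings


if __name__ == "__main__":
    for finding in audit_management_separation(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a real backup by replacing `SAMPLE_CONFIG` with the file contents. On the constructed sample it flags only `port2`, which sits in `FG-traffic` but still allows HTTPS, SSH and HTTP; `mgmt` is left alone because it is in `root`. Switching the sample to `no-vdom` makes the script report the mode itself plus every interface with admin access, since nothing separates management from user traffic in that case.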