Explorer III

Solved

VDOM setup or FortiManager setup

Forum|Forum|1 year ago
October 31, 2024
4 replies
5544 views

I have a single, 8 hour, professional services support day banked. I've got a couple of options on how to use it. I've got a FortiManager license but I've never set it up and never used it. I would also like to configure my FortiGate that's in my DR site with a VDOM so that I could have a "bubble test" that's segregated from everything else, but uses Corp IPs. I've also never set up VDOMs or worked with VDOMs. I'm less than sure I can accomplish both of these tasks in 1 8 hour support day.
Which one would you consider more complicated and I should use the support day for?

FortiGate

Best answer by DPadula

Hi IrbkOrrum,

So you will have 3 vdoms, Primary, Blubble and root. You cannot get rid of root, this is by default.

vdom list.PNG

Then you need to create each vlan interface like the settings below.

VLAN 1001

and VLAN 2001

Create the other vlans interfaces as your diagram, I have just created two of them, one on each vdom, to show you how it is done.

After that, the Network-Interface menu will look like this one:

The physical interface belong to root (default) but the vlans interfaces belong to Primary or Bubble, according to your configuration.

I hope it helps.

DPadula

Staff & Editor

Hi IrbkOrrum,

Setup a vdom is not that complicated. Once you understand the concept you will realise how easy it is.

First thing to do is enable multi-vdom on your Fortigate, this can be done using the article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-multiple-VDOMs/ta-p/193601
This other article shows how to create vdoms, it has some examples that are helpful https://community.fortinet.com/t5/FortiGate/Technical-Tip-Step-by-Step-Inter-VDOM-configuration-examples/ta-p/315636

FortiManager setup can be a little bit more trick on my point of view, but also can be done using Fortinet documentation https://docs.fortinet.com/document/fortimanager/7.6.1/administration-guide/512210/setting-up-fortimanager

I suggest to have a look on three links before you decide how you want to use your PS hours.

Regards

DPadula

IrbkOrrumAuthor

Explorer III

Let me further expound upon what I want to do with a VDOM because I can't figure out how I'm going to accomplish it myself with what I've read.

The FortiGate that's going to be in our DR site will have 2 connections to it.

Port 5 goes to the internet
Port 1 goes to the VMWare stack
These are all the physical connections I can have (hosted data center, each connection costs me $).
I would want to set up (I guess) 2 VDOMs. There is the "Primary DR" which will have subnets like 10.8.10.0/24 - 10.8.20.0/24, each as a vlan interface under Port 1.
Then there is the "Bubble Test" VDOM. This will also run the same subnets 10.8.10.0/24 - 10.8.20.0/24, they also need to be vlan interfaces under Port 1 (because I only have the 1 port) however they will be different vlan IDs.
"Primary DR" and "Bubble Test" VDOMs should have no communication. "Bubble Test" will have clients using an SSLVPN to connect to it and once connected have no access to anything else except what's in the "Bubble Test" VDOM, not even internet access.
It's the sharing of ports that I am lost in right now. Everything keeps saying "assign a physical interface to the vdom" but I'm not understanding how "Primary DR" and "Bubble test" vdoms would share the same interface.

DPadulaAnswer

Staff & Editor

Hi IrbkOrrum,

So you will have 3 vdoms, Primary, Blubble and root. You cannot get rid of root, this is by default.

vdom list.PNG

Then you need to create each vlan interface like the settings below.

VLAN 1001

and VLAN 2001

Create the other vlans interfaces as your diagram, I have just created two of them, one on each vdom, to show you how it is done.

After that, the Network-Interface menu will look like this one:

The physical interface belong to root (default) but the vlans interfaces belong to Primary or Bubble, according to your configuration.

I hope it helps.

IrbkOrrumAuthor

Explorer III

Ahhh, ok. That's actually a lot more simple than I thought it was. So I've already got a config and when I turn on the VDOMs all my rules fall under "Root". I think I'll take a backup and then modify the backup to move those interfaces from "Root" to the "Primary_DR".

DPadula

Staff & Editor

@IrbkOrrum

If you have a bunch of vlans under the same physical interface you will need a device connected to such interface capable of handling all the vlan traffics (vlan tags). I used port5 to show you how to do it but I believe you will do under port1, right?

You can use inter-vdom links to connect each vdom to each other in case each vdom need to communicate with other vdom.

I hope I clarified instead of make it more confusing. :)

IrbkOrrumAuthor

Explorer III

Ok, so the individual vlan interfaces are set up under global, with the vlan interface being called out as belonging to an individual VDOM there. That makes sense for the inside interfaces. However, how do you share like 1 single outside interface? Would Root have the outside interface in it's vdom with the routing assigned at the Root VDOM. Then like Primary_DR and Bubble_Test would each have an inter VDOM link to root? How does Root know to route traffic to Primary_DR or Bubble_Test? Like Primary_DR will have IPSec VPN connections, but Bubble_Test will just have SSL VPN.
It seems like VDOMs are easy if you are assigning a physical interface to each vdom and there are several videos that I've found on youtube explaining that. However, when all the VDOMs share physical 1 ingress and physical 1 egress things get a lot muddier and I can't find any good documentation or videos on it.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded