Cybersecurity Forum

cngbandan
New Contributor

Add a multi VDOM FortiGate to my security

Hello All,

I want to know if it is possible to add a FortiGate with multi-VDOM into my Security Fabric?
I thought it was possible to do it with FortiOS 6.4, but I still can't do it.

faridulalam_FTNT

Use split-VDOM in v6.4:

config system global
(global) # set vdom-mode
    no-vdom       Disable split/multiple VDOMs mode.
    split-vdom    Enable split VDOMs mode.
    multi-vdom    Enable multiple VDOMs mode.

------------------------------
Faridul
------------------------------
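As an added illustration (my own, not from Faridul's post or Fortinet's documentation), here is the rest of the CLI sequence around that setting: switching a 6.4 unit from no-vdom into split-task VDOM mode, pinning a management port to the management VDOM, and creating an admin who is confined to the traffic VDOM. The VDOM names root and FG-traffic are the two that FortiOS creates in this mode; the interface name, address, admin name and the "Virtual domain configuration" output line are assumptions for the example.

```fortios
# Switch to split-task VDOM mode (assumes the unit is currently in no-vdom mode).
config system global
    set vdom-mode split-vdom
end

# In split-task mode the configuration is divided between the global scope and
# two fixed VDOMs: root (management only) and FG-traffic (all forwarding).
# Put a dedicated port in the management VDOM for out-of-band admin access.
config global
    config system interface
        edit "mgmt"                            # example interface name
            set vdom "root"
            set ip 192.0.2.1 255.255.255.0     # example management address
            set allowaccess ping https ssh
        next
    end
end

# An administrator scoped to the traffic VDOM only: this is the per-VDOM RBAC
# that split-task mode gives you. Such an admin cannot touch the management VDOM.
config global
    config system admin
        edit "traffic-ops"                     # example admin name
            set accprofile "prof_admin"
            set vdom "FG-traffic"
            set password "replace-with-a-long-passphrase"
        next
    end
end

# Verification (from the global context):
#   get system status | grep -i "virtual domain"
# is expected to report the mode as split-task rather than disable/multiple
# (exact wording assumed; check against your firmware).
```

The check to run afterwards is to log in as the traffic-only admin and confirm that the management interface and global settings are not visible to that session; if they are, the admin was created in the wrong scope.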
HubeWisn

Can someone explain what the use case for split VDOM is? If I have a limit of one VDOM for traffic, isn't it easier just to run in standalone mode?
RobertEvans
New Contributor III

Multi-VDOM is primarily for service providers, MSSPs, or certain enterprises that want true separation of traffic. It is a rough equivalent of VRF (virtual routing and forwarding) in the Forti world. It provides a virtual route table per VDOM, and per-VDOM firewall policies, objects, etc.

You connect VDOM virtual interfaces to the rest of your network by way of VLAN tagging across a trunk, as well as by creating IPsec aggregation interfaces bound to a specific VDOM. E.g. a single firewall can be the VPN aggregation point for 10 customers, each having their own unique IPsec target, and each having their traffic flow only into a given VDOM, providing traffic segmentation at L2 and L3 within the firewall.

It's a feature most good firewalls/routers/switches provide; the underlying technology is essentially VRF/VRF-lite, a technology often coupled with MPLS to provide L3VPN separation of traffic for service providers.
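As an added configuration example (mine, not from the post or from Fortinet's documentation), here is what the VLAN-trunk-plus-IPsec segmentation described above looks like on the CLI for two tenants in multi-VDOM mode. VDOM, interface and tunnel names, VLAN IDs, addresses, the peer gateway and the PSK are all made up for the example.

```fortios
# Enable multi-VDOM mode and create one VDOM per tenant.
config system global
    set vdom-mode multi-vdom
end

config vdom
    edit "cust-a"
    next
    edit "cust-b"
    next
end

# VLAN sub-interfaces on the shared trunk port1; each is owned by exactly one
# VDOM, so tenant frames are separated at L2 on the way in.
config global
    config system interface
        edit "cust-a-vl100"
            set vdom "cust-a"
            set type vlan
            set interface "port1"
            set vlanid 100
            set ip 10.100.0.1 255.255.255.0
            set allowaccess ping
        next
        edit "cust-b-vl200"
            set vdom "cust-b"
            set type vlan
            set interface "port1"
            set vlanid 200
            set ip 10.200.0.1 255.255.255.0
            set allowaccess ping
        next
        # Internet-facing port that terminates cust-a's tunnel, assigned to cust-a.
        edit "port2"
            set vdom "cust-a"
            set ip 198.51.100.1 255.255.255.0
        next
    end
end

# The IPsec interface, its route and its policy exist only inside cust-a.
# cust-b has its own route table and policy set and cannot reference them.
config vdom
    edit "cust-a"
        config vpn ipsec phase1-interface
            edit "cust-a-site1"
                set interface "port2"
                set ike-version 2
                set peertype any
                set proposal aes256-sha256
                set dhgrp 14
                set remote-gw 203.0.113.10
                set psksecret "replace-with-a-long-random-psk"
            next
        end
        config vpn ipsec phase2-interface
            edit "cust-a-site1-p2"
                set phase1name "cust-a-site1"
                set proposal aes256-sha256
                set src-subnet 10.100.0.0 255.255.255.0
                set dst-subnet 172.16.1.0 255.255.255.0
            next
        end
        config router static
            edit 1
                set dst 172.16.1.0 255.255.255.0
                set device "cust-a-site1"
            next
        end
        config firewall policy
            edit 1
                set srcintf "cust-a-vl100"
                set dstintf "cust-a-site1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

The property worth checking after this is the one the post is about: from inside cust-b (`config vdom`, `edit "cust-b"`), `get router info routing-table all` should show no route towards 172.16.1.0/24 and no cust-a interfaces should be selectable in its policies. If they are, the interface was created in the wrong VDOM. Note that a VDOM shares the unit's CPU, memory and session table with every other VDOM, so this is policy and routing isolation, not a resource or fault boundary.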
HubeWisn

Multi-VDOM is clear; I asked about split VDOM. For me it makes sense only when you own the hardware and rent/sell the VDOM as a service. Of course both parties accept that there is no way to add another VDOM in the setup... but I'm still not convinced.
RobertEvans
New Contributor III

Ah yes, I saw "Multi" in the OP's subject and didn't see your question immediately.

Split-VDOM is a specialized mode that just separates mgmt traffic into a VDOM for OOB access, with a forwarding-traffic VDOM for traffic mgmt.
I would probably use multi-VDOM in any case, but this is meant to be a simple 2-VDOM configuration to separate mgmt of the firewall from traffic-forwarding mgmt.

It's essentially an RBAC role applied depending on which VDOM you are in. The second link below shows you what you can configure while in the root VDOM (mgmt) vs the traffic VDOM.

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/963030/split-task-vdom-mode
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/758820/split-task-vdom-mode

The use case is limited, because you could do the same with RBAC in multi-VDOM mode w/o the limitation of just 2 VDOMs.
HubeWisn

Thanks for your answer. That's what I was looking for: the confirmation that the use case is quite limited compared to multi-VDOM.
MichWill1

I'll second this request. I understand VDOMs and of course multiple VDOMs, but I've not heard of split VDOMs, so I would love to understand their function and a use case where they would be used.
cngbandan

Hello All, and thank you for your contributions.
By reading the comments and related articles, I realize that the Security Fabric still does not support devices on which multi-VDOM is implemented (more than 2 VDOMs).
I will continue to wait until a release allows it.