Gwillikers
New Contributor

Assistance w/ VDOM implementation outline


Howdy Folks!

I am new to the Network Engineering side of things, as I was a Sales Engineer/Solution Architect for the last 15 years. That being said, I have a layman's understanding of the FortiGates, but very little hands-on configuration experience.

I reviewed the VDOM overview (https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/), and think I have a general understanding of what needs to be done, but need to understand the "why", order of operation, and dependencies so I can put all the different pieces of the puzzle together.
The above document doesn't go into VDOMs and VLANs, so there is a big area of question.

I have been tasked to create an outline as to how to implement VDOMs in the following scenarios...

Scenario#1 - Single WAN connection being broken out into (2) separate VLANs that require a separate VDOM for Management/control. Thought is to use VDOM1/Root for the WAN-side FW instance and VDOMs 2&3 for the LAN-side VLAN-specific FW instances. Is what I described possible? Do I have to create policy routes to map the VDOM1 WAN connection(s) to the VLAN-specific VDOMs? If so, how?
Scenario#2 - Create a design with a primary and secondary WAN provider terminating into a single VDOM (VDOM1) and then feeding separate child VDOMs to allow each program to control/manage their specific child/VLAN VDOM instance. How do you create a WAN connection priority (WAN1 primary and WAN2 failover) on a single VDOM? What sort of routing policies do you have to create so that VDOM1/Root feeds VLAN10 into VDOM2 and VLAN20 into VDOM3?
Thanks all for the review and assistance!
Gwillikers
Toshi_Esumi
SuperUser

First, you need to understand how to connect multiple vdoms over vdom-link or npu-vlink (if chassis-based FGT). The same guide you referred to has some examples:
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/335646/inter-vdom-routing-co...

Then you would understand that the vdom-link/npu-vlink is a different interface from physical ones, so you can't put the same VLAN subinterface on both. Besides, to set up policies, the source interface and the destination interface are separated in general for secure operation, although it's possible to set policies between the same interface.
Also, you cannot share the same VLAN subinterface with multiple vdoms. One interface can belong to only one vdom. Consider a vdom as an independent router/FW box.

Either scenario is possible to configure as long as you separate VLANs on both sides (split vlan-10 and vlan-20 per inside and outside, and between vdoms).

Toshi
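Toshi's answer in worked form for Scenario#2, as an added example that is not from this thread or from Fortinet's documentation: the root VDOM owns wan1 and wan2 (wan2 as failover through a higher route distance), a vdom-link named v2link yields the root-side interface v2link0 and the VDOM2-side interface v2link1, and VLAN 10 on port2 exists only in VDOM2, so each side needs its own route toward the other. The port names, the VDOM name VDOM2 (assumed already created), the 10.255.2.0/30 transit addresses and the RFC 5737 upstream gateways are constructed values.

```fortios
config global
    # v2link creates v2link0 (stays in root) and v2link1 (moved to VDOM2 below)
    config system vdom-link
        edit "v2link"
        next
    end
    config system interface
        edit "v2link0"
            set ip 10.255.2.1 255.255.255.252
        next
        edit "v2link1"
            set vdom "VDOM2"
            set ip 10.255.2.2 255.255.255.252
        next
        edit "vlan10"
            set vdom "VDOM2"
            set interface "port2"
            set vlanid 10
            set ip 192.168.10.1 255.255.255.0
        next
    end
end
config vdom
    edit root
        config router static
            edit 1
                set gateway 203.0.113.1
                set device "wan1"
            next
            edit 2
                set gateway 198.51.100.1
                set device "wan2"
                set distance 20
            next
            edit 3
                set dst 192.168.10.0 255.255.255.0
                set gateway 10.255.2.2
                set device "v2link0"
            next
        end
    next
    edit VDOM2
        config router static
            edit 1
                set gateway 10.255.2.1
                set device "v2link1"
            next
        end
    next
end
```

Firewall policies are still required on both sides of the link (vlan10 to v2link1 in VDOM2, and v2link0 to wan1/wan2 with NAT in root), and VDOM3 with VLAN 20 is built the same way over a second vdom-link. The wan2 default route only enters the routing table once the wan1 route is withdrawn, so pair it with a link-monitor on wan1 so that a dead upstream actually removes that route.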

pbretas
Staff

Hello Gwillikers,
Sorry if I haven't understood your question so well. From the general point of view, the VDOM is usually used to split the FortiGate into many mini-FortiGates; this way you can have a multi-tenant scenario. In other words, if you have a FortiGate with X physical interfaces, you can split it and assign a portion of the physical interfaces to customer1, and another portion to customer2.
Hope I could clarify a bit the understanding about VDOM.
Pedro

Gwillikers
New Contributor

Thanks Toshi....huge help!
