Create VDOM to duplicate Live firewall for testing...
I have a request from a client where they are looking to set up a test environment (firewall) to be able to make changes on before having it applied to their live / production firewall. The catch is, they need to be able to have live data or at least the same traffic running through their test firewall to be able to see what impact their changes will make / have. The thought of VDOMs came up, but this would mean having two instances of firewalls running....
Does anyone have any ideas as to how I could set this up? If it even would be possible?
What's the business case for this? You're adding more work than is required and the client seems to be leading this. You should review the policy, assess the risk, and have a policy change and backup plan.
To try to duplicate the traffic is just asking for more complexity. If they want to do it right, you would really define a production and non-production (sandbox) site and QA any changes on the non-production site before implementation into the prod network, and still maintain the earlier suggestion (firewall audit, snapshot, rollback, etc.....)
I would just go with using a spare/test unit if your client wants to set up something that mimics the live/production environment -- just section off a department/network and put them on the test unit; it's a bit easier and more manageable to deal with the fgt device as a whole than to mess around with VDOMs/configuration changes, etc.
That being said, if your client is adamant about using VDOMs, they might want to consider putting the fgt into transparent mode and maybe have two VDOMs more-or-less mirroring each other.
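As an added illustration of the transparent-mode VDOM idea above (example CLI, not from the poster or from Fortinet's documentation): this enables multi-VDOM mode, creates a separate "test" VDOM, gives it two dedicated ports and switches that VDOM to transparent mode so it bridges traffic instead of routing it. The VDOM name "test", the port names port3/port4, the management address and the FortiOS 6.2+ `vdom-mode` syntax are assumptions.

```fortios
# Global scope: switch the unit to multi-VDOM mode (assumed FortiOS 6.2+ syntax)
config system global
    set vdom-mode multi-vdom
end

# Create the isolated test VDOM (name "test" is an assumption)
config vdom
    edit test
    next
end

# Global scope: move two otherwise unused ports into the test VDOM
# (port3/port4 are assumptions; pick ports not used by production)
config global
    config system interface
        edit port3
            set vdom test
        next
        edit port4
            set vdom test
        next
    end
end

# Inside the test VDOM: bridge its ports in transparent mode and give the
# VDOM its own management IP (address is a constructed placeholder)
config vdom
    edit test
        config system settings
            set opmode transparent
            set manageip 192.0.2.10/24
        end
    next
end
```

The test VDOM only inspects what arrives on port3/port4, so to see production-like load you still need the upstream switch to feed a copy of that traffic (for example a mirror/SPAN session) into those ports; the production VDOM's policies and sessions are unaffected either way.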