Hi all,
We have FortiGate firewalls running without VDOM.
Now we need to enable the VDOM feature, but after we enable it, the current existing config will be migrated into the root VDOM.
We don't want the existing config migrated into the root VDOM.
We only want the root VDOM for management purposes, without any other configuration.
We want to place the current existing configuration into a different/separate VDOM.
What can we do to achieve our purpose?
Actually, we have a bunch of FortiGates running without VDOM, and now we need to enable the VDOM feature for application team requirements.
Thank you, and please suggest something on this. Either a manual or an automatic process is fine, as long as we can still keep the current configuration in a separate VDOM other than the root VDOM.
You can change the management VDOM after you have set everything up, if that's your only concern.
Another idea would be to download the config and change all the lines where it says "set vdom root" to whatever you want, then restore/import the config; just make sure that the VDOM is created.
I would just create a new VDOM for management.
So your existing config stays in the root VDOM, and a new management VDOM is created to manage the firewall.
You can also look at creating an Admin VDOM. See VDOM Types here: https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/597696/vdom-overview#Managem...
Although I haven't used this myself, if you need only one traffic VDOM, this split-task VDOM might work for you.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/758820/split-task-vdom-mode
"root" vdom is only for management.
Toshi
The root vdom does not have to be used for management. Once you enable multi-VDOM mode, the root vdom is the management VDOM, but you can easily create a new VDOM and make that your management VDOM.
The OP's concern with multi-vdom was that all existing interfaces, and anything using them like policies & objects, would go into the "root" vdom when the mode is set, which is true and which is not desirable for his/her case.
Is there a way around?
Toshi
It's not clear why the OP doesn't want them to exist in the 'root' VDOM, apart from the fact that they want the 'root' VDOM for management purposes only.
We are suggesting keeping things simple: keep everything in the 'root' VDOM but move the management piece into a new VDOM.
This would work much better than trying to move all interfaces and policies from 'root' into a new VDOM.
Sorry I misunderstood what you were getting at. Yes that's an excellent suggestion to use split-task VDOM but unfortunately it is deprecated in 7.2 in favour of 'Admin' VDOM.
Hi, thank you all for the suggestions. We are now doing a tech refresh of our existing FortiGate firewalls and we want a uniform design for all firewalls: root VDOM for management and other VDOMs for data traffic.
Recently deployed FortiGate firewalls already have the root VDOM for management.
So we want the existing firewalls to be in the same format, as the VDOM requirement is critical for the environment now.
You can use split-task VDOM as @Toshi_Esumi suggested; this will put your management into the root VDOM. However, please note this is deprecated in the current FortiOS release in favour of the admin VDOM.
The best thing to do in your case, IMO, is to take your config, back it up, and edit it in a text editor, replacing every instance of "root" in reference to VDOM config with your preferred VDOM name, then restore this config to the FortiGate (this will require a reboot).
Then create a new VDOM named root and use that for management.