So I'm working on migrating from a different firewall platform that has essentially 2 isolated departments that share redundant internet. I had a couple of questions that hopefully a more experienced user with VDOMs can assist with.
1. Is it best practice to not use the root VDOM for any traffic that should be only for either of the 2 depts? I had done some initial configuration and have set up what would be department 1 already in the root VDOM before I enabled multi-VDOM mode.
2. Is the best way to get internet for both departments (if I move department 1 into another VDOM other than root) to use NPU links?
3. If I use NPU links, can I still set up traditional link monitors and use those to determine internet egress?
I have a requirement that I use 2 different SSL landing pages (each backed by a different FQDN and certificate with no common domain), which is what drove the decision to use VDOMs.
You're definitely on the right track. You can use the root VDOM for whatever you want. But it probably makes sense to create separate VDOMs for each department named appropriately and keep the root VDOM for management purposes and/or internet access.
Definitely use the inter-VDOM links for sending traffic to/from the tenant VDOM and the internet access VDOM.
Yes you can monitor the inter-VDOM links to determine bandwidth usage. Alternatively, if you have multiple public IPs you could have dedicated WAN links inside each VDOM. Lots of flexibility.
I would advise you to read through this doc: https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/597696/vdom-overview
Thanks for this. I was able to move most of the configuration I needed to under the 2 VDOMs and created NPU VLAN interfaces for routing in the root VDOM. I set a default route in each of the VDOMs (I imagine I also need to create the reverse route in the root VDOM?). I will reread the document to see if I can figure out the port forwards to servers that live in a VDOM.
For the policies from a VDOM to the root I was unclear on which to/from zones to pick, but I will see if the document clears that up. I wasn't able to ping from the NPU link in VDOM 1 to the NPU link in the same VLAN and subnet in the root VDOM, but I'm not sure if that's just because none of the interfaces in that VDOM are up.
Hi,
Reverse routes are needed so that the root VDOM can route the traffic back to the source. For pinging between the inter-VDOM interfaces, check that ping is enabled on the interfaces and that trusted hosts, if configured, contain the NPU link subnet.
Best regards,
Jin
Hi Mumbles202
For traffic to traverse from one VDOM to another, we would need to configure a VDOM link between the VDOMs. Please follow the link below to configure that:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-route-traffic-from-one-VDOM-to-anot...
Regards
Thanks for this. Should I use inter-VDOM links for traffic to/from root, or the NPU links with VLAN interfaces? Is there documentation with respect to the differences and which to use in which situation?
Yeah, use the NPU links with VLANs for each of your tenant VDOMs. Info here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-and-understanding-between-NPU-V...
More general config info here:
I'll keep working on this to see if I can figure out how to get it going.
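A worked FortiOS CLI configuration for the design the replies converge on: VLAN subinterfaces on the NPU inter-VDOM link (one end in root, one in the tenant VDOM, same VLAN ID), a default route in the tenant pointing at root, the reverse route in root that Jin mentions, and a port forward (VIP) on root's public IP to a server that lives inside the tenant, which is the case the original poster was still working out. This is an added example, not configuration from the thread or from Fortinet's documentation. Everything concrete in it is assumed: the tenant VDOM name dept1, VLAN 101 with 10.255.1.0/30 on the link, port2 as the dept1 LAN (192.168.10.0/24), wan1 and 203.0.113.10 as root's WAN side, and the policy and VIP names.

```text
# Added example. dept1, VLAN 101, 10.255.1.0/30, port2, wan1, 192.168.10.0/24 and 203.0.113.10 are assumed.
config global
    config system interface
        edit "root-to-dept1"
            set vdom "root"
            set interface "npu0_vlink0"
            set vlanid 101
            set ip 10.255.1.1 255.255.255.252
            set allowaccess ping
        next
        edit "dept1-to-root"
            set vdom "dept1"
            set interface "npu0_vlink1"
            set vlanid 101
            set ip 10.255.1.2 255.255.255.252
            set allowaccess ping
        next
    end
end
config vdom
    edit "dept1"
        config router static
            # Default route: all dept1 traffic leaves through the root VDOM.
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.1.1
                set device "dept1-to-root"
            next
        end
        config firewall policy
            # Outbound, no NAT here; root NATs on wan1. Narrow srcaddr to the LAN subnet in production.
            edit 1
                set name "dept1-out"
                set srcintf "port2"
                set dstintf "dept1-to-root"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            # Inbound: port-forwarded sessions handed over by root to the LAN server.
            edit 2
                set name "dept1-in-web"
                set srcintf "dept1-to-root"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "HTTPS"
            next
        end
    next
    edit "root"
        config router static
            # Reverse route: without it root sends replies and VIP traffic for 192.168.10.0/24 out its own default route.
            edit 10
                set dst 192.168.10.0 255.255.255.0
                set gateway 10.255.1.2
                set device "root-to-dept1"
            next
        end
        config firewall vip
            # Port forward on the shared public IP to a server that lives in dept1.
            edit "dept1-web-443"
                set extip 203.0.113.10
                set extintf "wan1"
                set portforward enable
                set mappedip "192.168.10.20"
                set extport 443
                set mappedport 443
            next
        end
        config firewall policy
            edit 10
                set name "dept1-to-wan"
                set srcintf "root-to-dept1"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
            edit 11
                set name "wan-to-dept1-web"
                set srcintf "wan1"
                set dstintf "root-to-dept1"
                set srcaddr "all"
                set dstaddr "dept1-web-443"
                set action accept
                set schedule "always"
                set service "HTTPS"
            next
        end
    next
end
```

Two points this layout makes concrete. The VIP's mapped address is in dept1, so root needs the static route to 192.168.10.0/24 over the link before the port forward can work; the same route is what carries replies back when a flow is not NAT'd by root, which answers the "reverse route" question. And because both WAN interfaces stay in root, the link monitors and default-route failover for internet egress (question 3 in the original post) are configured in root exactly as they would be on a single-VDOM unit; the tenant VDOMs only ever see one next hop, 10.255.1.1. To check the link itself, run `execute ping 10.255.1.1` from inside the dept1 VDOM and `get router info routing-table all` in each VDOM; if the ping fails with `allowaccess ping` set on both VLAN interfaces, confirm the two subinterfaces use the same `vlanid` and that one sits on npu0_vlink0 and the other on npu0_vlink1.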