Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mumbles202
New Contributor II

First time VDOM user with a few questions

So I'm working on Migrating from a different firewall platform that has essentially 2 isolated departments that share redundant internet. I had a couple of questions that hopefully a more experienced user with VDOMs can assist with

 

1.) Is it best practice to not use the root VDOM for any traffic that should be only for either of the 2 depts? I had done some initial configuration and have setup what would be department 1 already in the root VDOM before I enabled multi vDOM mode. 

 

2. Is the best way to get internet for both departments (if I move department 1 into another vDOM other than root) to use npu links? 

 

3. If I use npu links can I still setup traditional link monitors and use those to determine internet egress? 

 

I have a requirement that I use 2 different ssl landing pages (each backed by a different fqdn and certificate with no common domain) which is what drove the decision to use vDOM s. 

 

7 REPLIES 7
gfleming
Staff
Staff

You're definitely on the right track. You can use the root VDOM for whatever you want. But it probably makes sense to create separate VDOMs for each department named appropriately and keep the root VDOM for management purposes and/or internet access. 

 

Definitely use the inter-VDOM links for sending traffic to/from the tenant VDOM and the internet access VDOM.

 

Yes you can monitor the inter-VDOM links to determine bandwidth usage. Alternatively, if you have multiple public IPs you could have dedicated WAN links inside each VDOM. Lots of flexibility.

 

I would advise you to read through this doc: https://docs.fortinet.com/document/fortigate/7.2.1/administration-guide/597696/vdom-overview

Cheers,
Graham
mumbles202
New Contributor II

Thanks for this. I was able to move most of the configuration I needed to under the 2 VDOMs and created npu vlan interfaces for routing in the root VDOM. I set a default route in each of the VDOMs (I imagine I also need to create the reverse root in the root VDOM?) I will reread the document to see if I can figure out the port forwards to servers that live in a vDOM. 

 

For the policies from a vDOM to the root I was unclear on which to/from zones to pick but I will see if the document clears that up. I wasn't able to ping from the npu link in VDOM 1 to the npu link in the same vlan and subnet in the root VDOM, but not sure if that's just because none of the interfaces in that VDOM are up. 

jintrah_FTNT

Hi,

 

Reverse routes are needed so that root vdom can route the traffic back to source. For pinging between the intervdom interfaces, check that ping is enabled on the interfaces and that trusted hosts if configured contain the npu link subnet.

 

Best regards,

Jin

Vichu_94
Staff
Staff

Hi Mumbles202

For traffic to traverse from one vdom to another, we would need to configure a Vdom link between the vdom. Please follow the below link to configure that

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-route-traffic-from-one-VDOM-to-anot...

Regards

Vishal P
mumbles202
New Contributor II

Thanks for this. Should I use inter VDOM links for traffic to/from root or the npu links with vlan interfaces? Is there documentation with respect to differences and which to use in which situation? 

gfleming
mumbles202
New Contributor II

I'll keep working on this to see if I can figure out how to get it going. 

Top Kudoed Authors