So I'm working on migrating from a different firewall platform that has essentially 2 isolated departments that share redundant internet. I had a couple of questions that hopefully a more experienced user with VDOMs can assist with.
1. Is it best practice to not use the root VDOM for any traffic that should be only for either of the 2 depts? I had done some initial configuration and have set up what would be department 1 already in the root VDOM before I enabled multi-VDOM mode.
2. Is the best way to get internet for both departments (if I move department 1 into another VDOM other than root) to use NPU links?
3. If I use NPU links, can I still set up traditional link monitors and use those to determine internet egress?
I have a requirement that I use 2 different SSL landing pages (each backed by a different FQDN and certificate with no common domain), which is what drove the decision to use VDOMs.
You're definitely on the right track. You can use the root VDOM for whatever you want. But it probably makes sense to create separate VDOMs for each department named appropriately and keep the root VDOM for management purposes and/or internet access.
Definitely use the inter-VDOM links for sending traffic to/from the tenant VDOM and the internet access VDOM.
Yes, you can monitor the inter-VDOM links to determine bandwidth usage. Alternatively, if you have multiple public IPs, you could have dedicated WAN links inside each VDOM. Lots of flexibility.
Thanks for this. I was able to move most of the configuration I needed to under the 2 VDOMs and created NPU VLAN interfaces for routing in the root VDOM. I set a default route in each of the VDOMs (I imagine I also need to create the reverse route in the root VDOM?). I will reread the document to see if I can figure out the port forwards to servers that live in a VDOM.
For the policies from a VDOM to the root, I was unclear on which to/from zones to pick, but I will see if the document clears that up. I wasn't able to ping from the NPU link in VDOM 1 to the NPU link in the same VLAN and subnet in the root VDOM, but I'm not sure if that's just because none of the interfaces in that VDOM are up.
Reverse routes are needed so that the root VDOM can route the traffic back to the source. For pinging between the inter-VDOM interfaces, check that ping is enabled on the interfaces and that trusted hosts, if configured, contain the NPU link subnet.
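To make the pieces discussed above concrete (vlink ends per VDOM, the VLAN sub-interfaces on them, the tenant default route, the reverse route in root, the policies on each side and `allowaccess ping` on both link ends), here is an added FortiOS CLI example. It is not configuration from anyone in this thread. Everything in it is assumed for illustration: an NP6-style vlink pair named npu0_vlink0/npu0_vlink1, a tenant VDOM "dept1" whose LAN is 10.1.0.0/16 behind "port5", a transit /30 of 10.255.1.0/30 on VLAN 10, and "wan1" as the uplink in root. Substitute your own names and addressing.

```text
# Added example, not from the thread. Names, interfaces, VLAN ID and
# addresses are assumed; replace them with your own.

config vdom
    edit "dept1"
    next
end

config global
    config system interface
        # one end of the NPU vlink pair in root, the other in the tenant VDOM
        edit "npu0_vlink0"
            set vdom "root"
        next
        edit "npu0_vlink1"
            set vdom "dept1"
        next
        # VLAN sub-interfaces on each end carry the /30 transit network;
        # "ping" must be in allowaccess on BOTH ends for a test ping to answer
        edit "root-to-dept1"
            set vdom "root"
            set ip 10.255.1.1 255.255.255.252
            set allowaccess ping
            set interface "npu0_vlink0"
            set vlanid 10
        next
        edit "dept1-to-root"
            set vdom "dept1"
            set ip 10.255.1.2 255.255.255.252
            set allowaccess ping
            set interface "npu0_vlink1"
            set vlanid 10
        next
    end
end

config vdom
    edit "dept1"
        config router static
            # tenant default route points at the root end of the transit link
            edit 1
                set gateway 10.255.1.1
                set device "dept1-to-root"
            next
        end
        config firewall policy
            # LAN -> transit link; no NAT here, root does the source NAT once
            edit 1
                set name "dept1-lan-to-root"
                set srcintf "port5"
                set dstintf "dept1-to-root"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end

config vdom
    edit "root"
        config firewall address
            edit "dept1-net"
                set subnet 10.1.0.0 255.255.0.0
            next
        end
        config router static
            # the reverse route: without it, replies for 10.1.0.0/16 would
            # follow root's default route back out wan1 instead of into dept1
            edit 10
                set dst 10.1.0.0 255.255.0.0
                set gateway 10.255.1.2
                set device "root-to-dept1"
            next
        end
        config firewall policy
            # transit link -> WAN, limited to the department's subnet,
            # source NAT to wan1's address
            edit 10
                set name "dept1-to-internet"
                set srcintf "root-to-dept1"
                set dstintf "wan1"
                set srcaddr "dept1-net"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
    next
end
```

The two policies answer the "which to/from zones" question: in the tenant VDOM the destination interface is its own end of the vlink, and in root the source interface is root's end of the vlink. Check the result from inside each VDOM with `get router info routing-table all` (dept1 should show the default via 10.255.1.1, root the 10.1.0.0/16 route via 10.255.1.2), and watch a test ping with `diagnose sniffer packet root-to-dept1 'icmp'` from the root VDOM. Link monitors are VDOM-scoped and belong in the VDOM that owns the WAN interfaces (root here), so they keep working exactly as they did without vlinks. The usual pattern for the port forwards mentioned above is a `config firewall vip` object in root bound to wan1 with the dept1 server as the mapped IP, plus a policy from wan1 to root-to-dept1 with that VIP as the destination; the reverse route above is what carries the translated traffic into dept1.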