I've been playing around with Split-Task VDOMs, and there are a few peculiarities I was hoping Fortinet could shine some light on.
In Split-Task VDOM mode, there are three config modes, Global (for all VDOMS) and one for traffic (FG-traffic) and one for management (root). The only config mode that provides the ability to configure admin users is Global, however that page in the GUI lacks the ability to assign users to one or more VDOMS, so admin users seem to only be able to configured as global admins. This seems contrary to one of the intended purposes of using multiple VDOMs. Is this because I configured Split-task VDOM and not Multi-VDOM mode? With Multi-VDOM mode do you define users in each VDOM or in the Global config mode and then assign them to one or more VDOMs.
The part that is more of a problem is I no longer have access to configure remote authentication like Radius from the GUI. If I go to the CLI, and the root VDOM I can see my radius servers which I configured prior to configuring split-task VDOM mode, but why is there no config section for Radius visible in the GUI for either the global context or the root VDOM for administrative users? It seems like there should be a Radius section in the Global config context since that is where you define admin users.
I'm running 6.4.9 FortiOS, but I saw the same behavior with FortiOS 6.2.8 as well. I have not tried this with 7.0 or 7.2.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Just a side note, not an answer to your questions, the Split Task mode was discontinued in the FortiOS 7.2, and will no longer be available.
BTW, yes, in multi-VDOM mode you create admin users in the Global context, then assign
them to the specific VDOM.
On a similar note, does anyone know how to recover from this? I'm trying to switch back to a single VDOM and it's REALLY NOT EASY!!!. They should warn you in the manual, "This will jack up your config, you WILL spend hours trying to recover from it, and (sshh.. we aren't telling you how to recover from enabling Split-task VDOM).
I haven't done it myself, as never used Split thing at all, but if I understand the docs correct - you do not recover from it (see below), you just move on: setting management VDOM as administrative, and the traffic as traffic. https://docs.fortinet.com/document/fortigate/6.4.0/cli-reference/1620/system-global search for the vdom-mode.
"When split-task VDOM mode is enabled, all current management configuration is assigned to the root VDOM, and all non-management settings, such as firewall policies and security profiles, are deleted."
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.