LAB VDOM Configuration in Fortigate


Posted on Jan 13, 2020


Two companies, DC-1 and DC-2, share the same FortiGate but use different Internet service providers (ISPs). To provide both corporate and Internet connectivity, each company gets its own VDOM (called VDOM DC-1 and VDOM DC-2), and each VDOM is managed independently. The root VDOM is used to manage the FortiGate's global settings.

Topology :

Task :

Configure the Fortigate as per topology given below.

Solution :

Step 1: Switching to VDOM mode and creating two VDOMs

Go to the Dashboard and locate the System Information widget. Find Virtual Domain and select Enable. You will be required to log in again after enabling virtual domains.

Certain FortiGate models do not show the above option in the System Information widget. On those models, enter the following commands in the CLI Console instead:

config system global
    set vdom-admin enable
end

Enter y when you are asked whether you want to continue. After logging in again, make sure that Global is selected from the dropdown menu in the top-left corner. This allows you to make changes to the global configuration.

Step 2: Create the VDOMs for both customers.

Go to System > VDOM and create two VDOMs: VDOM DC-1 and VDOM DC-2. In this example, the Inspection Mode is set to Proxy for VDOM DC-2. This allows that VDOM to use both proxy-based and flow-based security scanning. The Inspection Mode for VDOM DC-1 is set to Flow-based, so only flow-based security scanning is available there.

Step 3: Configuring the root VDOM for FortiGate management

Go to Network > Interfaces. By default, all interfaces are in the root VDOM. Edit the interface you wish to use to manage the FortiGate (in the example, mgmt) and set Administrative Access to HTTPS, PING, and SSH. Leave administrative access off the interfaces that will later be handed to the customer VDOMs, so the FortiGate is only managed through the root VDOM.

Step 4: Adding interfaces to VDOM DC-1 and VDOM DC-2

Two interfaces will be added to VDOM DC-1: one for Internet access and one for use by the local network. Go to Network > Interfaces and edit the interface that VDOM DC-1 will use for Internet access; set Virtual Domain to VDOM DC-1 and Role to WAN. Do the same for the LAN interface, with Role set to LAN, as shown in the diagram.

Multiple interfaces will be added to VDOM DC-2: one for Internet access and two additional interfaces for use by the internal network. These two interfaces will be combined into a hardware switch interface called LAN-DC2, which the FortiGate treats as a single interface. This example also adds a DHCP server to LAN-DC2 to provide IP addresses for VDOM DC-2's internal network.

Refer to the diagrams below:

Step 5: Configure routing and policies for VDOM DC-1 and VDOM DC-2.

Configure routing for both VDOM DC-1 and VDOM DC-2 using the ISP IP addresses shown in the figure below. Switch to VDOM DC-1's configuration using the dropdown menu and go to Network > Static Routes to add a default route pointing at its ISP gateway; then do the same for VDOM DC-2 with its own ISP gateway.

Still in VDOM DC-1, go to Policy & Objects > IPv4 Policies and create a new policy that allows Internet access from the LAN interface to the WAN interface, with NAT enabled.

Switch to VDOM DC-2, go to Policy & Objects > IPv4 Policies and create the equivalent policy from LAN-DC2 to its WAN interface, again with NAT enabled.
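The whole procedure (Steps 1 to 5) as one CLI configuration, added here as an example and not taken from the original post. Because the topology figure is not reproduced on the page, the interface names (port1 to port5 plus mgmt), the IP addresses (RFC 5737 documentation ranges), the physical-switch name sw0 and the dc1-admin account are all constructed assumptions; the per-VDOM inspection-mode setting follows FortiOS 6.0-era syntax and the hardware-switch section depends on the model. Adjust the values to the lab diagram before use.

```fortios
# Added example (not the post's own config). Interface names, IP addresses,
# sw0 and dc1-admin are constructed assumptions for a missing topology figure.

# Step 1: enable multi-VDOM mode (answer y; re-login is required afterwards)
config system global
    set vdom-admin enable
end

# Step 2: create the two customer VDOMs (root already exists)
config vdom
    edit "DC-1"
    next
    edit "DC-2"
    next
end

config global
    config system interface
        # Step 3: management stays in root; admin access only on mgmt
        edit "mgmt"
            set vdom "root"
            set ip 10.0.0.1 255.255.255.0
            set allowaccess https ping ssh
        next
        # Step 4: DC-1 WAN and LAN; no admin access on customer-facing ports
        edit "port1"
            set vdom "DC-1"
            set role wan
            set ip 203.0.113.2 255.255.255.248
            set allowaccess ping
        next
        edit "port2"
            set vdom "DC-1"
            set role lan
            set ip 192.168.10.1 255.255.255.0
            set allowaccess ping
        next
        # DC-2 WAN; port4/port5 become the hardware switch LAN-DC2 below
        edit "port3"
            set vdom "DC-2"
            set role wan
            set ip 198.51.100.2 255.255.255.248
            set allowaccess ping
        next
    end
    # Hardware switch LAN-DC2 (model-dependent; sw0 is an assumed switch name)
    config system virtual-switch
        edit "LAN-DC2"
            set physical-switch "sw0"
            config port
                edit "port4"
                next
                edit "port5"
                next
            end
        next
    end
    config system interface
        edit "LAN-DC2"
            set vdom "DC-2"
            set role lan
            set ip 192.168.20.1 255.255.255.0
            set allowaccess ping
        next
    end
    # Independent management: an admin scoped to DC-1 only (placeholder password)
    config system admin
        edit "dc1-admin"
            set vdom "DC-1"
            set accprofile "prof_admin"
            set password CHANGE-ME-PLACEHOLDER
        next
    end
end

config vdom
    edit "DC-1"
        # Step 5: default route to ISP-1, then LAN-to-WAN policy with NAT
        config router static
            edit 1
                set gateway 203.0.113.1
                set device "port1"
            next
        end
        config firewall policy
            edit 1
                set name "DC1-Internet"
                set srcintf "port2"
                set dstintf "port1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set logtraffic all
            next
        end
    next
    edit "DC-2"
        config system settings
            set inspection-mode proxy
        end
        # DHCP for the LAN-DC2 hardware switch
        config system dhcp server
            edit 1
                set interface "LAN-DC2"
                set default-gateway 192.168.20.1
                set netmask 255.255.255.0
                set dns-service default
                config ip-range
                    edit 1
                        set start-ip 192.168.20.100
                        set end-ip 192.168.20.200
                    next
                end
            next
        end
        config router static
            edit 1
                set gateway 198.51.100.1
                set device "port3"
            next
        end
        config firewall policy
            edit 1
                set name "DC2-Internet"
                set srcintf "LAN-DC2"
                set dstintf "port3"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
                set logtraffic all
            next
        end
    next
end
```

Two points worth checking once the configuration is in place: the WAN and LAN interfaces of both customer VDOMs carry only ping in allowaccess, so the FortiGate can be administered solely through mgmt in the root VDOM, and the dc1-admin account can log in to and change VDOM DC-1 but cannot see DC-2 or the global settings. An equivalent account for DC-2 is created the same way with set vdom "DC-2". Logging is enabled on both Internet policies (set logtraffic all) so that each company's traffic can be reviewed separately.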
