How to create Virtual Domains or VDOMs on Fortigate Firewall

Captions
In this video we will learn how to create virtual domains, or VDOMs, on a FortiGate firewall. Virtual domains allow you to split your FortiGate into multiple isolated firewalls. It is similar in concept to a VRF on a router, which splits your router into multiple virtual routers, where each virtual router or VRF has a totally different route table and access lists. In the same fashion, VDOMs will allow you to assign different interfaces in your firewall to different domains and create different route tables and firewall policies to use on each domain, as if you had bought multiple physical devices. Virtual domains will help us maximize and utilize our firewall resources to serve multiple needs on the same physical or virtual device. Most physical firewall models allow you to split the firewall into up to 10 different instances with no additional charge. Although this feature was absent from cloud firewalls for a long while, it is now supported only for bring-your-own-license models, so we will not be able to use this feature on an on-demand instance on AWS.

Let's switch the view to our on-premises firewall. First we need to enable the virtual domain feature. This can be done using the CLI: we enter the command config system global to edit this global device setting, then we enter the command set vdom-mode and switch our option to multi-vdom, and then we hit end to save our config. This will kick us out of our management session, as it will update the GUI and CLI of the device. Once we log in again to the firewall we will get a new drop-down menu on the left sidebar, with a choice between Global and root.

Let's start with Global. Global refers to the global settings that are not VDOM specific, so we will lose most of our options in the Global view, like firewall policies, address objects, VPNs or the route table, as all of these are VDOM specific. Under Interfaces we will see a VDOM association with every interface in our list; currently all ports are associated with our first root domain, which is our default VDOM, or the device as a whole before we slice it. Inside our root domain we will get another Interfaces page that shows only the interfaces associated with that particular domain. We will also see that our old firewall policy, which used to be located in the main screen, has now been moved under the root VDOM. The same applies to our VPN; it moved in here as well.

Now, in order for us to create additional VDOMs besides root, we will need to switch to the Global view and go under System > VDOM. We will see our current VDOMs and stats for CPU usage and RAM usage for every instance. We are still limited by the total resources of the firewall and how much traffic bandwidth it can handle. So we can go ahead and create our new VDOM; we can call our new VDOM "internet", to be set as an internet edge. Now we see our second VDOM in the list, and it has completely isolated CPU and RAM usage, its session table is empty, no interfaces are assigned to it initially, and no policies exist, so we are working on a completely isolated empty device as of this moment. Under Routing Monitor we no longer have our VPN route as before, because we are dealing with another route table now.

To be able to use this VDOM, we need to dedicate some of our firewall interfaces to serve that domain only, as all our interfaces right now are assigned to the root VDOM. We can choose the DMZ port, for example, and all we need is to edit the interface configuration; from the Virtual Domain assignment menu we will change it from root to our new VDOM "internet". This step will not work if we have any dependencies for that particular interface in the root VDOM. For example, if you have a firewall policy in the root VDOM that has port DMZ mentioned, you will not be able to change its VDOM; you need to delete the policy first, or the route, or whatever dependency it has, to be able to proceed. We can also give the interface a new IP address, 172.16.0.1/22, and we may also give this interface HTTP access permission; then we can save our config.

Now our global Interfaces page shows us the various interface associations for the root and internet VDOMs, but under the internet VDOM, inside our Interfaces page, we only get to see the DMZ port, as this is the only interface associated with the internet VDOM. We can also create our first firewall policy; we only see DMZ in the interfaces list for the internet VDOM's firewall policy. Now let's also try to add a static route. We will see the limitation in the Device menu, as we only see DMZ and Blackhole, so we can create any routes we need for this VDOM only. If we switch back to our root VDOM, we now have our original route table with the VPN route.

If you are done using a specific domain and want to completely remove it, you also have to clear any dependencies first before you will be able to delete it. As of now we see that the Delete button is not activated, so we know that we have dependencies that we need to remove. Let's open the reference list to verify what is associated with this VDOM that needs to be removed, and we see references to our DMZ interface and another interface named SSL, which is a system interface that will be deleted automatically, so we don't have to worry about the SSL interface. What we need to do first is to delete the firewall policy to clear the dependency on the DMZ port; then we will be able to change the DMZ interface's VDOM from internet to root, and now we will be able to delete our VDOM as it has no dependencies.

Now let's check the impact on the CLI commands after we enable the virtual domains feature. If we try the command config system global that we used to enable the virtual domains feature, it no longer works; the same goes for config system interface, where we can modify our interfaces. The reason is that all these commands have been moved to our Global view, similar to the GUI. So when the VDOM feature is enabled you always have to remember to enter the command config global first, then enter any global setting that you need to modify. Similarly, if we want to make firewall policy changes or routing changes, you have to enter the VDOM configuration first, specify which instance or which VDOM you want to edit, and then under that specific VDOM you chose you can edit the routes, policies, VPN or anything else that is VDOM specific.

Now, to switch between VDOMs via the CLI, we can just use the command end or next to go one level up, and when it says (vdom) between brackets that means we are able to edit, create or delete a VDOM. To create a new VDOM, all we need to do is type edit and write the new VDOM name, and this will create it if it doesn't exist. From inside the VDOM we can change system interface, assigning the DMZ port for example to our new VDOM, and if we refresh our GUI we will see our new VDOM and DMZ port association. To reverse this process we edit our DMZ port again and reassign it to the root VDOM, given that it has no dependency on the new VDOM now, and then to delete the VDOM from the CLI we can write next, go back to config vdom, and simply write the command delete and then the VDOM name. You have to be double extra careful with this step, as if you specify the wrong VDOM name and delete it, you cannot undo this deletion.

Finally, if you no longer need to virtualize your device and would like to turn off the VDOM feature, which is a global setting, we need to go first into the Global view using the command config global, and then under config system global we can enter the command set vdom-mode no-vdom. This will kick us out of our management session again, and if we re-login we will get the consolidated view again, with policies, routes, VPNs all in one page and one instance. And that's how you configure virtual domains, or VDOMs, on a FortiGate firewall. Thank you for watching.
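The whole CLI sequence the video walks through (enable multi-VDOM mode, create the VDOM, move the DMZ port into it, add VDOM-local route and policy, tear everything down in dependency order, and switch back to no-vdom), written out here as an added example; it is not a script from the video or from Fortinet. It assumes the VDOM name "internet", the port name "dmz" and the address 172.16.0.1/22 used in the video, and the destination subnet, gateway and policy name are constructed placeholders. The video grants HTTP administrative access on the interface; the example grants HTTPS instead so that management traffic is not cleartext.

```fortios
# Added example, not from the video. Names "internet", "dmz" and the
# address 172.16.0.1/22 follow the video; subnet, gateway and policy
# name below are constructed placeholders.

# 1. Enable multi-VDOM mode. This is a global setting and, as the video
#    shows, it ends the current management session.
config system global
    set vdom-mode multi-vdom
end

# 2. After logging back in, create the VDOM. "edit <name>" creates it
#    if it does not already exist.
config vdom
    edit "internet"
    next
end

# 3. Interfaces are global objects, so they are edited under
#    "config global". Moving "dmz" fails while a policy or route in
#    root still references it, exactly as the GUI refuses.
config global
    config system interface
        edit "dmz"
            set vdom "internet"
            set ip 172.16.0.1 255.255.252.0
            set allowaccess https ping
        next
    end
end

# 4. Routes and policies are VDOM specific, so they live under
#    "config vdom / edit <name>". Only "dmz" is available here.
config vdom
    edit "internet"
        config router static
            edit 1
                set dst 172.16.4.0 255.255.252.0
                set gateway 172.16.0.254
                set device "dmz"
            next
        end
        config firewall policy
            edit 1
                set name "placeholder-dmz-policy"
                set srcintf "dmz"
                set dstintf "dmz"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end

# 5. Tear-down in dependency order: the policy referencing "dmz" first,
#    then the interface back to root, then the VDOM. The SSL system
#    interface is removed automatically. "delete" cannot be undone.
config vdom
    edit "internet"
        config firewall policy
            delete 1
        end
    next
end
config global
    config system interface
        edit "dmz"
            set vdom "root"
        next
    end
end
config vdom
    delete "internet"
end

# 6. Return to one consolidated instance (ends the session again).
config global
    config system global
        set vdom-mode no-vdom
    end
end
```

A "config global" block and a "config vdom" block cannot be nested inside each other, which is why the tear-down alternates between them and why each block is closed with end before the next one is opened.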
Info
Channel: ElastiCourse
Views: 7,043
Keywords: fortigate, fortinet, firewall, vdom, virtualization, virtual, domain, isolated, network, security
Id: 7MeQ6psY4F8
Length: 11min 8sec (668 seconds)
Published: Mon Apr 27 2020