Using VDOMs to host two FortiOS instances on a single FortiGate unit V.5.0.5

Virtual Domains (VDOMs) can be used to divide a single FortiGate unit into two or more virtual instances of FortiOS that function as independent FortiGate units. This example simulates an ISP that provides Company A and Company B with distinct Internet services. Each company has its own VDOM, IP address, and internal network.

1. Switching to VDOM mode and creating two VDOMs

Go to System > Dashboard > Status. In the System Information widget, find Virtual Domain and select Enable.

You will be required to re-login after enabling Virtual Domain because the GUI menu options change.

Go to Global > VDOM > VDOM. Create two VDOMs: VDOM-A and VDOM-B. Leave both VDOMs as Enabled, with Operation Mode set to NAT.

2. Assigning interfaces to each VDOM

Go to Global > Network > Interfaces. Edit port1 and add it to VDOM-A. Set Addressing Mode to Manual and assign an IP/Network Mask to the interface (in the example, 172.20.120.10/255.255.255.0).

Edit port2 and add it to VDOM-A. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.10.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.

Edit port3 and add it to VDOM-B. Set Addressing Mode to Manual and assign an IP/Network Mask to the interface (in the example, 172.20.120.20/255.255.255.0).

Edit port4 and add it to VDOM-B. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.20.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.

3. Creating administrators for each VDOM

Go to Global > Admin > Administrators. Create an administrator for VDOM-A, called a-admin. Set Type to Regular, set a password, and set Admin Profile to prof_admin.

Create an administrator for VDOM-B, called b-admin. Set Type to Regular, set a password, and set Admin Profile to prof_admin.

Make sure to remove the root VDOM from both administrator accounts, so that each administrator can manage only their own VDOM.

4. Creating a basic configuration for VDOM-A

Go to Virtual Domains and select VDOM-A. Go to Router > Static > Static Routes. Add a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to port1, and set Gateway to the IP of the gateway router (in the example, 172.20.120.2).

Connect a PC to port2. Using HTTPS protocol, browse to the IP set for port2 and log into VDOM-A using the a-admin account (in the example, https://192.168.10.1).

Go to Policy > Policy > Policy.

Create a policy to allow Internet access. Set Incoming Interface to port2 and Outgoing Interface to port1. Select Enable NAT.

5. Creating a basic configuration for VDOM-B

If you have logged out of the FortiGate unit, log back in.

Go to Virtual Domains and select VDOM-B. Go to Router > Static > Static Routes. Add a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to port3, and set Gateway to the IP of the gateway router (in the example, 172.20.120.2).

Connect a PC to port4. Using HTTPS protocol, browse to the IP set for port4 and log into VDOM-B using the b-admin account (in the example, https://192.168.20.1).

Go to Policy > Policy > Policy.

Create a policy to allow Internet access. Set Incoming Interface to port4 and Outgoing Interface to port3. Select Enable NAT.

6. Connecting the gateway router

Connect port1 and port3 of the FortiGate unit to the gateway router to allow Internet traffic to flow.
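The steps above leave a lot of room for a slip that quietly breaks the isolation between the two companies: an administrator that still carries the root VDOM, a policy that joins interfaces of different VDOMs, or a LAN port with a cleartext management protocol enabled. The script below is an added example (not Fortinet code and not part of the original recipe) that models the recipe's interface, administrator and policy plan as plain Python data and checks it before anything is typed into the GUI. The values are the ones used in the recipe; the checks themselves (no management access on the WAN-facing ports, no HTTP or Telnet on the LAN ports, one WAN and one LAN port per VDOM) are this example's assumptions about what a sound two-VDOM plan looks like, not rules stated by the recipe.

```python
"""Sanity-check a two-VDOM plan like the one in this recipe before configuring it.

Constructed example, not FortiOS code: the plan is a plain dict mirroring the
GUI steps, and check_plan() reports anything that would undermine the
independence of the two VDOMs.
"""
import copy
import ipaddress

# Interface, administrator and policy values as used in the recipe.
RECIPE_PLAN = {
    "vdoms": ["VDOM-A", "VDOM-B"],
    "interfaces": {
        "port1": {"vdom": "VDOM-A", "role": "wan", "ip": "172.20.120.10/24", "allowaccess": set()},
        "port2": {"vdom": "VDOM-A", "role": "lan", "ip": "192.168.10.1/24", "allowaccess": {"https", "ping", "ssh"}},
        "port3": {"vdom": "VDOM-B", "role": "wan", "ip": "172.20.120.20/24", "allowaccess": set()},
        "port4": {"vdom": "VDOM-B", "role": "lan", "ip": "192.168.20.1/24", "allowaccess": {"https", "ping", "ssh"}},
    },
    "admins": {
        "a-admin": {"vdoms": ["VDOM-A"], "profile": "prof_admin"},
        "b-admin": {"vdoms": ["VDOM-B"], "profile": "prof_admin"},
    },
    "policies": [
        {"vdom": "VDOM-A", "srcintf": "port2", "dstintf": "port1", "nat": True},
        {"vdom": "VDOM-B", "srcintf": "port4", "dstintf": "port3", "nat": True},
    ],
}

# Assumption of this example: these protocols should never be offered on a LAN port.
CLEARTEXT_MGMT = {"http", "telnet"}


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vdoms = set(plan["vdoms"])
    ifaces = plan["interfaces"]

    # 1. Every interface belongs to one of the customer VDOMs, not root.
    for name, cfg in ifaces.items():
        if cfg["vdom"] not in vdoms:
            findings.append(f"{name}: assigned to {cfg['vdom']!r}, not a customer VDOM")

    # 2. Each VDOM has exactly one WAN and one LAN port.
    for vdom in sorted(vdoms):
        roles = [cfg["role"] for cfg in ifaces.values() if cfg["vdom"] == vdom]
        for role in ("wan", "lan"):
            if roles.count(role) != 1:
                findings.append(f"{vdom}: expected one {role} interface, found {roles.count(role)}")

    # 3. LAN subnets must not overlap across VDOMs (independent internal networks).
    lans = [(n, ipaddress.ip_interface(c["ip"]).network) for n, c in ifaces.items() if c["role"] == "lan"]
    for i, (n1, net1) in enumerate(lans):
        for n2, net2 in lans[i + 1:]:
            if net1.overlaps(net2):
                findings.append(f"{n1} and {n2}: LAN subnets {net1} and {net2} overlap")

    # 4. Management access: none on WAN ports, no cleartext protocols on LAN ports.
    for name, cfg in ifaces.items():
        if cfg["role"] == "wan" and cfg["allowaccess"]:
            findings.append(f"{name}: administrative access enabled on a WAN port")
        bad = cfg["allowaccess"] & CLEARTEXT_MGMT
        if bad:
            findings.append(f"{name}: cleartext management protocol(s) {sorted(bad)}")

    # 5. Each admin is scoped to exactly one customer VDOM and never to root.
    for name, cfg in plan["admins"].items():
        if "root" in cfg["vdoms"]:
            findings.append(f"{name}: still has the root VDOM assigned")
        if len(cfg["vdoms"]) != 1 or cfg["vdoms"][0] not in vdoms:
            findings.append(f"{name}: must be scoped to exactly one customer VDOM")

    # 6. Policies only join interfaces of their own VDOM, LAN -> WAN with NAT.
    for pol in plan["policies"]:
        src, dst = ifaces.get(pol["srcintf"]), ifaces.get(pol["dstintf"])
        if not src or not dst or src["vdom"] != pol["vdom"] or dst["vdom"] != pol["vdom"]:
            findings.append(f"policy {pol['srcintf']}->{pol['dstintf']}: crosses VDOM {pol['vdom']}")
        elif not (src["role"] == "lan" and dst["role"] == "wan" and pol["nat"]):
            findings.append(f"policy {pol['srcintf']}->{pol['dstintf']}: expected LAN->WAN with NAT")
    return findings


def with_mistake(plan):
    """Copy of the plan with two common slips: b-admin keeps the root VDOM
    and port4 has HTTP enabled (constructed for illustration)."""
    bad = copy.deepcopy(plan)
    bad["admins"]["b-admin"]["vdoms"] = ["root", "VDOM-B"]
    bad["interfaces"]["port4"]["allowaccess"].add("http")
    return bad


if __name__ == "__main__":
    for label, p in (("recipe plan", RECIPE_PLAN), ("flawed plan", with_mistake(RECIPE_PLAN))):
        print(label, "->", check_plan(p) or "OK")
```

Running it prints "OK" for the plan as written in the recipe and three findings for the flawed copy (the cleartext protocol on port4 and, twice, the root VDOM left on b-admin). Extending the dict with a third VDOM or more interfaces needs no change to the checks.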
