FGT2 12 Virtual Domains

DO NOT REPRINT  Virtual Domains
© FORTINET
In this lesson, we will show how to configure virtual domains (VDOMs) and common usage
examples.
© FORTINET
After completing this lesson, you should have these practical skills that you can use to create
VDOMS and VLANs, which are commonly used logical interfaces when working with virtual domains
in a FortiGate. You will also learn to limit the resources allocated to each VDOM and create per-
VDOM administrative accounts. The lesson also covers inter-VDOM connectivity.
Lab exercises can help you to test and reinforce your skills.
© FORTINET
VDOMs are a virtualization within FortiOS, providing virtual firewalls. Interfaces have VDOM
membership, the interface a packet arrives on determines which VDOM will process the traffic.
Interfaces can be physical or logical; IEEE 802.1Q VLANs are a logical interface commonly used with
VDOMS.
VLANs splits your physical LAN into multiple logical LANs. Each VLAN forms a separated broadcast
domain. In a same interface (or collision domain) multiple VLANs can coexist. In this way, a physical
interface is split into two or more logical interfaces. A tag is added to each Ethernet frame to identify
the VLAN that it belongs to.
© FORTINET
This slide shows a Ethernet frame. The frame contains the MAC addresses, the type, the data
payload, and a CRC code to confirm that is not corrupted.
In the case of Ethernet frames with VLAN tagging, according with the 802.11q standard, 4 more
bytes are inserted after the MAC addresses. They contain an ID number that identifies the VLAN.
An OSI Layer 2 device, such as a switch, can add or remove these tags from Ethernet frames. But it
cannot change them.
A Layer 3 device, such as router or a FortiGate, can change the VLAN tag before proceeding to route
the traffic. In this way, they can route traffic between VLANs.
© FORTINET
When operating in NAT/route mode, the FortiGate device operates as a Layer 3 router in its most
basic configuration. In this mode, a VLAN is an interface on the device. VLAN tags may be added
on egress, removed on ingress, or rewritten based on a routing decision.
When operating in Transparent mode, the FortiGate device operates as a Layer 2 bridge in its most
basic configuration. In this mode, a VLAN is an identifier for identifying traffic flows. The VLAN does
not exist on the FortiGate, in FortiOS the broadcast domain which is an accepted as a property of a
VLAN, is defined by the virtual domain, and the broadcast domain can only be modified using
forwarding domains as a sub-division. So to create a VLAN like behavior on FortiOS in transparent
mode, you would need ingress and egress VLAN interfaces using the same VID, and a forwarding
domain within the virtual domain containing those two interface, plus firewall policies to allow traffic.
© FORTINET
(slide contains animation)

In this example of NAT/route mode, a host on VLAN 100 sends a frame to a host on VLAN 300.
Switch A receives the frame on the untagged VLAN 100 interface and adds the VLAN 100 tag on the
tagged trunk link between switch A and the FortiGate, where the VLAN 100 gateway is configured.
(click)
FortiGate receives the frame on the VLAN 100 interface. Then, it routes the traffic from VLAN 100 to
VLAN 300, rewriting the VLAN ID to VLAN 300 in the process.
(click)
Switch B receives the frame on the VLAN trunk interface and removes the VLAN tag when it forwards
the frame to its destination on the untagged VLAN 300 interface.
© FORTINET
In this example, some computers located in separate buildings are part of the same department:
Accounting. They often share files, which results in much traffic.
But notice the other computers in each location. They are not part of Accounting. They are connected
to the same switch only because they are located in the same room, not because they are logically
related. So, they shouldn’t be bombarded with frames from Accounting computers.
To isolate each department, we could use different physically switches in each location to create a
distinct physical LANs. Instead, the network administrator here has decided to use only one switch in
each site and configure network devices to VLAN tag the frames. This causes traffic to be forwarded
only to devices in the same VLAN. To route information between different VLANs, the frame must
reach a Layer 3 router such as FortiGate, which can rewrite the VLAN tag.
© FORTINET
To create a VLAN from the GUI, click on Create New and select VLAN as the Type. You must specify
the VLAN ID and the physical interface where the VLAN will be bound to. Frames that belong to
interfaces of that type are always tagged. On the other hand, frames sent or received by the physical
interface segment are never tagged. They belong to what is called the “native” VLAN.
© FORTINET
So far, we’ve seen network segments subdivided and unified. It was one organization, with a single
set of policies and a few administrators – in effect, a single security domain.
What if you are an MSSP? What if you are a very large company? What if you want to subdivide
policies and administrators into multiple security domains?
In that case, you can enable FortiGate VDOMs, which split your physical FortiGate into multiple
logical devices. Each VDOM has independent security policies and routing tables. Also and by
default, traffic from one VDOM cannot go to a different VDOM.
© FORTINET
Remember, VDOMs are a logical separation only – each VDOM shares physical resources with the
others.
Unlike with FortiGate-VM, VDOMs are not allocated and balanced with weighted vCPU cores, vRAM,
and other virtualized hardware.
To fine-tune performance, you configure resource limits for each feature – IPSec tunnels, address
objects, etc. – at both the global level and at each VDOM level. This controls the ratio of each
VDOM’s system resource usage to the total available resources.
© FORTINET
For example, on this FortiGate, the hardware is powerful enough to handle up to 2000 IPSec VPN
tunnels. The FortiGate is configured with 3 VDOMs.
VDOM 1 and VDOM 2 don’t use IPSec VPN tunnels often, so, they are allowed to have up to 50
tunnels each.
VDOM 3, however, uses VPN extensively. Therefore this FortiGate will be configured to allow VDOM
3 to have up to 1900 tunnels. Additionally, 1000 of those tunnels will be guaranteed.
Configure your FortiGate with global limits for critical features such as sessions, policies, and others.
Then configure each VDOM with its own quotas and minimums, within the global limits.
© FORTINET
Global resource limits are an example of global settings. The firmware on your FortiGate and some
settings, such as system time, apply to the entire appliance – they are not specific to each VDOM.
© FORTINET
Most settings, however, can be configured to be different for each VDOM. Some example are:
firewall policies, firewall objects, static routes, security profiles, etc.
© FORTINET
To enable VDOMs from the GUI, in the System Information widget on the dashboard, in the Virtual
Domain row, click the Enable link.
Alternatively, to enable VDOMs when you are logged into the CLI, enter this command.
This won’t reboot your FortiGate, but it will log you out; enabling VDOMs restructures both the GUI
and CLI, which you will see when you log in again.
© FORTINET
(slide contains animations)
After enabling VDOMs, by default, only one VDOM exists: the “root” VDOM. It’s the default
management VDOM, which we will discuss further soon.
You need to add a VDOM for each of your security domains. If you’re an MSSP, for example, you
might add one VDOM per client company. If you are an enterprise business, you might add one
VDOM for each division of your company.
(click)
After adding the additional VDOMs, you can proceed to specify which interfaces belong to each
VDOM.
© FORTINET
If you log in as most administrator accounts, you will enter your VDOM automatically.
But if you are logged in as the account named “admin,” you aren’t assigned to any VDOM.
To enter a VDOM on the GUI, click the “Virtual Domains” part of the menu. Inside, you will see the
default VDOM, named “root.” Other VDOMs that you configure will also appear under the “Virtual
Domains” menu. To access a VDOM, click it and expand its contents.
Inside each VDOM, the submenu should be familiar: it is essentially the same navigation menu that
you had before you enabled VDOMs, except that the global settings moved out, to the “Global” part of
the menu.
© FORTINET
If you want to grant access to all VDOMs and global settings, select “super_admin” as the access
profile when configuring the administrator account. Similar to the account named “admin,” this
account will be able to configure all VDOMs.
Best practice dictates that you usually should avoid unnecessary security holes, however. Do not
provide “super_admin” access if possible. Instead, restrict each administrator to their relevant
domain. That way, they cannot accidentally or maliciously impact other VDOMs, and any damage or
mistakes will be limited in scope.
© FORTINET
In most cases, you’ll start by creating one administrator account per VDOM. He or she will be chiefly
responsible for that domain, including that VDOM’s configuration backups. In larger organizations,
you may need to make more VDOM administrators. Multiple administrators can be assigned to each
VDOM. You can subdivide their permissions using access profiles in order to follow best practices for
segregation of duties.
The converse is also possible. If required, you can assign an administrator to multiple VDOMs.
© FORTINET
To create new administrator accounts and assign them to a VDOM, go to the “Global” part of the
navigation menu.
© FORTINET
To review, each VDOM behaves as it is on a separate FortiGate appliance. With separate FortiGates,
you would normally connect a network cable and configure routing and policies between them. But
VDOMs are on the same FortiGate. So how should you route traffic between them?
The solution is inter-VDOM links. With inter-VDOM links, you won’t send traffic out through a physical
cable or VLAN, then back into the same FortiGate to reach another VDOM. Inter-VDOM links are a
type of virtual interface.
Note that like with inter-VLAN routing, Layer 3 must be involved – you cannot create an inter-VDOM
link between layer-2 transparent mode VDOMs! At least 1 of the VDOMs must be operating in NAT
mode. This, among other benefits, prevents potential layer-2 loops.
© FORTINET
When creating inter-VDOM links, you’ll need to create the virtual interface. You must also create a
matching firewall policy, just as you would if the traffic were arriving on a network cable. Otherwise,
FortiGate will block it.
Additionally, routes are required to properly route packets between two VDOMs.
© FORTINET
In the menu, creating a network interface is located in the “Global” settings. To create the virtual
interface, click the drop-down menu arrow, then choose “VDOM Link”.
© FORTINET
In the global section of the GUI, there is a VDOM monitor. It displays the CPU and memory usage
per VDOM. It also shows the amount of sessions and sessions created per second.
© FORTINET
Up until now, we’ve discussed traffic passing through FortiGate, from one VLAN or VDOM to another.
What about traffic originating from your FortiGate itself, or destined to it?
Administrator sessions and system daemons, such as NTP and FortiGuard updates, generate this
kind of traffic. When VDOMs are enabled, this means that a special VDOM, known as management
VDOM, must be automatically created so that FortiGate has network interfaces that can continue to
send and receive system-related packets. By default, the VDOM root acts as the management
VDOM, but you can manually re-assign this task to a different VDOM.
Similar to a FortiGate without VDOMs, the administrative VDOM usually should have outgoing
Internet access. Otherwise features such as scheduled FortiGuard updates will fail.
© FORTINET
There are a few ways you can arrange your VDOMs. In this topology, each network accesses the
Internet through its own VDOM.
© FORTINET
Notice that there were no inter-VDOM links in the previous example. So, inter-VDOM traffic is not
possible unless it physically leaves the FortiGate, towards the Internet, and is rerouted back. This is
most suitable for multiple customers sharing a single FortiGate, each in their own VDOM, with
physically separate ISPs or large pipes, for example.
© FORTINET
This is another example.
Like the previous topology, each network sends traffic through its VDOM. But after that, traffic is
routed through the management VDOM – by default, named “root”. So, Internet-bound traffic flows
through a single pipe in the “root” VDOM.
This could be suitable for multiple customers sharing a single FortiGate, each in their own VDOM.
But in this case, the management VDOM could log and monitor traffic and/or provide standard
services like antivirus scanning.
© FORTINET
Note that this topology has inter-VDOM links, but peer VDOMs are only linked with the management
VDOM, not with each other.
Inspection could be done by either the “root” or original VDOM, depending on your requirements.
Alternatively, you could split inspection so that some scans occur while traffic is in the “root” VDOM,
ensuring a common security baseline, while more intensive VDOM-specific scans can optionally
occur in the originating or destination VDOM.
© FORTINET
Here, traffic again flows through a single pipe in the “root” VDOM towards the Internet. Traffic
between VDOMs doesn’t need to leave the FortiGate either.
However, traffic doesn’t need to flow through the management VDOM either. Inter-VDOM links
between VDOMs allow more direct communication.
Like the previous example, inspection could be done by either the “root” or original VDOM, depending
on your requirements.
© FORTINET
Due to the number of inter-VDOM links, this example is the most complex, requiring the most routes
and firewall policies. Troubleshooting meshed VDOMs can also be more time-consuming.
However, meshed VDOMs also provide the most flexibility. For large businesses, inter-VDOM
communication may also be required, and inter-VDOM traffic performance may be better due to a
shorter processing path which bypasses the management VDOM.
© FORTINET
This a review of what we covered: VLANs, VDOMs, Inter-VDOM links and VDOM topologies.

FGT2 12 Virtual Domains

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FGT2 12 Virtual Domains

Uploaded by

Copyright:

Available Formats

DO NOT REPRINT  Virtual Domains

(slide contains animation)

(slide contains animations)

This is another example.

You might also like