Security Fabric


Add a multi VDOM FortiGate to my security

  • 1.  Add a multi VDOM FortiGate to my security

    Posted 10 days ago
    Hello All,

    I want to know if it is possible to add a FortiGate with multi VDOM into my Security Fabric.
    I thought it was possible to do it with FortiOS 6.4, but I still can't do it.


  • 2.  RE: Add a multi VDOM FortiGate to my security

    Posted 10 days ago
    Use split-VDOM in v6.4:

    config system global
    (global) # set vdom-mode
    no-vdom Disable split/multiple VDOMs mode.
    split-vdom Enable split VDOMs mode.
    multi-vdom Enable multiple VDOMs mode.

    ------------------------------
    Faridul
    ------------------------------



  • 3.  RE: Add a multi VDOM FortiGate to my security

    Posted 9 days ago
    Can someone explain what the use case for split VDOM is? If I have a limit of one VDOM for traffic, isn't it easier just to run standalone mode?


  • 4.  RE: Add a multi VDOM FortiGate to my security

    Posted 9 days ago
    Multi-VDOM is primarily for service providers, MSSPs, or certain enterprises that want true separation of traffic. It is a rough equivalent of VRF (virtual routing and forwarding) in the Forti world. It provides a virtual route table per VDOM, per-VDOM firewall policies / objects / etc.

    You connect VDOM virtual interfaces to the rest of your network by way of VLAN tagging across a trunk, as well as create IPsec aggregation interfaces bound to a specific VDOM. E.g. a single firewall can be the VPN aggregation for 10 customers, each having their own unique IPsec target, and each one having their traffic flow only into a given VDOM, providing traffic segmentation at L2 and L3 within the firewall.

    It's a feature most good firewalls / routers / switches provide; the underlying technology is essentially VRF / VRF lite, a technology often coupled with MPLS to provide L3VPN separation of traffic for service providers.
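
A minimal sketch of the per-VDOM separation described in the post above, added here as an example and not part of the original thread: two customer VDOMs, each with its own VLAN subinterface on a shared trunk port and its own default route. The VDOM names, `port2`, VLAN IDs and addresses are constructed placeholders, and the IPsec side is left out.

```fortios
# Constructed example: every name, VLAN ID and address is a placeholder.
config system global
    set vdom-mode multi-vdom
end

# Create one VDOM per customer.
config vdom
    edit cust-a
    next
    edit cust-b
    next
end

# VLAN subinterfaces share the physical trunk (port2) but each is
# assigned to a different VDOM, so tagged traffic lands in one VDOM only.
config global
    config system interface
        edit "cust-a-v101"
            set vdom "cust-a"
            set interface "port2"
            set vlanid 101
            set ip 10.101.0.1 255.255.255.0
        next
        edit "cust-b-v102"
            set vdom "cust-b"
            set interface "port2"
            set vlanid 102
            set ip 10.102.0.1 255.255.255.0
        next
    end
end

# Each VDOM keeps its own route table; this route exists only in cust-a.
config vdom
    edit cust-a
        config router static
            edit 1
                set gateway 10.101.0.254
                set device "cust-a-v101"
            next
        end
end
```

The `cust-b` VDOM would get its own static route and firewall policies in the same way; nothing configured inside `cust-a` is visible from it.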



  • 5.  RE: Add a multi VDOM FortiGate to my security

    Posted 9 days ago
    Multi VDOM is clear, I asked about split VDOM. For me it makes sense only when you own the hardware and you rent/sell VDOM as a service. Of course both parties accept there is no way to add another VDOM in the setup...but I'm still not convinced.


  • 6.  RE: Add a multi VDOM FortiGate to my security

    Posted 8 days ago
    Ah yes, I saw Multi in OP's subject, didn't see your question immediately.

    Split-vdom is a specialized mode to just separate mgmt traffic into a VDOM for OOB access, and a forward traffic VDOM for traffic mgmt.
    I would probably use multi-vdom in any case, but this is meant to be a simple 2 VDOM configuration to separate mgmt of the firewall from traffic forwarding mgmt.

    It's essentially an RBAC role applied depending on which VDOM you are in. The second link below shows you what you can configure while in the root VDOM (mgmt) vs the traffic VDOM.

    https://docs.fortinet.com/document/fortigate/6.2.0/new-features/963030/split-task-vdom-mode
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/758820/split-task-vdom-mode

    Use case is limited, because you could do the same with RBAC in multi-vdom mode w/o the vdom limitation of just 2 vdoms.


  • 7.  RE: Add a multi VDOM FortiGate to my security

    Posted 8 days ago
    Thanks for your answer. That's what I was looking for - confirmation that the use case is quite low compared to multiVDOM.


  • 8.  RE: Add a multi VDOM FortiGate to my security

    Posted 8 days ago
    I'll second this request.  I understand VDOMs and of course multiple VDOMs but I've not heard of split VDOMs, so would love to understand their function and a use case where it would be used.


  • 9.  RE: Add a multi VDOM FortiGate to my security

    Posted 7 days ago
    Hello All and thank you for your contribution.
    By reading the comments and related articles I realize that the Security Fabric still does not support devices on which multi-vdom is implemented (more than 2 VDOMs).
    I continue to wait until a release allows it.