Thanks!
You are one of the best Fortinet trainers.
Can you make a video on hardening the configuration of a FortiGate firewall using the CLI?
I'm starting to like how Fortinet manages the firewall.
Thanks Mike. This video is still useful in 2022. One question: what is the relationship or difference between VDOM and ADOM?
ADOM ("administrative domain") is on FortiManager. VDOM ("virtual domain") is on the gate.
Brilliant summary. Thanks for this.
Do I need to keep an interface or port in root vdom (say mgmt vdom) for ntp, dns etc?
You need a port in whatever vdom is configured for managing the device. (Management role assignment, not management interfaces). That’s the interface that the gate will use for fortiguard and other lookups.
So it's multi-context mode for ASA, just for FortiGates... Can you create the VDOM in FortiManager?
Yeah.
@FortinetGuru have you noticed any bugs with FortiManager when importing firewalls that already have configs in them? I noticed in my lab that every time I import an already set up HA pair my policies stop working. I'm using 6.4.4 with a trial license in my lab. I'm also using FortiAnalyzer 6.4.4 (trial) and I can't get my FortiGates to communicate with it even though I can't ping it.
Thank you for your efforts.
My question is about interfaces. I know that the models support over 500 VDOMs, so how can we manage interfaces (if a VDOM needs at least 2 interfaces, one for WAN and one for LAN)? Are they going to be virtual?
When you create multiple VDOMs you allocate interfaces at the global level. Yes, you can allocate them. There isn't any limit on interfaces for a VDOM.
Hi
From FortiClient, how can I access branches with a FortiGate hub-and-spoke VPN network?
So if I understand correctly, we can consider a VDOM a kind of VRF?
I wouldn't say VRF directly. It has some of the same benefits (single device with multiple routing tables), but this is almost like taking a physical device and physically breaking it into multiple smaller ones to provide segmentation between clients, while also giving clients the ability to administer their policies without having access to items that don't belong to them.
Something like Virtual Context in Cisco ASA.
I think that the best comparison for VDOMs is with Virtual Contexts in Cisco ASA :)
My firewall has 20 VDOMs, and I need to check a route (whose L3 gateway is one of those 20 VDOMs) to see which VDOM the route belongs to. Is there any global routing table in root, or how can I find out which VDOM a route belongs to? Thank you in advance for your answer.
The VDOMs are logical separations. As far as everything else is concerned they are separate boxes.
Hi Mike, great video! I actually have a similar question. When I get a request to do a firewall policy, how can I tell which VDOM's route a specific source address belongs to? Thanks.
I have seen lots of engineers create an inter-VDOM link with the root VDOM for customer VDOMs, which is not a recommended way. The best way is to use dot1q tagging and allocate that tagged interface to the customer VDOM.
There are many ways to skin this cat and they are almost all up to the user and their preference. I use VDOM links quite often without issue.
can you use VRFs without multiple VDOMs?
Yes.
Hi Mike, one doubt: in our lab we have 6 different environments, e.g. dev, UAT, staging, etc., but the tricky part is that we need to communicate between these environments; dev middleware or portal VMs need to talk to staging VMs. Will this VDOM concept help us in this scenario? We want complete segregation plus communication between them. Right now we are managing it by assigning various VLANs to each environment.
How do the interfaces fit into the VDOMs? If I understand correctly an interface can be in only one VDOM, right?
port1 and port2 belong to VDOM A; port2 and port3 to VDOM B; similarly WAN1 and port4 to VDOM C, etc. Can you clarify a bit? Thx
An interface can only belong to a single VDOM. So if you have ports 1 and 2 assigned to VDOM A, then those ports are unavailable to any other VDOMs.
It totally depends on your topology; if you want to allocate physical interfaces to the VDOM, you can allocate them. My approach is to create the port group on the firewall and then use trunking and allocate each logical interface to the VDOM.
VDOMs come with a single management VDOM. Make sure all your physical interfaces belong to that management VDOM (the default is root and can be changed). Then create sub-interfaces on those physical interfaces. Those sub-interfaces can be given to any VDOM in the configuration.
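As an added illustration of the allocation scheme described in the replies above (physical port kept in the management VDOM, a dot1q sub-interface handed to a customer VDOM, and the inter-VDOM link alternative discussed earlier in the thread), plus the per-VDOM route check asked about a few comments up, the following FortiOS CLI fragment was constructed for this page. It is not from the video or from any commenter; the VDOM name, port names, VLAN ID and addresses are assumptions, and the syntax follows FortiOS 6.2 and later.

```text
# Constructed example (not from the video). Enable multi-VDOM mode;
# older releases use "set vdom-admin enable" instead.
config system global
    set vdom-mode multi-vdom
end

# Create the customer VDOM (name is assumed).
config vdom
    edit "CustomerA"
    next
end

config global
    config system interface
        # The physical trunk port stays in the management VDOM (root by default).
        edit "port1"
            set vdom "root"
        next
        # dot1q sub-interface on port1, allocated to CustomerA. This is the
        # "tagged interface" approach: port1 itself is never given away,
        # only this VLAN child, so other VDOMs can still get their own VLANs on it.
        edit "custA_vl100"
            set vdom "CustomerA"
            set type vlan
            set interface "port1"
            set vlanid 100
            set ip 10.100.0.1 255.255.255.0
            set allowaccess ping
        next
    end

    # Alternative or addition: an inter-VDOM link. Creating "custA_link"
    # yields two interfaces, custA_link0 and custA_link1, one end per VDOM.
    config system vdom-link
        edit "custA_link"
        next
    end
    config system interface
        edit "custA_link0"
            set vdom "root"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "custA_link1"
            set vdom "CustomerA"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# Routing tables are per VDOM; there is no global table in root. To find
# which VDOM owns a route, enter that VDOM and read its own table.
config vdom
    edit "CustomerA"
        get router info routing-table all
    next
end
```

Because every interface carries exactly one `set vdom`, the CLI itself enforces the one-VDOM-per-interface rule the replies describe: re-assigning `custA_vl100` to another VDOM moves it rather than sharing it. Traffic between root and CustomerA only flows if a firewall policy in each VDOM permits it on the link or VLAN interface, so the segregation holds by default.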
Hi Mike, new subscriber here. Loving the Fortigate content, really helping with a work deployment and my Fortigate knowledge in general. I'm in a situation where I need to replace a pair of Linux Shorewall firewalls with a pair of Fortigate 300Ds in HA; you mentioned in this video about utilizing VDOMs in firewall migration scenarios, which sounds like it could be a huge help in my project, do you know of any documentation or articles that go into more detail around using VDOMs for migrations?
I have a whiteboard session video that describes the logical and physical design of that deployment.
@FortinetGuru Ah, "Replacing Old ASA", didn't spot that, will take a look now. Thank you for responding.
Make sure you configure the one device and then build the HA. Extract as much configuration info as you can from old devices.
@sameerpervaiz3142 I didn't ask about HA, and extracting as much config from the legacy devices is an obvious part of the process.
@FortinetGuru I really would like to see a video of you using VDOMs for the migration. This sounds like an excellent way to do this. Thanks for all your work.
Good info, mate.
God forbid one of those Merakis.... Hysterical, because it is true!
The Merakis are growing on me. As long as you are using Meraki all the way through the stack though.
@FortinetGuru I've managed Merakis for 6 years. Yeah, the GUI is easy to use, but man, am I glad to be moving my company over to FortiGates. Meraki is not a true next-gen firewall IMO. No SSL/TLS decryption, no IPv6 support, no built-in VPN client, the logging is a joke, no VMware virtual appliance, and to top it off, if you stop paying the license they turn into bricks and nothing on the device will function, not even basic routing. It's crazy how much more you have to pay for Meraki and their insanely extensive licensing in comparison to FortiGate too, but you get so, so, so much less.
BUT, if you are using FortiLink, it is a pain in the b*tt, and the VLAN and port config of the FortiSwitch all has to be managed via CLI only, which defeats the purpose of using the Fortinet ecosystem to some degree. If your FortiGate is not using FortiLink, using the firewall's interface is OK.