FortiGate: Why Series? Virtual Domains (VDOMs)

  • Published: 5 Nov 2023
  • In this video, I explain what a Virtual Domain is and, more importantly, provide some practical use cases for how they are used in the real world, sharing my own experience of how they have been used over the past 15+ years.
    The purpose of the WHY? series is to answer common questions and explain why you need to use a certain technology. It's not designed to be highly technical. Other videos will follow to show how to configure the topic.
    // Timestamps //
    00:00 - Video Introduction / Why Series!
    01:00 - VDOMS by default (Normal Topology)
    02:09 - VDOM Explained
    03:01 - Topology Example 1 (Splitting the Firewall In Half)
    04:36 - Topology Example 2 (WAN VDOM & Customer VDOM's)
    05:23 - Topology Example 3 (WAN VDOM, Enterprise VDOM & OT VDOM)
    06:34 - Topology Example 4 (ISP/MSSP Firewall As a Service Platform)
    07:42 - Video Wrap Up & Model VDOM Support
    // Chris SOCIAL //
    / chris-eddisford-5b676462
    // Keywords //
    Fortinet
    Fortinet Training
    Fortinet Virtual Domains (VDOMs)
    Fortinet NSE
    FortiGate
    FortiGate How To?
    Fortinet NSE4
    Fortinet FCP
    // HashTags //
    #cybersecurity
    #networking
    #fortinet

Comments • 20

  • @reynoldsandrew4
    @reynoldsandrew4 8 months ago

    Good video mate

  • @greysmatterhtb605
    @greysmatterhtb605 7 months ago

    Appreciate you putting the time in for this content. Just a suggestion, but one area you might like to cover is log/reporting. I find the Fortinet can be confusing looking for particular traffic and knowing what logs (UTM/all) to have on or off. And using this data to troubleshoot issues. Again ... well done

    • @FortiBytes
      @FortiBytes 7 months ago

      Great suggestion! I'll add that to the list!

  • @kevindylla1528
    @kevindylla1528 8 months ago

    Awesome thanks :) - Good video

    • @FortiBytes
      @FortiBytes 8 months ago +1

      Glad you liked it! What else would you like to see?

    • @kevindylla1528
      @kevindylla1528 8 months ago

      @@FortiBytes I really like the NAC one - people (me included) get confused about when to use FortiAuthenticator and when to sell FortiNAC (pros and cons); the main use case is LAN/WLAN 802.1X and the handling of guests. FortiSwitches are looking good, but most customers have hardware already there they'd like to leverage. Side note: Does it make sense to you (recent CVEs etc.) that you'd separate the SSL VPN interface on its own VDOM? - Heard something about that on Reddit

    • @FortiBytes
      @FortiBytes 8 months ago

      I’ll have a NAC-F (FortiOS) version video soon; I’m just waiting on some new switches to make it more vendor neutral. In terms of SSL VPN on a separate VDOM, that’s not something I have seen in production, but it does sound interesting. I have seen virtual IPs being used to point towards a loopback interface for SSL VPN; that way more granular firewall policies can be applied, and ZTNA tags. I think consultants and customers are trying to find ways of limiting making gates publicly accessible; basically it’s impossible to achieve when you have remote VPN users, but the above method certainly helps! + it’s another FortiClient/EMS sale!

  • @80211WiGuy
    @80211WiGuy 7 months ago

    In the Blue VDOM example, is each customer getting assigned a different WAN IP per ISP? Is the business model where a provider orders large links from several ISPs and sells FW as a service to multiple customers via separate links? Sorry, I come from a more legacy background and I'm having trouble wrapping my head around why SPs are doing this.

    • @FortiBytes
      @FortiBytes 7 months ago +1

      Yes, in most cases each customer would be assigned an IP or IP block, and then on the FortiGate an "IP Pool" is assigned to ensure each customer NATs out of a specific IP range (so they are identifiable).
      The business model can be exactly as you described; it's purely due to scale. Instead of having thousands of smaller FortiGates, why not have a "couple" of larger ones and just split the devices out like pieces of cake? Licensing costs are also per box. It's also quite common for the customer to have no "on-prem" firewall at all; they are often linked up to the larger devices via routing (VPLS/MPLS).
      Another + is that because each "customer" has their own VDOM, moving them around the shared platform to potentially other FortiGate devices is relatively straightforward.

  • @FrankFiene
    @FrankFiene 8 months ago

    Do you recommend to use for example three VDOMS for Internet, DMZ and Internal network with Inter-VLAN-Routing? So based on network side?

    • @FortiBytes
      @FortiBytes 8 months ago

      Yes, I think that is a good topology. Keeps everything properly segmented from a routing and administration perspective. Just make sure you read up on inter-VDOM routing on a per-model basis; if I remember correctly, it’s not always hardware accelerated.

    • @FrankFiene
      @FrankFiene 8 months ago

      @@FortiBytes Oh that would be on a 3000f, I guess it will be hardware accelerated.

    • @FortiBytes
      @FortiBytes 8 months ago

      Lovely devices - docs.fortinet.com/document/fortigate/7.4.1/hardware-acceleration/851990/configuring-inter-vdom-link-acceleration-with-np6-processors
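As an added example (not from the video or the comments above), a FortiOS CLI fragment for the WAN VDOM / customer VDOM split discussed in the two threads above: an inter-VDOM link between a "wan" VDOM and a "custA" VDOM, plus a per-customer IP pool so custA's outbound traffic NATs from one identifiable address. The VDOM names, the custA-link interface names, the 10.255.0.0/30 link addressing and the 203.0.113.10 pool address are assumptions; port2 is assumed to be already assigned to custA.

```text
config system global
    set vdom-mode multi-vdom
end
config vdom
    edit "wan"
    next
    edit "custA"
    next
end
# Inter-VDOM link: creates the paired interfaces custA-link0 and custA-link1
config system vdom-link
    edit "custA-link"
    next
end
config system interface
    edit "custA-link0"
        set vdom "wan"
        set ip 10.255.0.1 255.255.255.252
    next
    edit "custA-link1"
        set vdom "custA"
        set ip 10.255.0.2 255.255.255.252
    next
end
# Customer VDOM: its own IP pool (assumed address) so the customer is identifiable upstream
config vdom
    edit "custA"
    config firewall ippool
        edit "custA-pool"
            set type overload
            set startip 203.0.113.10
            set endip 203.0.113.10
        next
    end
    config firewall policy
        edit 1
            set name "custA-to-wan"
            set srcintf "port2"
            set dstintf "custA-link1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set ippool enable
            set poolname "custA-pool"
        next
    end
end
```

A default route out of custA-link1 in the custA VDOM and the matching route and policy in the wan VDOM are still required for traffic to flow. Whether the inter-VDOM link is hardware accelerated depends on the model, as the reply above notes.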

  • @80211WiGuy
    @80211WiGuy 7 months ago

    Is OT short for IoT network?

    • @FortiBytes
      @FortiBytes 7 months ago +1

      I'm afraid not!
      IoT comprises devices such as refrigerators, cameras, and washing machines that are now internet-connected, frequently operating on Linux and posing potential security risks as attack vectors.
      On the other hand, OT, or Operational Technology, encompasses a broader spectrum, often involving production environments and critical infrastructure like power plants. Protecting OT is crucial, with the unique challenge that any disruption can halt a production line, incurring significant financial losses. The networking and communication dynamics in OT differ from those in IT.
      For instance, my experience involves extensive work in operational technology within manufacturing environments, such as car production or packaging plants. Traditionally, these devices operated offline, but there's a growing trend, encouraged by vendors, to connect them to networks. However, a significant drawback is their lack of robust security measures, often running outdated operating systems that are challenging to patch without causing downtime.
      I'll probably do an OT-focused video and perhaps bring some guests onto the channel.

    • @80211WiGuy
      @80211WiGuy 7 months ago

      @@FortiBytes Thank you!!! This is a nearly exact description of something I've been very concerned about and trying to solve for some time now!

    • @FortiBytes
      @FortiBytes 7 months ago +1

      If I can help let me know.

    • @80211WiGuy
      @80211WiGuy 7 months ago

      @@FortiBytes, much appreciated! It's more of a people & process change problem than a technical one.

    • @FortiBytes
      @FortiBytes 7 months ago +1

      Ah, a layer 8 issue. Good luck! @@80211WiGuy