VDOM configuration

来源 https://cookbook.fortinet.com/vdom-configuration/

 

This example illustrates how to use VDOMs to host two FortiOS instances on a single FortiGate unit.

Virtual Domains (VDOMs) can be used to divide a single FortiGate unit into two or more virtual instances of FortiOS that function as independent FortiGate units. This example simulates an ISP that provides Company A and Company B with distinct Internet services. Each company has its own VDOMIP address, and internal network.

 Watch the video

Find this recipe for other FortiOS versions:
5.2 | 5.4 | 6.0

1. Switching to VDOM mode and creating two VDOMs

Go to System > Dashboard > Status.

In the System Information widget, find Virtual Domain and select Enable.

You will be required to re-login after enabling Virtual Domain due to the GUI menu options changing.

Certain FortiGate models will not show the Virtual Domain option in the System Information widget. In order to enable Virtual Domains for these models, the following CLIcommand is required:

config system global

 set vdom-admin enable

 end

Enter y when you are asked if you want to continue. You will be required to re-login after enabling Virtual Domain due to the GUI menu options changing.

  

Go to Global > VDOM > VDOM.

Create two VDOMS: VDOM-A and VDOM-B. Leave both VDOMs as Enabled, with Operation Mode set to NAT.

Note: In version 5.2.3, no choice to enable the VDOMS will be available, as they will be automatically enabled.

2. Assigning interfaces to each VDOM

Go to Global > Network > Interfaces.

Edit internal1 and add it to VDOM-A. Set Addressing Mode to Manualand assign an IP/Network Mask to the interface (in the example, 192.168.91.1/255.255.255.0).

  
Edit internal2 and add it to VDOM-A. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.92.1/255.255.255.0), and set Administrative Access to HTTPSPING, and SSH. Enable DHCP Server.  
Edit internal3 and add it to VDOM-B. Set Addressing Mode to Manualand assign an IP/Network Mask to the interface (in the example, 192.168.93.1/255.255.255.0).  
Edit internal4 and add it to VDOM-B. Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example, 192.168.94.1/255.255.255.0), and set Administrative Access to HTTPS, PING, and SSH. Enable DHCP Server.  

3. Creating administrators for each VDOM

Go to Global > Admin > Administrators.

Create an administrator for VDOM-A, called a-admin. Set Type to Regular, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-A.

Make sure to remove the root VDOM from the Virtual Domainlist.

  

Create an administrator for VDOM-B, called b-admin. Set Type to Regular, enter and confirm a password, set Administrator Profile to prof_admin, and set Virtual Domain to VDOM-B.

Make sure to remove the root VDOM from the Virtual Domainlist.

4. Creating a basic configuration for VDOM-A

Go to Virtual Domains > VDOM-A > System > Network > Routing, to access Static Routes options. (Note: In FortiOS 5.2.4 and up the path is Virtual Domains > VDOM-A > Router > Static > Static Routes.)

Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to internal1, and set Gateway to the IP of the gateway router.

  

Connect a PC to port 2. Using HTTPS protocol, browse to the IP set for internal2 and log into VDOM-A using the a-admin account (in the example, https://192.168.92.1).

Go to Policy & Objects > Policy > IPv4.

Create a policy to allow Internet access. Set Incoming Interface to internal2 and Outgoing Interfaceto internal1. Ensure NAT is turned ON.

Set Source Address to all, Destination Address to all, and Service to ALL.

5. Creating a basic configuration for VDOM-B

Go to Virtual Domains > VDOM-B > System > Network > Routing, to access Static Routes options.(Note: In FortiOS 5.2.4 and up the path is Virtual Domains > VDOM-B > Router > Static > Static Routes.)

Click Create New to create a default route for the VDOM. Set Destination IP/Mask to 0.0.0.0/0.0.0.0, set Device to internal3, and set Gateway to the IP of the gateway router.

  

Connect a PC to port 4. Using HTTPS protocol, browse to the IP set for internal4 and log into VDOM-B using the b-admin account (in the example, https://192.168.94.1).

Go to Policy & Objects > Policy > IPv4.

Create a policy to allow Internet access. Set Incoming Interface to internal4 and Outgoing Interfaceto internal3. Ensure NAT is turned ON.

Set Source Address to all, Destination Address to all, and Service to ALL.

6. Connecting the gateway router
Connect port 1 and port 3 of the FortiGate unit to the gateway router to allow Internet traffic to flow.  

7. Results

Connect to the Internet from the Company A and Company B networks and then log into the FortiGate unit.

Go to Virtual Domains and select VDOM-A.

Go to Policy & Objects > Monitor > Policy Monitor to view the sessions being processed on VDOM-A.

  

Go to Virtual Domains and select VDOM-B.

Go to Policy & Objects > Monitor > Policy Monitor to view the sessions being processed on VDOM-B.

[download-attachments]

For further reading, check out Virtual Domainsin the FortiOS 5.2 Handbook.

==================== End

VDOM configuration的更多相关文章

  1. PhpStorm和WAMP配置调试参数,问题描述Error. Interpreter is not specified or invalid. Press “Fix” to edit your project configuration.

    PhpStorm和WAMP配置调试参数 问题描述: Error. Interpreter is not specified or invalid. Press “Fix” to edit your p ...

  2. Apache2.4:AH01630 client denied by server configuration

    问题说明:Apache服务总共有4个,是为了防止单点故障和负载均衡,负载均衡控制由局方的F5提供. 访问的内容在NAS存储上,现象是直接访问每个apache的服务内容都是没有问题,但是从负载地址过来的 ...

  3. Fedora 22中的Locale and Keyboard Configuration

    Introduction The system locale specifies the language settings of system services and user interface ...

  4. ABP源码分析四:Configuration

    核心模块的配置 Configuration是ABP中设计比较巧妙的地方.其通过AbpStartupConfiguration,Castle的依赖注入,Dictionary对象和扩展方法很巧妙的实现了配 ...

  5. External Configuration Store Pattern 外部配置存储模式

    Move configuration information out of the application deployment package to a centralized location. ...

  6. SCVMM中Clone虚拟机失败显示Unsupported Cluster Configuration状态

    在SCVMM进行虚拟机的Clone,虽然失败了,但是Clone出虚拟机却显示在SCVMM控制台的虚拟机的列表中,并且状态是Unsupported Cluster Configuration.无法修复, ...

  7. commons configuration管理项目的配置文件

    Commons Confifutation commons configuration可以很方便的访问配置文件和xml文件中的的内容.Commons Configuration 是为了提供对属性文件. ...

  8. Elasticsearch Configuration 中文版

    ##################### Elasticsearch Configuration Example ##################### # This file contains ...

  9. Spark 官方文档(4)——Configuration配置

    Spark可以通过三种方式配置系统: 通过SparkConf对象, 或者Java系统属性配置Spark的应用参数 通过每个节点上的conf/spark-env.sh脚本为每台机器配置环境变量 通过lo ...

随机推荐

  1. 自动化jenkins报:ModuleNotFoundError: No module named 'common'

    直接执行脚本是没有问题,报如下错误: 你已经在run.py脚本加路径了为什么还会报这个错呢,就是你加的路径,应该在所有的包上面,才不会报这个错,如下: 注:以下是我的解决方法仅作参考.如果我的发表的内 ...

  2. 年薪30W的软件测试“老司机”工作经验

    这几天,新入职的小MM提议“老司机”们把自己这些年的软件测试工作经验跟大家分享一下,让新同学学习学习,利用空闲时间我整理了一些,可能不全,勉强看看,这也算是对自己这些年的工作总结. 测试阶段划分 1. ...

  3. GoLang入门(一)

    1.Go语言的简述 Go语言可能大家对它并不是很了解,因为它相对其他语言来说实在是太年轻了,从创建到现在仅仅十年,09年,谷歌团队初设该想法,到实现也就是10年时间,对于go语言,它不是万能的,每种语 ...

  4. eclipse—Maven项目打包成exe

    1.下载打包工具j2ewiz  友情连接:https://pan.baidu.com/s/1Rcoqix5QcrJVI1of9h7qbQ提取码:vqn1 2.选中想要打包的文件,右击—Export 按 ...

  5. Python构建web应用(进阶版)->对网页HTML优化逻辑显示

    本篇是承接上一篇web应用(入门级)的内容往下顺延的,阅读后将会了解HTML逻辑显示优化,如下图所示,从杂乱无章的日志文件到一个整齐的列表显示. —————————————————————————— ...

  6. 戴尔win10重新安装win7系统

    戴尔v5468电脑win10重装回win7系统 首先是公司需要用到ie8来执行公司的项目维护,都是很早之前的项目了,因为是对接政府相关的业务,不怎么有把握对项目进行稳定更新,所以我就为这个ie8操碎了 ...

  7. 关于React面试题汇总

    1.redux中间件 中间件提供第三方插件的模式,自定义拦截 action -> reducer 的过程.变为 action -> middlewares -> reducer .这 ...

  8. iframe子页面position的fixed

    前言: 首先说一说我昨天天的苦逼经历.中午吃饭时一同事跟我说,他做的项目嵌套iframe后,子页面的position设置fixed失效了. 经过反复询问,得知他用了两层iframe,再加上最外的父页面 ...

  9. Redis学习(一):CentOS下redis安装和部署

    1.基础知识  redis是用C语言开发的一个开源的高性能键值对(key-value)数据库.它通过提供多种键值数据类型来适应不同场景下的存储需求,目前为止redis支持的键值数据类型如下字符串.列表 ...

  10. Xcode中的文件类型

    文件类型 Xcode中的文件类型,总共4种类型: 1 普通文件(File) 2 Group(在Xcode中就是黄色的文件夹) 3 Folder(在Xcode中就是蓝色的文件夹) 4 Framework ...