
Benefits of Virtual Domains

VDOMs provide separate security domains that simplify administration and security. Each VDOM has its own configuration for firewall policies, routing, VPNs, and more. VDOMs also save physical space and power compared to running multiple physical firewall units. They provide an additional layer of security, since administrator accounts can be restricted to a single VDOM. VDOMs let service providers customize the security configuration for each customer on a single firewall.

Uploaded by hbravila

BENEFITS OF VIRTUAL DOMAINS

Easier administration
VDOMs provide separate security domains, each with its own zones, user authentication, firewall
policies, routing, and VPN configuration. Because each VDOM is a separate security domain, VDOMs simplify
the administration of complex configurations: you do not have to manage as many settings at one
time.

By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the unit's
physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN
settings.

Also, you can optionally assign an administrator account restricted to one VDOM. If the VDOM is
created to serve an organization, this feature enables the organization to manage its own
configuration.

To connect to a VDOM, an admin must log in using an interface belonging to that VDOM.
This allows for proper authentication and restricts that admin's access to a single VDOM.

Each physical FortiGate unit requires a FortiGuard license to access security updates. VDOMs do not
require any additional FortiGuard licenses or updating; all the security updates for all the VDOMs
are performed once per update at the global level. Combined, this can be a potentially large saving of money
and time in your network.

Management systems such as SNMP, logging, alert email, FDN-based updates, and NTP-based time
setting use the addresses and routing of the management VDOM to communicate with the network.
They can connect only to network resources that are reachable from the management VDOM.
Using a separate VDOM for management traffic makes it easier to manage the FortiGate unit's
global settings, and VDOM administrators can also manage their own VDOMs more easily.
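The following added FortiOS CLI example (not part of the original document) puts the steps above into configuration: it enables multi-VDOM mode, creates a customer VDOM named cust_a and a management VDOM named mgmt, moves one physical interface into each, creates an administrator account confined to cust_a, and designates mgmt as the management VDOM. The VDOM, interface and account names, the addresses, the trusted-host range and the password placeholder are all assumptions. The command syntax is FortiOS 6.x as recalled for this example (older releases use `set vdom-admin enable` instead of `set vdom-mode multi-vdom`), so check it against the CLI reference for your release; the `#` comments are for the reader and can be dropped when pasting into an interactive session.

```fortios
# Added example (not from the original document). All names are assumptions.
# Step 1: enable multi-VDOM mode. This ends the current admin session,
# so log in again before continuing.
config system global
    set vdom-mode multi-vdom
end

# Step 2: create a customer VDOM and a dedicated management VDOM.
# "root" already exists and owns every physical interface by default.
config vdom
    edit cust_a
    next
    edit mgmt
    next
end

# Step 3 (global scope): move interfaces out of root. port3 becomes the
# only interface cust_a owns, so cust_a_admin can log in only through it.
config global
    config system interface
        edit port3
            set vdom cust_a
            set ip 198.51.100.1 255.255.255.0
            set allowaccess ping https ssh
        next
        edit port9
            set vdom mgmt
            set ip 192.0.2.1 255.255.255.0
            set allowaccess ping https ssh
        next
    end

    # Step 4: an administrator that can see and change only cust_a.
    # prof_admin is a built-in profile. trusthost1 additionally limits the
    # source network the account may log in from (a hardening choice for
    # this example, not something VDOMs require).
    config system admin
        edit cust_a_admin
            set accprofile prof_admin
            set vdom cust_a
            set trusthost1 198.51.100.0 255.255.255.0
            set password CHANGE-ME-PLACEHOLDER
        next
    end

    # Step 5: make mgmt the management VDOM so SNMP, logging, alert email,
    # FortiGuard updates and NTP use its interfaces and routing table.
    config system global
        set management-vdom mgmt
    end
end
```

After this is applied, cust_a_admin can reach the unit only through port3 and sees only the cust_a configuration; the super_admin account still reaches the global settings through an interface in root or mgmt. Keeping the management interface (port9 here) in its own VDOM means a misconfiguration inside cust_a cannot cut off logging or update traffic.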

Continued security

When a packet enters a VDOM, it is confined to that VDOM and is subject to any firewall policies
for connections between VLAN subinterfaces or zones in that VDOM, just like those interfaces on a
FortiGate unit without VDOMs enabled.

To travel between VDOMs, a packet must first pass through a firewall policy on a physical
interface. The packet then arrives at another VDOM on that same FortiGate unit, but on a different
interface, where it must pass through another firewall policy before entering. It doesn't matter whether the
interface is physical or virtual; inter-VDOM packets still require the same security measures as
when passing through physical interfaces.

VDOMs provide an additional level of security because regular administrator accounts are specific
to one VDOM: an administrator restricted to one VDOM cannot change information in other
VDOMs. Any configuration changes and potential errors apply only to that VDOM, which limits any
potential downtime. Using this concept, you can further split settings so that the management
domain is accessible only by the super_admin and does not share any settings with the other
VDOMs.

Saving in physical space and power

To increase the number of physical FortiGate units, you need more rack space, cables, and power
to install the new units. You also need to change your network configuration to accommodate the
new physical units. In the future, if you need fewer physical units you are left with expensive
hardware that is idle.

Increasing VDOMs involves no additional hardware, no additional cabling, and very few changes to
existing networking configurations. VDOMs save physical space and power. You are limited only by
the size of the VDOM license you buy and the physical resources on the FortiGate unit.

For example, if you are using one FortiGate 620B unit with 10 VDOMs instead of 10 physical units,
over a year you will save an estimated 18,000 kWh. You could potentially save ten times that
amount with a 100 VDOM license.

By default, most FortiGate units support 10 VDOMs. Many FortiGate models support purchasing a
license key to increase the maximum number.

Improving Transparent mode configuration

When VDOMs are not enabled and you put your FortiGate unit into Transparent mode, all the
interfaces on your unit become broadcast interfaces. The problem with this is that there are no
interfaces free to do anything else.

With multiple VDOMs you can have one of them configured in Transparent mode and the rest in
NAT/Route mode. In this configuration, you have an available Transparent mode FortiGate unit you
can drop into your network for troubleshooting, and you still have the standard NAT/Route unit for
networking.
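As an added FortiOS CLI example (not part of the original document), this is the mixed-mode layout the paragraph describes: a VDOM named tp_bridge that bridges two ports in Transparent mode while root stays in NAT/Route mode. The VDOM name, the ports, the management address and the policy are assumptions, and the syntax is FortiOS 6.x as recalled for this example, so verify it against your release's CLI reference.

```fortios
# Added example (not from the original document). Names/addresses assumed.
# Step 1: create the VDOM that will become the transparent bridge.
config vdom
    edit tp_bridge
    next
end

# Step 2 (global scope): give it two ports with no IP addresses; only
# this VDOM's interfaces become bridge members, root keeps its own.
config global
    config system interface
        edit port5
            set vdom tp_bridge
        next
        edit port6
            set vdom tp_bridge
        next
    end
end

# Step 3: switch just this VDOM to Transparent mode. Bridged ports carry
# no IP, so the management IP is how administrators reach this VDOM.
config vdom
    edit tp_bridge
        config system settings
            set opmode transparent
            set manageip 192.0.2.20/24
        end
        # Frames crossing the bridge are still subject to a policy in this
        # VDOM; with no policy they are dropped, exactly as in NAT/Route mode.
        config firewall policy
            edit 0
                set name bridge-port5-to-port6
                set srcintf port5
                set dstintf port6
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set logtraffic all
            next
        end
    next
end
```

Because the mode change is scoped to tp_bridge, the NAT/Route policies and routes in root are untouched, which is what makes the bridge safe to insert into a segment for troubleshooting and remove again afterwards.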

More flexible MSSP configurations

If you are a managed security service provider (MSSP), VDOMs are fundamental to your
business. As a service provider you have multiple customers, each with their own needs and
service plans. VDOMs allow you to have a separate configuration for each customer, or group of
customers, with up to 500 VDOMs configured per FortiGate unit on high-end models.

Not only does this provide the exact level of service needed by each customer, but administration
of the FortiGate unit is easier as well – you can provide uninterrupted service generally with
immediate changes as required. Most importantly, it allows you to only use the resources that
each customer needs. Inter-VDOM links allow you to customize the level of interaction you need
between each of your customers and your administrators.
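The inter-VDOM links mentioned here, and the rule in "Continued security" that a packet crossing between VDOMs must pass a firewall policy on each side, are shown together in this added FortiOS CLI example (not part of the original document). It assumes a customer VDOM cust_a already exists with port3 on 198.51.100.0/24, that root's LAN is 10.0.0.0/24 on port1, and that an ethernet-type inter-VDOM link named a2root is acceptable; the link name, addresses and policy names are assumptions, and the syntax is FortiOS 6.x as recalled for this example, so check it against your release's CLI reference.

```fortios
# Added example (not from the original document). Names/addresses assumed.
# Step 1 (global scope): create the link. FortiOS creates two virtual
# interfaces, a2root0 and a2root1, and each end is placed in one VDOM.
config global
    config system vdom-link
        edit a2root
            set type ethernet
        next
    end
    config system interface
        edit a2root0
            set vdom root
            set ip 10.255.0.1 255.255.255.252
        next
        edit a2root1
            set vdom cust_a
            set ip 10.255.0.2 255.255.255.252
        next
    end
end

# Step 2: each VDOM needs a route toward the other side and its own policy.
# A packet leaving root is checked by root's policy on a2root0, then again
# by cust_a's policy on a2root1; if either policy is missing, it is dropped.
config vdom
    edit root
        config router static
            edit 0
                set dst 198.51.100.0 255.255.255.0
                set device a2root0
                set gateway 10.255.0.2
            next
        end
        config firewall policy
            edit 0
                set name root-lan-to-cust-a
                set srcintf port1
                set dstintf a2root0
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service HTTPS SSH
                set logtraffic all
            next
        end
    next
    edit cust_a
        # Return route so replies (and reverse-path checks) resolve to the link.
        config router static
            edit 0
                set dst 10.0.0.0 255.255.255.0
                set device a2root1
                set gateway 10.255.0.1
            next
        end
        config firewall policy
            edit 0
                set name from-root-link-to-port3
                set srcintf a2root1
                set dstintf port3
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service HTTPS SSH
                set logtraffic all
            next
        end
    next
end
```

Only the two named services are permitted in this example, and both policies log all traffic, so the customer-facing administrator of cust_a can see and, within their own VDOM, further restrict what arrives over the link; narrowing or removing the cust_a policy is enough to cut the interaction without any change in root.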
