
VDOM Lab:

Management Subnet            192.168.100.0/24
FW1 Management IP Address    192.168.100.200
Root VDOM WAN Subnet         192.168.1.0/24
Root VDOM LAN Subnet         192.168.11.0/24
Root VDOM WAN Gateway        192.168.1.254
Root VDOM LAN Gateway        192.168.11.254
HR VDOM WAN Subnet           192.168.2.0/24
HR VDOM LAN Subnet           192.168.22.0/24
HR VDOM WAN Gateway          192.168.2.254
HR VDOM LAN Gateway          192.168.22.254
SALE VDOM WAN Subnet         192.168.3.0/24
SALE VDOM LAN Subnet         192.168.33.0/24
SALE VDOM WAN Gateway        192.168.3.254
SALE VDOM LAN Gateway        192.168.33.254
Main Internet Subnet         172.29.129.0/24
Root-PC IP Address           192.168.11.1
HR-PC IP Address             192.168.22.1
SALE-PC IP Address           192.168.33.1

Created by Ahmad Ali, E-Mail: ahmadalimsc@gmail.com, Mobile: 00966564303717


Basic Configuration:
Let's set the FortiGate firewall hostname and configure the management interface.
Hostname
FortiGate-VM64-KVM # config system global
FortiGate-VM64-KVM (global) # set hostname FW1
FortiGate-VM64-KVM (global) # end

Management Interface
FW1 # config system interface
FW1 (interface) # edit port7
FW1 (port7) # set mode static
FW1 (port7) # set ip 192.168.100.200/24
FW1 (port7) # set allowaccess https http ping ssh
FW1 (port7) # end

Enable VDOM:
Some FortiGate models have no GUI option for enabling virtual domains in the System
Information widget. Enter the following commands in the CLI Console to enable VDOM mode, and
enter y when you are asked whether you want to continue.
Enable VDOM
FW1 # config system global
FW1 (global) # set vdom-mode multi-vdom
FW1 (global) # end



Create VDOMS:
Make sure that Global is selected from the dropdown menu at the top. This allows you to
make changes to the global configuration.

Go to System > VDOM and create two VDOMs: HR and Sale. In my case, the NGFW Mode is set to
Profile-based for both VDOMs.



Under System > VDOM, the two new VDOMs, HR and SALE, now appear alongside the default root VDOM.

Configuring Root VDOM for FortiGate Management:


Go to Network > Interfaces. By default, all interfaces are in the root VDOM. Edit the interface
you wish to use to manage the FortiGate (in my case port7, the mgmt interface) and set
Administrative Access to HTTP, HTTPS, PING and SSH.



Assigning Interfaces to VDOMs:
Go to Network > Interfaces and edit an interface (in my case port1). Set Virtual Domain to root
and Role to WAN. Set Addressing Mode to Manual and set IP/Network Mask to the interface's IP address.

To assign an interface for the root internal network, go to Network > Interfaces and edit the
interface (in my case port4). Set Virtual Domain to root and Role to LAN. Set Addressing Mode to
Manual and assign an IP/Network Mask to the interface (in my case 192.168.11.254/255.255.255.0).



Repeat the above steps to assign interfaces to VDOM HR and Sale.
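The same interface assignment for the HR VDOM, written as a FortiOS CLI script rather than through the GUI. This is an added example, not part of the original lab: port2 and port5 are the HR interface names used in the policy section below, the addresses come from the lab table, and the assumption that each "WAN Gateway" in the table is the FortiGate's own WAN interface address is mine. Lines beginning with # are comments.

```fortios
# Interfaces are global objects, so the VDOM assignment is made from the global scope.
config global
    config system interface
        edit port2
            set vdom HR
            set alias HR-WAN
            set role wan
            set mode static
            set ip 192.168.2.254/24
# WAN side: no administrative access; ping only, for reachability tests from the lab PCs.
            set allowaccess ping
        next
        edit port5
            set vdom HR
            set alias HR-LAN
            set role lan
            set mode static
            set ip 192.168.22.254/24
            set allowaccess ping
        next
    end
end
```

Repeat with port3/port6 and the 192.168.3.0/24 and 192.168.33.0/24 addresses for the SALE VDOM.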

Creating Per-VDOM Administrators:
To create a per-VDOM administrator for HR, go to System > Administrators and select Create
New > Administrator. Enter a Username and set Type to Local User. Enter and confirm a
Password. Set Administrator Profile to prof_admin. Remove the root VDOM from the Virtual
Domains list and add HR.



Repeat the above steps to create a per-VDOM administrator for Sale. To create a per-VDOM
administrator for Sale, go to System > Administrators and select Create New > Administrator.
Enter a Username and set Type to Local User. Enter and confirm a Password. Set Administrator
Profile to prof_admin. Remove the root VDOM from the Virtual Domains list and add Sale.
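Both per-VDOM administrators as a CLI script, added here as an example rather than taken from the original lab. The usernames and passwords are placeholders, the VDOM name SALE follows the VDOM list above, and the trusthost line restricts logins to the lab's management subnet, which the GUI steps do not set.

```fortios
config global
    config system admin
        edit hr-admin
            set accprofile prof_admin
# Scope the account to the HR VDOM only; root is deliberately not in the list.
            set vdom HR
# Placeholder password for the lab; replace before use.
            set password HR-Lab-Passw0rd!
# Accept logins only from the management subnet in the lab table.
            set trusthost1 192.168.100.0 255.255.255.0
        next
        edit sale-admin
            set accprofile prof_admin
            set vdom SALE
            set password Sale-Lab-Passw0rd!
            set trusthost1 192.168.100.0 255.255.255.0
        next
    end
end
```

After logging in as hr-admin, the VDOM dropdown offers only HR, so any change the account makes is confined to that VDOM's routes, policies and logs.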



Configuring Root VDOM:
Access Root using the dropdown menu located in the top-left corner. To add a static route, go
to Network > Static Routes and select Create New. Set Destination to Subnet and leave the
destination IP address set to 0.0.0.0/0.0.0.0. Set Gateway to the IP address provided by your ISP
and Interface to the Internet-facing interface.

Configure Root Policy:


To create a new policy, go to Policy & Objects > Firewall Policy and select Create New. Set the
Incoming Interface to Root-LAN (port4) and the Outgoing Interface to Root-WAN (port1).



Configuring HR VDOM:
Access HR using the dropdown menu located in the top-left corner. To add a static route, go to
Network > Static Routes and select Create New. Set Destination to Subnet and leave the
destination IP address set to 0.0.0.0/0.0.0.0. Set Gateway to the IP address provided by your ISP
and Interface to the Internet-facing interface.

Configure HR Policy:
To create a new policy, go to Policy & Objects > Firewall Policy and select Create New. Set the
Incoming Interface to HR-LAN (port5) and the Outgoing Interface to HR-WAN (port2).



Configuring Sale VDOM:
Repeat the above steps to configure Sale. Access Sale using the dropdown menu located in the
top-left corner. To add a static route, go to Network > Static Routes and select Create New. Set
Destination to Subnet and leave the destination IP address set to 0.0.0.0/0.0.0.0. Set Gateway
to the IP address provided by your ISP and Interface to the Internet-facing interface.

Configure Sale Policy:


To create a new policy, go to Policy & Objects > Firewall Policy and select Create New. Set the
Incoming Interface to Sale-LAN (port6) and the Outgoing Interface to Sale-WAN (port3).
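The static route and firewall policy for one VDOM (HR), entered in the VDOM scope as a CLI script. This is an added example, not from the original lab: port2/port5 are the HR interfaces named above, the upstream gateway 192.168.2.1 is an assumed value because the lab table does not give the ISP-side router, and the final get command is the CLI counterpart of the per-VDOM routing check in the testing sections below.

```fortios
config vdom
    edit HR
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
# Assumed upstream router on the HR WAN subnet; not given in the lab table.
                set gateway 192.168.2.1
                set device port2
            next
        end
        config firewall policy
            edit 1
                set name HR-LAN-to-WAN
                set srcintf port5
                set dstintf port2
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
# Source NAT behind the WAN address, and log every session so that
# Log & Report > Forward Traffic in this VDOM shows the HR-PC tests.
                set nat enable
                set logtraffic all
            next
        end
# Verify: only HR routes are listed, nothing from root or SALE.
        get router info routing-table all
    next
end
```

Repeat in the root and SALE VDOMs with their own interfaces and gateways; each VDOM keeps its own routing table and policy list.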



Root-PC Configuration & Testing:



Choose the Root VDOM from the dropdown and navigate to Log & Report > Forward Traffic.

Navigate to Dashboard > Network > Routing; it shows only the Root VDOM routes and the
management route.



HR-PC Configuration & Testing:



Navigate to Dashboard > Network > Routing; it shows only the HR VDOM routes.



SALE-PC Configuration & Testing:



Navigate to Dashboard > Network > Routing; it shows only the SALE VDOM routes.
