Virtual Domains (VDOMs)
VDOMs can provide separate firewall policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network or organization. This section provides a list of best practices for configuring VDOMs.
Per-VDOM resource settings
While global resources apply to resources shared by the whole FortiGate unit, per-VDOM resources apply to a single virtual domain only.
By default, all per-VDOM resource settings are set to no limit. This means that any single VDOM can consume all the resources of the entire FortiGate unit if it needs to, starving the other VDOMs of resources to the point where they are unable to function. For this reason, it is recommended that you set maximums on the resources that are most vital to your customers.
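A check a practitioner might run against an exported configuration, as an added example that is not Fortinet's code: it parses a constructed `config system vdom-property` block and lists every VDOM whose maximum for a vital resource is still 0 (no limit). The CLI syntax in the sample (`set <resource> <max> <guaranteed>`) is assumed from the FortiOS CLI reference; verify it against your firmware version.

```python
import re

# Constructed sample of a FortiOS "config system vdom-property" block.
# Syntax is assumed from the FortiOS CLI: "set <resource> <max> <guaranteed>",
# where a maximum of 0 means no limit (the default).
SAMPLE_CONFIG = """
config global
    config system vdom-property
        edit "root"
            set session 0 0
            set firewall-policy 0 0
        next
        edit "customerA"
            set session 20000 2000
            set ipsec-phase1 50 10
            set firewall-policy 500 50
        next
        edit "customerB"
            set session 0 0
            set firewall-policy 300 0
        next
    end
end
"""

# Resources the page calls "most vital"; pick the ones that matter to you.
RESOURCES_TO_CAP = ("session", "firewall-policy", "ipsec-phase1")

def parse_vdom_properties(text):
    """Return {vdom: {resource: (max, guaranteed)}} from the vdom-property block."""
    result, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config system vdom-property":
            in_block = True
        elif not in_block:
            continue
        elif (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = m.group(1)
            result[current] = {}
        elif (m := re.match(r"set (\S+) (\d+) (\d+)$", line)) and current:
            result[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif line == "next":
            current = None
        elif line == "end":
            break  # end of the vdom-property block
    return result

def unlimited_vdoms(props, resources=RESOURCES_TO_CAP):
    """Return (vdom, resource) pairs whose maximum is 0 or unset, i.e. uncapped."""
    return [(v, r) for v, res in props.items() for r in resources if res.get(r, (0, 0))[0] == 0]
```

Run `unlimited_vdoms(parse_vdom_properties(SAMPLE_CONFIG))` to see which VDOMs can still starve the others; a resource that is never set is reported as uncapped, since the default is no limit.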
Virtual domains in NAT mode
Once you have enabled virtual domains and created one or more VDOMs, you need to configure them. It is recommended that you perform the following tasks in the order given (you may not need all of them for your network topology):
- Change the management virtual domain.
- Configure FortiGate interfaces for your VDOMs in NAT mode.
- Configure VDOM routing.
- Configure security policies for VDOMs in NAT mode.
- Configure UTM profiles for VDOMs in NAT mode.
- Test the configuration.
Virtual clustering
If you decide to disable override for virtual clustering because of persistent renegotiation, disable it on both cluster units.