Enabling VDOM downsides

Author
amorales
2021/04/08 09:09:07 (permalink)
0


Hi, I am wondering if there is any downside to enabling VDOMs in a FortiGate. As far as I know, by default all VDOMs can make use of all firewall resources and there is no limitation unless the admin configures them explicitly, but I just want to confirm whether there are any limitations or constraints to enabling VDOMs compared to not using them.

I want to enable VDOMs to use the root VDOM just for management traffic, and create only one extra VDOM for production traffic. Thanks.
#1


    emnoc
    Re: Enabling VDOM downsides 2021/04/08 09:26:14 (permalink)
    0
    Downsides? You mention it in resource limits. And you need to carefully think out what interface/port you assign to a VDOM, since it can only be in one.
     
     
    Now, in your request, this is done a lot, where management is done via one VDOM and production in the other. You should also think heavily on how the 2 will talk to the internet (do you use emac-vlan, or a dedicated wan-port, or vdom-links, etc.).
     
    And lastly, SDWAN: is that something you need now or might need later?
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
    amorales
    Re: Enabling VDOM downsides 2021/04/09 05:28:52 (permalink)
    0
    Thank you Ken. Yes, I am aware of VDOM configuration and I am keeping in mind how to talk to Internet from the root VDOM.
     
    On the other hand, if I have FortiManager, will the root VDOM also consume an extra license? Thanks.
    #3
    emnoc
    Re: Enabling VDOM downsides 2021/04/09 07:09:38 (permalink)
    0
    What do you mean by extra license? All FortiGates come with up to 10 VDOMs (disregard the smaller units). Some are upgradeable to more VDOMs. Most none sml-to-medium enterprise models are fixed at 10 VDOMs. Until you get into models 1000 or larger, VDOMs are limited to 10; larger units have upgrade options.
     
    Note: FortiManager can manage an FGT with 1, 2, 3 or 10 VDOMs; nothing changes from its perspective as a manager.
     
    FYI: FortiManager also has its "adom" limits and a total number of managed devices, but these are primarily on the bigger managers. IIRC you can't update ADOM totals, but the total number of devices is a license option. Think of ADOMs as administration domains, so you can partition an FMGR to allow adom-1 to manage only FGT #1, #2, #3, and adom-2 to manage only FGTs #4, #5, #6.
     
     
    Ken Felix 

    PCNSE 
    NSE 
    StrongSwan  
    #4
    lobstercreed
    Re: Enabling VDOM downsides 2021/04/12 08:47:41 (permalink)
    0
    Ken,
     
    I'm afraid you may be mistaken when you say nothing changes from the FMG perspective with multiple VDOMs.  I have a single HA pair of FGTs that have 3 VDOMs and consume 3 licenses on FMG.  That's also what our SE told me when he sized our FMG licensing.
     
    So yes, Arnaldo, your concern about licensing is valid.  I'd be happy to be proven wrong.  - Daniel
    #5
    Yurisk
    Re: Enabling VDOM downsides 2021/04/12 09:13:59 (permalink)
    0
    @Ken - what the OP meant was licenses on the FMG side, and as Daniel mentioned already - yes, each additional VDOM on an FGT managed by FMG will use up an additional license out of the total paid for.
     
    @amorales Maybe split-vdom, where one VDOM is for management only, will not eat up a separate license? Just thinking out loud.
     
    #6
    emnoc
    Re: Enabling VDOM downsides 2021/04/12 09:23:24 (permalink)
    0
    Okay, yes, that is correct: each VDOM is going to consume a license. So you have to determine how many FortiGates and how many VDOMs in total, and then go with that number plus growth.
     
    Keep in mind buying add-ons can get too pricey.
     
    E.g., adding a 10 add-on 10 times would cost 2x more than buying a 100 add-on just one time.
     
    I would speak to the sales team if you are using or planning FMGR to see what discounts you can leverage, but YMMV.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #7