Fortinet FortiGate-200A operating instructions

FortiGate-200A Administration Guide Version 2.80 MR6
01-28006-0072-20041105
System virtual domain
FortiGate virtual domains provide multiple logical firewalls and routers in a single 
FortiGate unit. Using virtual domains, one FortiGate unit can provide exclusive firewall 
and routing services to multiple networks so that traffic from each network is 
effectively separated from every other network. 
You can develop and manage interfaces, VLAN subinterfaces, zones, firewall policies, 
routing, and VPN configuration for each virtual domain separately. For these 
configuration settings, each virtual domain is functionally similar to a single FortiGate 
unit. This separation simplifies configuration because you do not have to manage as 
many routes or firewall policies at one time.
When a packet enters a virtual domain on the FortiGate unit, it is confined to that 
virtual domain. In a given domain, you can only create firewall policies for connections 
between VLAN subinterfaces or zones in the virtual domain. Packets never cross the 
virtual domain border.
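The confinement rule above can be checked against an exported configuration inventory. The following is an added example, not code from the Fortinet guide: it flags zones and firewall policies whose endpoints belong to a different virtual domain. The data model, field names, interface names and the customer_a domain are constructed assumptions, not FortiOS syntax.

```python
# Added example. The inventory model below is an assumption, not FortiOS syntax.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    policy_id: int
    vdom: str   # virtual domain the policy is defined in
    src: str    # interface, VLAN subinterface or zone name
    dst: str

def audit_vdom_isolation(iface_vdom, zones, policies):
    """Return findings; an empty list means no object crosses a virtual domain border."""
    findings = []
    # Resolve every possible policy endpoint to exactly one virtual domain.
    endpoint_vdom = dict(iface_vdom)
    for zone, (zone_vdom, members) in zones.items():
        endpoint_vdom[zone] = zone_vdom
        for member in members:
            owner = iface_vdom.get(member)
            if owner != zone_vdom:
                findings.append(f"zone {zone} ({zone_vdom}) has member {member} in {owner}")
    for p in policies:
        for role, name in (("src", p.src), ("dst", p.dst)):
            owner = endpoint_vdom.get(name)
            if owner is None:
                findings.append(f"policy {p.policy_id}: unknown {role} {name}")
            elif owner != p.vdom:
                findings.append(f"policy {p.policy_id} ({p.vdom}): {role} {name} belongs to {owner}")
    return findings

# Constructed sample inventory: root plus one additional virtual domain.
IFACE_VDOM = {"internal": "root", "wan1": "root", "dmz1": "root",
              "vlan_100": "customer_a", "vlan_200": "customer_a"}
ZONES = {"a_inside": ("customer_a", ["vlan_100"]),
         "mixed": ("customer_a", ["vlan_200", "dmz1"])}   # dmz1 is in root
POLICIES = [
    Policy(1, "root", "internal", "wan1"),
    Policy(2, "customer_a", "a_inside", "vlan_200"),
    Policy(3, "customer_a", "vlan_100", "wan1"),          # wan1 is in root
]

if __name__ == "__main__":
    for finding in audit_vdom_isolation(IFACE_VDOM, ZONES, POLICIES):
        print(finding)
```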
The remainder of FortiGate functionality is shared between virtual domains. This 
means that there is one IPS configuration, one antivirus configuration, one web filter 
configuration, one protection profile configuration, and so on shared by all virtual 
domains. As well, virtual domains share firmware versions, antivirus and attack 
databases, and user databases. For a complete list of shared configuration settings, 
see 
Virtual domains are functionally similar in NAT/Route and in Transparent mode. In 
both cases interfaces, VLAN subinterfaces, zones, firewall policies, routing, and VPN 
configurations are exclusive to each virtual domain and other configuration settings 
are shared. A major difference between NAT/Route and Transparent mode is that in 
Transparent mode, interfaces and VLAN interfaces do not have IP addresses and 
routing is much simpler.
The FortiGate unit supports 2 virtual domains: root and one additional virtual domain.
This chapter describes: