Fortinet Virtual (VDOM) Authentication

FortiOS VDOM (Virtual Domain) is a feature of Fortinet's FortiGate firewall that allows the creation of multiple virtual instances of a single physical FortiGate device. Each VDOM can have its own security policies, NAT rules, and configurations, allowing for tailored security measures for different users. Administrators can allocate specific resources (CPU, memory, and bandwidth) to each VDOM to ensure proper usage and performance isolation.

VDOM mode allows the creation of multiple virtual instances within a single FortiGate unit. A normal FortiGate unit operates as a single entity with one management context and one set of security policies, routing configurations, and firewall rules. Each VDOM acts as an independent virtual firewall with its own configurations, policies, and resources.

When the VDOMs are configured in different modes (split or multiple VDOM), the scan report includes the configuration information together with the associated VDOM profile name.

The following is an example to show if the host is configured as split or multi-VDOM.

User privileges to access the settings for all VDOMs

An account profile (Accprofile) with a super_admin user role has the privilege to access the global settings and the settings for all VDOMs. The user must have super_admin access to perform the PC scans. 

Accprofiles can be created using the following commands:

  1. config system accprofile
  2. edit <accprofile_name>
  3. set <permissions>
  4. next
  5. end

For example:

  1. config system accprofile
  2. edit test
  3. set system-execute-ssh enable
  4. next
  5. end

After authentication, the scanner sets up its shell by executing the config global command.

From the global context you can then access the settings as follows:

If the setting is VDOM specific, you can view the settings present across all VDOMs. For example,

<K>fortios.config_user.auth-lockout-threshold</K>
<V>config vdom root|:|config user setting|:|set auth-lockout-threshold 3</V>
<V>config vdom FG_TRAFFIC|:|config user setting|:|set auth-lockout-threshold 3</V>

If the setting is global, you can fetch it from the global config. For example, 

<K>fortios.minimum-length</K>
<V>config system password-policy|:|set minimum-length 8</V>
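The two cases above (a VDOM-specific setting reported once per VDOM, and a global setting reported once) are easiest to work with once the `<K>`/`<V>` lines are parsed into a per-scope structure. The following Python is an added example, not part of this documentation or any Fortinet or scanner tool; it parses constructed lines in the same layout as above (the FG_DMZ and FG_MGMT VDOM names and their values are made up) and reports VDOMs whose value drifts from a baseline or that have no value at all.

```python
"""Parse per-VDOM and global FortiOS setting lines in the <K>/<V> scan layout
and flag VDOMs that drift from, or lack, an expected value.  Added example;
the sample input below is constructed, not real scan output."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the page's examples.  The FG_DMZ
# VDOM and its threshold value (10) are invented to show a drift case.
SAMPLE_OUTPUT = """\
<K>fortios.config_user.auth-lockout-threshold</K>
<V>config vdom root|:|config user setting|:|set auth-lockout-threshold 3</V>
<V>config vdom FG_TRAFFIC|:|config user setting|:|set auth-lockout-threshold 3</V>
<V>config vdom FG_DMZ|:|config user setting|:|set auth-lockout-threshold 10</V>
<K>fortios.minimum-length</K>
<V>config system password-policy|:|set minimum-length 8</V>
"""

KEY_RE = re.compile(r"^<K>(.+?)</K>$")
VAL_RE = re.compile(r"^<V>(.+?)</V>$")
VDOM_RE = re.compile(r"^config vdom (\S+)$")
SET_RE = re.compile(r"^set (\S+) (.+)$")


def parse_scan_output(text):
    """Return {key: {scope: value}}, where scope is a VDOM name for
    VDOM-specific settings and 'global' for settings outside any VDOM."""
    result = defaultdict(dict)
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            continue
        vm = VAL_RE.match(line)
        if not vm or current_key is None:
            continue
        # The |:| separator joins the nested CLI context segments.
        segments = vm.group(1).split("|:|")
        # A leading 'config vdom <name>' marks a VDOM-specific value;
        # anything else (e.g. 'config system ...') is global.
        scope_match = VDOM_RE.match(segments[0])
        scope = scope_match.group(1) if scope_match else "global"
        set_match = SET_RE.match(segments[-1])
        if set_match:
            result[current_key][scope] = set_match.group(2)
    return dict(result)


def find_drift(parsed, key, expected):
    """Scopes whose value for `key` differs from the baseline `expected`."""
    values = parsed.get(key, {})
    return sorted(scope for scope, value in values.items() if value != expected)


def missing_scopes(parsed, key, expected_scopes):
    """VDOMs from the inventory that report no value for `key` at all.
    A VDOM absent from the output is running the default, which the
    baseline may not allow, so it deserves the same attention as drift."""
    present = set(parsed.get(key, {}))
    return sorted(set(expected_scopes) - present)


if __name__ == "__main__":
    parsed = parse_scan_output(SAMPLE_OUTPUT)
    key = "fortios.config_user.auth-lockout-threshold"
    # FG_MGMT is a constructed VDOM name used to show the 'missing' case.
    inventory = ["root", "FG_TRAFFIC", "FG_DMZ", "FG_MGMT"]
    print("drift from 3:", find_drift(parsed, key, "3"))
    print("no value reported:", missing_scopes(parsed, key, inventory))
    print("global password minimum-length:",
          parsed["fortios.minimum-length"]["global"])
```

The VDOM inventory passed to `missing_scopes` has to come from the device itself (for example the list of VDOMs in the global context), since the scan output only names the VDOMs that actually carry the setting.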

Perform the following steps to scan a Fortinet VDOM instance.

  1. Create a user using the Command Line Interface or the FortiGate User Interface
  2. Create an authentication record

Create a user using the Command Line Interface or the FortiGate User Interface

A new user can be created using the CLI or the FortiGate User Interface.

  1. Steps to create a user using the Command Line Interface (CLI):
    1. config global
    2. config system admin
    3. edit <user_name>
    4. set password <password>
    5. set vdom <vdom_name>
    6. set accprofile <accprofile_name>
    7. next
    8. end

    For example:
    1. config global
    2. config system admin
    3. edit test_user
    4. set password *******
    5. set accprofile super_admin
    6. set vdom root
    7. next
    8. end

  2. Steps to create a user using the FortiGate User Interface:
    1. Log in to the FortiGate VM64.
    2. Go to Global.
    3. Under Global, select Administrators.
    4. Enter the Username, Password and Confirm Password.
    5. Select the Administrator Profile and the Virtual Domains.
    6. Click OK.

      Setting all the information in the FortiGate UI.

Create an authentication record

Perform the following steps to create an authentication record for scanning hosts configured with different VDOM modes.

  1. Go to Scans > Authentication > New > Operating Systems > Unix

    Selecting the Unix OS from the Scans tab.

  2. Enter the Username and Password of the administrative account and select FortigateOS vdom (PC) from the target type list.

    Selecting the Fortigate vdom target type for creating the auth record.

  3. Click Create.