
What's new in FortiOS 5.4

The following new features have been added for Virtual Domains (VDOMs) in FortiOS 5.4:

Stackable VDOM licenses

VDOM licenses are now stackable, allowing you to buy additional licenses and stack them on top of existing licenses to increase the number of VDOMs you can have.

Support execution of global CLI commands from within VDOMs

A new CLI command, sudo, allows global commands to be run from within the VDOM context of the CLI. This means that the user no longer has to:

  1. exit from the VDOM
  2. enter global
  3. run the command
  4. return to the previous VDOM

The syntax for the command is:

sudo {global | vdom-name} {diagnose | execute | show | get}

These commands will only work if the user already has permission to run the command. Unlike the sudo command in some other operating systems, such as Linux, this command does not allow the user to run programs with the privileges of another user.

GUI features can now be enabled and disabled per VDOM

When VDOMs are enabled, most of the items in the Features section of the menu are moved to a similar menu section within the VDOM menu and are now customizable on a per-VDOM basis. Some items, such as IPv6 and Certificates, are still configured on a global basis.

From the GUI, you can enable or disable GUI features from System > Feature Select.

Improvements and changes to per-VDOM certificates

The CA and local certificate configuration is now available per-VDOM. When an admin uploads a certificate to a VDOM, it will only be accessible inside that VDOM. When an admin uploads a certificate to global, it will be accessible to all VDOMs and global.

The factory default certificates (Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory) are now per-VDOM and are automatically generated when a new VDOM is created.

The Fortinet_Firmware certificate has been removed and all the attributes that use Fortinet_Firmware now use Fortinet_Factory.

CLI Changes

Two new attributes range and source have been added:

range can be global or vdom. If the certificate file is imported from global, it is a global certificate. If the certificate file is imported from a VDOM, it is a VDOM certificate.

source can be factory, user or fortiguard:

factory: A factory certificate file shipped with the FortiOS version. This includes Fortinet_CA_SSL, Fortinet_SSL, PositiveSSL_CA, Fortinet_Wifi, and Fortinet_Factory.

user: Certificate file imported by the user.

fortiguard: Certificate file imported from FortiGuard.

config certificate local
    edit Fortinet_Factory
        set range {global | vdom}
        set source {factory | user | fortiguard}
    next
end

GUI Changes

Global and per-VDOM certificate configuration includes view details, download, delete, and import certificate.

Source and Status columns have been added.

When VDOMs are enabled, a global icon is shown in the Name column to indicate that a certificate is global.

A new VDOM now has the following default certificates: Fortinet_CA_SSL, Fortinet_Factory, Fortinet_SSL, Fortinet_Wifi, Fortinet_CA, and PositiveSSL_CA. These certificates are created automatically when the VDOM is created and every VDOM will have its own individual versions of these certificates.

The Fortinet_firmware certificate has been removed. All default configurations that formerly used the Fortinet_firmware certificate now use the Fortinet_Factory certificate.

Default root VDOM certificates

Certificates with the same names are also available from the global configuration. These are generated when you turn on VDOMs.

Default global certificates

Adding certificates to VDOMs and to the global configuration

If an administrator adds a certificate to a VDOM, the certificate will only be available for that VDOM. If an administrator adds a certificate to the global configuration, it will be available for all VDOMs.

Adding option for VDOM logs through management VDOM

FortiOS supports the definition of per-VDOM FortiAnalyzers. Previously, however, each VDOM was required to log independently to its FortiAnalyzer server.

A new option, use-management-vdom, has been added to the CLI.

config vdom
    edit xxx
        config log fortianalyzer override-setting
            set use-management-vdom {enable | disable}
        end
    next
end

If this option is enabled, source-ip is hidden, and when the FortiGate sends logs to FortiAnalyzer it uses the management VDOM's IP setting as the source IP. If IPsec is enabled, the tunnel is created in the management VDOM and the source IP belongs to the management VDOM.
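The per-VDOM certificate attributes (range, source) and the use-management-vdom logging option above both live in the same nested config/edit/set/next/end syntax. The following added example (not Fortinet code) parses a constructed config dump in that syntax and reports which certificates in each VDOM were imported by a user and which VDOMs route FortiAnalyzer logs through the management VDOM; the VDOM names and the corp-wildcard certificate are assumed sample values.

```python
# Added example, not Fortinet code: walk a FortiOS config dump and report the
# per-VDOM certificate sources and FortiAnalyzer routing described on this page.
SAMPLE = """\
config vdom
    edit root
        config certificate local
            edit Fortinet_Factory
                set range vdom
                set source factory
            next
            edit corp-wildcard
                set source user
            next
        end
        config log fortianalyzer override-setting
            set use-management-vdom enable
        end
    next
    edit dmz
    next
end
"""  # constructed sample input, not a real device export

def parse(text):
    """Build nested dicts from config/edit (open), set, and next/end (close)."""
    stack = [{}]
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        kw, _, arg = line.partition(" ")
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(arg, {}))
        elif kw == "set":
            key, _, value = arg.partition(" ")
            stack[-1][key] = value
        elif kw in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit vs next/end")
    return stack[0]

def vdom_certificates(tree, source=None):
    """Map each VDOM to its local certificate names, optionally by 'set source'."""
    return {vdom: sorted(name for name, cert in cfg.get("certificate local", {}).items()
                         if source is None or cert.get("source") == source)
            for vdom, cfg in tree.get("vdom", {}).items()}

def vdoms_logging_via_management(tree):
    """VDOMs whose FortiAnalyzer override sends logs via the management VDOM."""
    return sorted(vdom for vdom, cfg in tree.get("vdom", {}).items()
                  if cfg.get("log fortianalyzer override-setting", {})
                  .get("use-management-vdom") == "enable")
```

Running the same functions over a real `show full-configuration` export gives a quick inventory of user-imported certificates per VDOM and of the VDOMs whose log traffic now originates from the management VDOM's IP.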