FortiGate has so-called VDOMs, which are basically FortiOS namespaces (similar to what other vendors call a VRF). They are mostly independent and can even run in different L2/L3 modes.
If you SSH into a device, you're either directly dropped into a VDOM (if `set vdom <vdom>` is set for the user), or you end up in the special top-level VDOM shell if your account is a global super admin. You can then jump to the special "global" mode using `config global` or a single VDOM using `config vdom` / `edit <name>`. The `root` VDOM is special - by default, it contains the interface carrying the management interface, the global RADIUS configuration and anything that had been configured prior to VDOM setup.
If you do a config backup using SCP, you either get the global config including all VDOMs or a single VDOM config without any of the global config depending on permissions. Backing up the global config might require a user with RW permissions, not sure if this changed in more recent firmware versions.
We want to support both use cases.
Open questions:
- Is there any way to configure a user such that it directly enters global mode? (likely no)
- Does the `root` VDOM need any special treatment?
- Do all commands work at the "global" level, or do some of them only work on the top level or VDOM level?
  - `config system admin` (probably both at global and VDOM level)
  - `config system global` / `set enable-scp`
  - `config system console` / `set output [...]`
  - `diagnose sys ha showcsum` / `diagnose sys ha checksum show`
  - `get system status`
- Do we want to support the use case of running commands or doing a config backup for a single VDOM using a global user? (likely no, until someone specifically requests this feature)
Depending on the results, we're probably going to need VDOM detection, a special flag for VDOM firewalls and a `config global` block for all CLI commands unless there's some way to convince FortiOS. A workaround for checksum comparison is implemented in #5.
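As an added sketch (not code from this project) of what the VDOM detection and `config global` wrapping described above could look like: it reads the "Virtual domain configuration" line of `get system status` (the exact line format is an assumption) and wraps a command list in `config global` / `end` or `config vdom` / `edit <name>` / `end`. The VDOM name check is a defensive assumption, added so a name taken from configuration cannot smuggle extra lines into the CLI session.

```python
import re

# Constructed samples of `get system status` output. The
# "Virtual domain configuration" line format is an assumption.
SAMPLE_STATUS_VDOM = """Version: FortiGate-VM64 v7.0.0
Virtual domain configuration: multiple
Current virtual domain: root
Max number of virtual domains: 10
"""
SAMPLE_STATUS_NOVDOM = """Version: FortiGate-VM64 v7.0.0
Virtual domain configuration: disable
Current virtual domain: root
"""

# Assumed rule for acceptable VDOM names: a single simple token.
VDOM_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def vdoms_enabled(status_output: str) -> bool:
    """Detect VDOM mode from `get system status` output (format assumed)."""
    m = re.search(r"^Virtual domain configuration:\s*(\S+)", status_output, re.M)
    return bool(m) and m.group(1).lower() not in ("disable", "disabled")


def wrap_commands(commands, vdom_mode, scope="global", vdom=None):
    """Return the CLI lines to send for `commands`.

    Without VDOMs the commands are sent as-is. With VDOMs they are
    wrapped in `config global` / `end`, or in `config vdom` /
    `edit <name>` / `end` when a single VDOM is targeted.
    """
    if not vdom_mode:
        return list(commands)
    if scope == "global":
        return ["config global", *commands, "end"]
    if scope == "vdom":
        # Refuse names with whitespace or newlines: a hostile name could
        # otherwise terminate the block and inject further commands.
        if not vdom or not VDOM_NAME_RE.fullmatch(vdom):
            raise ValueError("VDOM name must be a simple identifier")
        return ["config vdom", f"edit {vdom}", *commands, "end"]
    raise ValueError(f"unknown scope {scope!r}")
```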