NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 22
May 1, 2023

65. Lecture-65: Configure & Verify Virtual Domains (VDOMs).

Another topic is virtual domains, which we call VDOMs. What is a VDOM? Virtual domain means you are creating a domain virtually, and a domain is nothing but an area. If you divide one room with a partition, we call each part a domain: you have a separate domain, I have a separate domain. Virtual domain means you are doing this virtually. In the FortiGate firewall they call them virtual domains, or VDOMs for short. So what is the idea? Basically, to separate the firewall virtually. Those of you who have done the Cisco ASA firewall, the FortiGate firewall or the Palo Alto firewall know the concept. Or, if you have done Cisco, you know VRF, virtual routing and forwarding. By default there is only one route table on a Cisco router, which we call the global route. But you can divide a Cisco router into VRFs, with separate routes for every customer. Normally ISPs do this when they have many customers. Physically this is only one device, but virtually you are creating separate tables, like blue, orange and green, as many as you require. So this is VRF, the same concept. On the Cisco ASA firewall, we call them security contexts.

Those of you who have done Cisco ASA with me know this one. We did that lab. Security context means we are virtually dividing the Cisco ASA firewall into separate firewalls. If you create two contexts, it means you divide this firewall virtually into two firewalls, so it becomes three: one is the main one. It is like the router, where the global route is already there. For the global route, show ip route will show it to you, and if you want a specific route table you have to type show ip route vrf green or vrf blue. Here it is the same. Physically it is one device, but virtually you create two firewalls to save money. Maybe HR needs a separate firewall. Maybe your manager tells you that he needs a separate firewall for every department, for HR, sales and so on. And you tell him: why are you spending so much money? The firewall which we have, we can divide it and virtually make as many firewalls as you need. How many do you need? He will say only two or three firewalls. You will say it's okay, we will divide it virtually. The third concept is VLAN. Physically there is only one switch, but logically we create small switches inside it, which we call VLANs, virtual local area networks. Virtually you divide the switch inside, but physically it is only one switch. So you create separate domains. Every VLAN is a separate broadcast domain. So that is one, security context is two and VRF is three.

We have the same concept in the FortiGate firewall, where we call them virtual domains, or VDOMs. Now there will be a global setting from where you can configure everything. In VRF we call that one the global route, and on Cisco ASA we call it the admin context, from where you can create, enable and disable the contexts, like a super admin. In VLANs we have VLAN 1, where you have everything. So here we have a global setting. By default there will also be an area from where you can jump from one place to another. In Cisco we have VLAN 1, which is the default one and which is always there. In security contexts we have the admin context, which is there by default. On the Cisco router we have show ip route, the global route, which is there by default. Here we have root, which is there by default, by the way, but it is not visible. When you enable VDOMs, it will be there. So this is the one which we call root, and root, as in Linux, is the super user, which can do everything, like Administrator in Windows.

So this is the place and the user where you can create VDOMs. You can enable VDOMs, you can delete VDOMs, you can put the interfaces in VDOMs. This is called root. So now you know what VDOMs are. Why are we using them? I already told you. You want separation: a separate division, a separate domain, separate management, separate everything. But you want to use only one device, like a partition in a room. For separate policy, separate everything, we need VDOMs. In the same way, when we need separate control and separate policy for every department, we need security contexts, and when we need separate departments like HR and IT, we have different VLANs. Guest is a separate VLAN. It is the same concept. We want to divide the firewall in the same way. Now we know the concept, so let's come to how we can enable VDOMs. In the latest firmware versions you can enable them graphically or through the CLI, but on some models, like the FortiGate 60 series, you cannot enable them through the GUI. You have to enable them only through the CLI, the command line interface.

Okay, this is also done. From here we can enable them graphically. You have to go to System, Settings, and then System Operation Settings, and there you will see Virtual Domains. In the CLI you have to type config system global and then set vdom-mode multi-vdom. But this CLI command will not autocomplete. Normally when we type some command and press Tab, it will autocomplete. But this command is a hidden command. It is like in Cisco, when you want to protect the IOS: there is a security command for IOS protection which is invisible, and with Tab it will not complete. In every firewall, in every system, you will see some such command which does not autocomplete. We call them invisible commands.

One of them, in the FortiGate firewall, is VDOM. If you type set, then V, and press Tab, it will not complete. It will say there is no such command. So it means you have to manually type vdom-mode, and then it will be accepted. This is just for protection purposes, so that nobody types this command by mistake. Okay, this is done. That is the story: through the GUI and the CLI, we can enable them. But when you enable them, you will see Global at the top, and under System you will see VDOM, which is not here now. By default you will not see these two things. Last but not least, it requires a license to create VDOMs. You need a firewall with a licensed version; otherwise you cannot practise on this one, the 14-day license one. Anyway, I will try to license one device. If it works, we will do the lab. If it does not, then we will leave it. But anyway, let me go to GNS3 and let's do the lab. Which topology? I will use this topology of mine. I want to virtually divide this firewall in three different ways. Suppose I have HR, I have a sales team and I have root, which is the default one. I will put one PC in root, one PC in HR for test purposes, and one in sales. Three ports I will use for inside and three ports for outside. So everybody will separately go through one firewall, but it will look like a separate firewall for everyone: like three firewalls, but physically it is one firewall. This is the topology I want to draw. So one, two, three, four, five, six: I need six switches first, but I will use these dummy switches rather than the proper one. So let me drag an Ethernet switch, okay, and right-click and change the symbol to the proper one. We will use this one. Let me put this one here and change the name to SW. Now right-click and duplicate: two, three, four, five, I think. It ended up with one through eight, because it was selected. So let me see. One, two, three and four, five, and there should be six. Yes, I don't need these, so select and delete, and select and delete.

Okay, so this is for when one, two, three. And this should be we will use them for land purpose. Okay, let me make them here. Okay. And here. And here. And let me put them aligned this way as well. Okay. Six switches is done. Now we need what? We will give them the name anyway. But now I need one. Firewall. In the middle. So let me go to Firewall and 6. 24. Firewall. Let’s see Firewall. Okay, what I need now I need some pieces and one Management as well. So for Management purpose, I will use Net Cloud to connect. So this is my net cloud for management purpose, okay? And let me change the symbol. Change symbol. And let me put any client or something and let me see Mgmt. This is our management interface. And let me connect. This one to port 123456. So let me put save one. Okay? And now on this at least it will on and we will connect. So port one, two, switch one, port. Two two switch. Two port. Three two switch. Three port. Four. Two switch. Four. And this to switch five. And the last six one is to switch six if you are confused. Now let me give them the name. This should be root by default there will be root here. So this is root either root outside, this representing root outside and this one is representing root N. This one will be HR out either inside or outside, whatever you say. And HR n. And this one is suppose it out. And this one is it in.

Now it’s clear. So this one is far out and this far is far N. Now I need some client to test them. So what I need, I need VIP term One, Viperum Two and Viperum Three. Okay. So this should be for inside. Okay. And let me give them name root PC. This one is hRPC and you can consider them more PC. But here I attach only one PC. This is it PC. Okay. And now let’s connect to the switch. Okay. And this should be connected to here. And they should be connected here. Okay. And let me make them okay, now we need a range. But I need one thing more. That how we can connect to outside. Because I have only one cloud and it will be the same. So what I need to do, there is another concept and if I have which is not here, let me see in here. Yeah, open right, open right. You can download new template type here open write this one. What this open write do? They can provide you single IP with different vein like a vein optimized at such type either to divide the vein in different way. So I need to use this one. I need to see if there is something configure on it or not.

So first I need to check this one. So what I need to do, I need to configure if it is not configure. So first we will configure this. The name is open write. Okay, so choose this one. I want to see if it is not connected. Zero interface is assigned to Lane and one is assigned to Lane. Okay, if I not mistaking so let me see one interface, I connect it and let me on this console. Let me start and PC. By default IP is 192 and 68 dot one. So let me go to this one. If it is not configured, we need to configure them. So that’s why I take this PC. So one dot two I give the IP one one okay. And now let me start this one as well. Let’s see right click on this open right? Okay, this is a docker, like a docker which provide you when okay, starting now. First time you need to configure them how many vein you need. So let them on. If it is not there, then we need to configure. I will show you otherwise we have another ways when control l f you say F config so it’s not configure. They see ethernet IP zero. Let me see it was zero. So zero is inside. Okay. And this one is the vein interface. So it’s not configured. Okay, so what I need to do, I need to configure them first. How we can do? I will show you. So let me go to lane. Okay, and default IP is this 119-21-6811 and I assign here one, two so it means I can access this device here 192, 168, 121 so open write is enable and password, I think. So root and root is the password. Yeah. So now I log in here with open, right? I need three interfaces. Why? Because I have three separate so right now I only need three. So what I can do go to interfaces by default there are two, one is lane and one is when I don’t need IPV six. So let me delete IPV six when okay, save and apply the setting so you are not confused. Only two interfaces are there. One is for lane and the other is for vein.

So vein is okay ethernet one is vain, which is the outside but for lane I need such step this one. So what I need to do create a new interface and give them lane one and protocol is static IP. Okay, and create choose here lane okay, because we want to create a lane no, by the way these two are used so I need to choose this one. Okay and create interface. Now it’s asking the IP so 192, 168, two, one suppose subnet mass we will use 24. This is not related to your subject so don’t worry if it is, don’t know, so it’s okay. And what else we need to know we don’t need IPV six and save so my another lane is ready, which is this one but it’s not green. Why? So let’s go to edit. Okay and go to firewall setting and enable for lane it will make them green. So I have created another Len. Now I need two more Len. So click create new and Len three static address interfaces three. Okay and create now it will ask the IP 109, 216831, subnet mask is two five five, okay and save so again it’s not green. Go to edit. We forgot one thing. When you go up firewall setting and make them land and save now we need one more but before one more create new interface len four and make them static IP specify Len ethernet adapter. We already use this one now. Okay and create interface 109, 216841 and subnet mask is this one. We are doing this for all only one small thing by the way, go to firewall setting and specify lane and save but go before there I need to go to lane setting. I just need to check the gateway. So gateway is not required just to double check I have a small doubt save and apply okay so what is this one? Lane is IP is 192. 168. Okay. Land two is two. And LAN three is three. And LAN four is four. IP.

Okay. Just need to double check. Yeah, that’s it. Now coming back. Now you can connect them. No need of this one. Just to configure them. First time. So delete this one and our when device is ready. Connect Zero. I think so. Zero was outside. What was outside? I just need to double check. Now if you can check the interfaces okay, so now you have more interfaces. So ethernet zero is the outside. Okay. This is the outside one, sorry, one is outside and two, three so I need to use 0123 either one, two, three I already have let me use this one. So go to one and choose this one. One and this one is two and this one is three. Okay and now I need a net cloud. So basically, now I have three win. I will show you why I’m doing this whole thing which is not related to here. But so this is internet. Now the main link I will connect this main link to zero interface which is the vein interface of our vein divider. Now double check from when divider are we reach to internetping eight. So maybe I use the wrong interface. Ethernet one. Okay, it’s 1 YD by the way. So this one is going to zero is when interface it’s been edges, I never used them. So that’s why sometime now, let’s see zero is taking IP or not and let me check ping a. If it is not working, we have another solution as well by the way one and this one is ethernet zero. What was the vein interface when we checked them? Okay it’s down. It was zero or one? I am not sure.

Let’s try both. One of them will work. So let me try them with one with zero this time. Okay. Sorry. Fconfig zero down and make them up. Ifconfigure so network is not reachable. I just need to log in again to this device. Let me go to this one. Maybe we done something wrong. Why I delete this one? Go to one and give them IP with the range one range so let me remove we need this thing. That’s why I’m doing otherwise we will put router by the way, router is also a solution we can do. That one as well. But I thought if this one is work last time I used them that’s why I was trying to show you by this one. So let me go to 192-1681 dot one one. So it means I’m the wrong one. It’s not one. It should be zero. So I was right zero is the inside and one is when it’s per shore now now if I click here and let’s see now network interfaces so lane is okay, so Lane was one interface. Let’s edit them. Okay. And it’s a DHCP client by the way. It has to get IP automatically. Advanced physical interface. Okay. And firewall sitting it’s okay, get the IP now here 11, 14, 37. Just wasting our time. So if I check now if config okay. And let’s go up. Yes this one. So now if I try ping eight it’s working now.

So basically it just wasted our time and now it’s okay. And let me remove this one. I will put this one for the test purpose. If something goes wrong, we will engage them again. Anyway. Now this last one is zero. It’s here. So keep in mind. Now let me do the IP schema 109, 216-811-4024. This is our Uwen outside network one internet. But this one, this is zero interface. So zero interface. We assign len zero. This one they have a range of 192, 168, one range we just use and connect them. So this is one range. This one they are using two range. You know, we remember we assigned them. And this one is using three range. So this is our IP schema for the interfaces. When interfaces keep in mind this is vein interfaces. Now I need for lane side. So for lane what I will do, let me give them eleven. So one is outside and eleven is inside, two is outside. And here we will assign 22 is inside range and three is outside. And 33 we will assign for inside. So now need to assign this PC from this range. So let me select all these three PC. Go to edit configuration, remove auto. This one. This one, this one and this one. And this one. This hRPC. This one is open. So hRPC range is 22. So make this 22 and 22 and we will assign 100 to the firewall.

And let me put a eight here. Control A, control C and HR is done. Now S root open control V. So root is 1111 and done. Control A, control V and the it is 33 and gateway is 32. There are 100 and done. So these PC are done. If you don’t know the IP, let me put here. So basically we assign here two to hRPC and here we assign two two and here we assign 33. That’s the whole story of division two. Now coming to a firewall. So right click on firewall, go to console. Okay, admin there is no password 123123. And now go to config system interface and edit port number 7123-4567. Sorry, seven port 123-4567 because you are connected to port seven. Set allow set allow access http https TenneT SSH, ping et cetera. And sit mode DHCP and end this what I need to get the IP show system interface question mark. So it will get on port seven IP. Yeah, this one, this is the management interface where I’m connected. This one is ports seven. So I make them DHCP to make them easier rather than to type static IP is up to you. And now type the IP here to log into this firewall admin.

And password is one, two, three, begin. And let me give them name FG and okay. As I told you, by default it require a license. It’s not mentioned here. It will show you here. If we domes is enabled either. If it is support. Let me try. Can we enable Vdomes from here? Control c either. Graphically we can do it as well. If I go to system there is setting. There is an option if it is available in this one or not. Let’s do it by command. I saw weird config system global type this command and type VDOM from VDOM is not showing. Look at V question mark. There is no command starting from VDOM because it’s a hidden command. Do you have to type your own VDOM? Then mode and question mark. Now it will show you. Look at split V dome. Multiview dome and no V dome. You know. So the command was hidden. Now it’s showing. So we need multi V dome. And when I enter, they say that multivedom cannot be enabled with the current Vdome license. It’s giving error means it require a license. There is also from here it should be somewhere here graphical is also here somewhere maybe after license is enabled here so it’s not working. So I need to license this device. So go to anywhere from anywhere I license this device so I have a license. Let me see somewhere if I did not delete them that’s the license file and let me okay, so system is rebooting because we don’t require a license.

Any demo license which you can get for 60 days from 40 gate either you can buy the proper one or you can apply on any device which is licensed one but the one which we are using you cannot do this lab anyway, do all the labs when you reach to Vidanta I will provide you this license because my license topic is finished now I do need the license now. Now you can enable this license as many devices they will just block my license after ten devices. It’s okay just use them and do your lab as soon you can do it. So you do your VDOM lab. Okay, so the system is rebooting so it licensed the device? I hope so it will work when after that then we can configure. So we dom configuration is too easy. We will do in simple way like just like when we create a DNS, we create interfaces, we assign IP the same thing we will do three times the only difficult part was to configure this thing. That’s the issue now and I hope so it worked now because now I will assign one range here, two range here and I will make the gateway this one so I hope so it can work now. So, let’s see so system is still rebooting and it will open as Https now because it’s been licensed now. So let’s see https okay? Yes and go to proceed and admin one, two, three when it’s unlicensed, so then you can use with Http. But when it’s become licensed, then you have to open them with Https. So it’s now open and I hope so everything is baked now public IP is showing in its license. Okay. And after a V Dom, it will show you here and it’s the license. Okay. Now I can increase the CPU and everything. It’s okay now and there is no more 14 days anything. Now let’s do the V domes and also let’s graphically because it was not showing before.

So if we go to system setting and system operation if we go to system operation, there should be yes, it’s now here virtual domain so you can enable from here. Okay, changing virtual domain share will require you to re login. Okay, which we do we need multiwedm? This is not our topic, so leave it this one we need multivitam click OK and login bake admin and one, two, three or you can type that command which I show you admin one, two, three configuration config, system config. Okay, now we will go to VDOM. Yes, enable now then the command become changed. So it’s here now showing we Dom because I graphically enable now whenever now you are using command, then you have to type where you want to go global. Then you can enter and then you can do step by step to everywhere. The command will change now, because we have Vdomes enabled, you make them change. So it’s now showing VDOM you can create up to ten V domes. We only need three to test them. It’s okay. And you know, now there is a global enroute which I told you already theoretically. And when you go to system under that you will see global. Sorry. And under system you will see Vdomes. There is V Dom now. Now I need to create three VDOM by default route. Is there like a VLN one? Is there like admin content? Is there like a global route is there? And all the interfaces are park and VLN one it’s like a VLN one, all eight interfaces but I say no I need to create a virtual VLN one is HR which name we suggest? I don’t know which was our name? Yeah. HR it and root. So I say HR.

Vdome anything. Now, one VLAN can be different. Another one can be different profile based. The other one can be policies. Okay. N. Okay. So HRV Dom I created like a villain you created then I need to create ITV dome you can give them any name I am just giving them Vidom and it can be policybased one is another type so two is being done now I am doing all these in globally now let’s do to put the interfaces here how we can do it let’s start from the basic again. Just we’ve done it, but this time we will do three time everything. So let’s go to port seven first. My port seven is this one, which is a management one. So let them type mgmt and this is an under route here. And if you want to make them manual, let them manual this IP and allowed everything. We know all these things. Now I will do quickly and okay, so I give them the name to port seven, which is management. Now go to Policy and enable port. So port one. Okay. This port five. This port six. Let’s remove this port the other port, because port is important now. So that you need to know which port is where. Let me remove this one. We don’t need these port. This port is important. The one which is showing here. Okay. By the way, this is also important. This zero two and zero three and one. Okay, that’s it. So now port one and port four belong to route one. Right? Now every port is port one. But let’s start from the HR one. So port two and port five is the HRV len. So port which one. Let’s go back. Port two and port five. Go to port two. Click on port 02:00 a. m in global configuration and type when HR either Hrvin this is Hrvin and choose VDOM Hrvdom which we just created before role. No need of role DHCP. Maybe there is a DCP enable. It will get IP. Let’s see if it can get or not. And just allowed ping. Let’s see it getting or not.

If not, we will type automatically manually. Okay, let’s see. I think so I did not enable DHCP there. So let’s put this one port two. So two range from two range and icathan anything. So let me assign from two range. 109, 21682, 124 and done. So port two is for HR one and port five is for HR lane. So let’s go to five and type here HR lane and put this interface on HRV Dom and type the IPV. Assign IP this 122. So type 192, 168, 22, 100. Let me copy this one. We will use again and again. So it’s bitter and enable ping and Https. Okay, this one done. Now let’s do the other interfaces. Root is already. We will do this one, port three and port six. For which one? It port three. So go to port three and type it when and put them in ITV Dom and DHCP. If not getting DHCP, we have to put manually, which is 3300. We will assign them. You remember we choose here three, that’s the three. So 300. And what about the other side? Six port 33. So go to six port and type it Len. This is it, len. Choose virtual domain it and put the IP 3333 hundred and allowed ping. Okay. So these two are done. The. Only thing is root has all the rest up interfaces. That’s okay, but let them give the name port one and port four. So go to port one. Where is port one? It’s better to do what type root when this is root venue when interface and it’s already en route. It did IP automatically make them manual.

We will say 100 and no need of this one, just need to ping it’s enough for us. And what about the other? Port four is the lane one. So go to port four and type here root lane. Okay. And manually type eleven. I believe we give them eleven foreign set this 111 ping done. So interfaces has been now assigned to every VLAN like a Vlane. Now. What about DNS? One is overall DNS which is in the root one. So type a eight and another one is one one and apply. Now I will log in with every VDOM and I will configure rest of things here. I don’t need to do anything here. Now how? Go to global and look at there is HR. When you click HR. This is now HR firewall. Everything is separately from the other two, only related to HR. So HR was this one HR? So for HR gateway is two one. So now I will configure gateway for H R. Go to network and static route is now HR firewall like a separate firewall. And here I will say that the gateway is 192, 168, 2121 is this one. We assign this IP to the Venk. Okay, and what else? We need to know the policy. Now. This is HR policy. Go to policy and object. You will see nothing, only two interfaces. Let me go to interfaces to show you. This is a virtual interface. Look at only two interfaces, five and two. Because now I mean HR firewall. Just imagine like you now log in in HR firewall. This is a separate firewall. But logically as separate but physically it’s only one.

That's the beauty of VDOMs. So what do I need to do? I need to go to Policy & Objects, IPv4 Policy, and create a policy for HR so that we can test it. So, HR policy. Anyway, there is no need to give it any special name, because there are only two interfaces for HR. HR LAN to HR WAN, any source, any destination, any service, NAT, and everything, and OK. And set logging to all sessions, by the way, so that we can see the log in case you want to see it. So let me click on this one and allow all sessions. What else do we need? It is like a separate firewall now. What have we done? We need a route, we need DNS, we need an IP policy. It's done. Just the simplest thing. Now go to the IT VDOM. If you go to the IT VDOM, that policy will not be showing here. Look, it is not here, because now I am in a separate firewall. So now create a policy for IT. I am just giving a policy name. So IT LAN goes to IT WAN, source anything, destination anything, service anything, NAT enabled, log all sessions, and OK. But what about their route? So let's go to Static Routes. It will not show the previous one, because that was in a separate firewall. Here, for the IT WAN, which one is it? They have 3.1 as the gateway. So 192.168.3.1 is the gateway for them.

And OK. So the policy is there and everything. And the last one is root. Root already has everything. Static route: let's create a static route for root. Root has this WAN, and 192.168.1.1 is the gateway for it. I am here, this one, this is one. Okay, and what about the policy? Let's create a policy for the root one and type root policy. Okay. From root LAN to root WAN, source is all, destination is all, service is all, NAT is enabled, log all sessions, and OK. That's it. So it means it is basically one firewall, and we divided it in three. I already gave you the example. So, three different firewalls. Okay, now you can create a separate administrative domain. They will log in separately as well, but root can see the other two and can configure them. When you log into HR, though, you cannot do anything in IT. The last thing: we need to test something. Before we do one, two, three, let me ping. Can I ping 192.168.1... sorry, execute ping. Which one am I in? Root. Let me go from root; it will do it automatically, it will log into the same VDOM. Because now we have created VDOMs, the previous command will not work. You need to go to config vdom, then edit root, and then you can do it. So that's why it is better to do it from here. execute ping 192.168.1.1. So yes, my gateway is reachable.

Am I reachable to? Sorry. Execute ping eight dot eight. So yes, I am reachable, so it’s a good sign. Now let’s go to HR and log into HRV domain test from here. Okay? Why it’s not taking me here when you log in here, so it will exit. Let’s try from system directly because I don’t want to confuse you through system through command. Let’s go to here and on the system. I hope so it all will reach to internet, but separately. Their logs will be separately from other one. And why not test from here? I just want to test that reachability there or not. So let me log into this one and ping 192, 168 100. I assign this IP to firewall so it’s reachable. Then I assign 200 to the other so it’s reachable and then I assign 300 to the third one so it’s reachable and from him are reachable to the internet. So I hope so let’s click on root PC and test internet. Go to facebook because everything is there. So it has to work and yeah, so it’s going to Facebook. Let them come up to show. Then we will see the logs. Now where you will see the logs in HR. Do you think the logs will be here? Where? From where we are checking the logs. We are checking the log from so many places. Let’s go to logs and forwarding traffic.

Do you think this Facebook-related log will be here? No, because it belongs to the root one. So go to root, and when you see the logs, you will see Facebook. It mentions root policy. So that is going to Facebook. Now let's jump to the other one, the HR one. From HR let me go to Twitter. Do you think the Twitter record will be here? No. For Twitter you need to go to HR. So, HR, or which one? Yes, HR. Here you will see Twitter. Yes, it's the Twitter log, because I am in the HR VDOM. So basically I divided this firewall into three different firewalls. Just consider them as three different firewalls: firewall one here, firewall two here and firewall three here. So rather than one firewall, it is like three firewalls. And the last one is IT. Let me go to IT and go to Amazon. When you come here, Amazon will not be here. Even if you refresh, Amazon will not show here, because Amazon has been accessed through another firewall, just imagine it like that, and that is the IT VDOM. So when you go to the IT VDOM, you will see the Amazon traffic there. After a while you will see it here, if Amazon is working. I hope it will come up, because it has become slow. I did not increase the RAM, and it is working as fully three firewalls. So here is the Amazon traffic. It is showing Amazon, and it is the IT VDOM. And let me go to Global and show you the status. It says three VDOMs are configured and total allowed is three. And I was talking about FortiToken. I can enable FortiToken on an administrator now, because I licensed this one. Cloud based, I can create a token as well. Anyway, that was the story related to that. So it is showing 30%, three. If we use 100%, that means ten, if you use ten VDOMs.

And we see that this firewall has been divided into three separate VDOMs. With this license you can create seven more VDOMs in the same way. But if you need more than ten, then you have to buy another license. Now let's check whether we missed something. So this is the way to enable VDOMs; then you will see them under this menu. Then how to create a VDOM. Then we put the interfaces in the VDOM, that is, we assign interfaces to the VDOM. Then what we did here separately for each one. Then you can create a separate administrator for every VDOM too. Right now I am logged in through the root administrator, the root VDOM, and I can handle all three. But you can create three separate users.

So every user from a separate department will log in separately. It is also possible, but because we get an issue with the administrator, I don't want to show you this one. You can create them separately as well. What else? This is for the HR VDOM. You need to create separate routing for HR, and a separate policy for sales, HR and whatever departments you have. And then you test that everything is working and traffic is going out. The only issue is, if you don't know about this WAN divider, you can put three different servers here with different IPs and test against those servers rather than going to the internet. Okay, so you don't need to do this one. Okay.
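
The steps summarized above (enable multi-VDOM mode, create a VDOM, assign interfaces, then add a route and policy inside it), written as FortiOS CLI for the HR department. This is an added example, not the lecture's own configuration: the VDOM name HR-VDOM, the aliases, the policy name and the 192.168.2.100 address on port2 are assumed values, while the port numbers, the 192.168.22.100 LAN address and the 192.168.2.1 gateway follow the lab as described.

```fortios
# Added example for the HR VDOM of the lab (port2 = WAN side, port5 = LAN side).
# HR-VDOM, the aliases, "HR-policy" and 192.168.2.100 are assumed values.

# 1. Switch the unit to multi-VDOM mode. "vdom-mode" does not tab-complete,
#    so it is typed in full. The admin session is logged out after this change.
config system global
    set vdom-mode multi-vdom
end

# 2. Create the VDOM. "edit" with a new name creates it.
config vdom
    edit HR-VDOM
end

# 3. In global scope, move the two HR interfaces out of root into the new VDOM.
#    Management access is kept to the minimum each side needs.
config global
    config system interface
        edit "port2"
            set vdom "HR-VDOM"
            set alias "HR-WAN"
            set mode static
            set ip 192.168.2.100 255.255.255.0
            set allowaccess ping
        next
        edit "port5"
            set vdom "HR-VDOM"
            set alias "HR-LAN"
            set mode static
            set ip 192.168.22.100 255.255.255.0
            set allowaccess ping https
        next
    end
end

# 4. Inside the VDOM: its own default route and its own LAN-to-WAN policy.
#    Neither is visible from root's or any other VDOM's policy and route tables.
config vdom
    edit HR-VDOM
    config router static
        edit 1
            set gateway 192.168.2.1
            set device "port2"
        next
    end
    config firewall policy
        edit 1
            set name "HR-policy"
            set srcintf "port5"
            set dstintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set logtraffic all
        next
    end
end

# 5. Verify from inside the VDOM: with VDOMs enabled, execute commands
#    run in the context of the VDOM you have entered.
config vdom
    edit HR-VDOM
    execute ping 192.168.2.1
end
```

The IT VDOM repeats steps 2 to 4 with port3 and port6 and its own gateway; root keeps port1 and port4.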
