Appendix A: Virtual domains
This appendix describes CLI commands when you use the virtual domains feature. It includes the following topics:
- Overview
- Enabling VDOMs
- Creating VDOMs
- Editing a VDOM
- Assigning interfaces to a VDOM
- Assigning administrators to a VDOM
- Disabling VDOMs
- Viewing VDOMs
Overview
You can use virtual domains (VDOMs) to delegate administration for tenant deployments. This can be useful for large enterprises and multi-tenant deployments such as web hosting.
Virtual domains are not enabled by default. Enabling and configuring VDOMs can only be performed by the admin administrator.
VDOMs alter the structure and available functions in the GUI and CLI, according to whether or not you are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator account's assigned access profile.
| | admin account | Other administrators |
|---|---|---|
| Access to config global | Yes | No |
| Can create administrator accounts | Yes | No |
| Can create and enter all VDOMs | Yes | No |
If VDOMs are enabled and you log in as admin, the complete set of CLI commands appears, allowing unrestricted access and VDOM configuration. The admin administrator account cannot be restricted to a VDOM. Other administrators are restricted to their VDOM, and cannot configure VDOMs or global settings.
If VDOMs are enabled and you log in as any other administrator, you enter the VDOM assigned to your account. By default, administrator accounts other than the admin account are assigned to the root VDOM. A subset of the typical menus or CLI commands appears, allowing access only to feature configuration, logs, and reports specific to your VDOM. You cannot access global configuration settings or enter other VDOMs.
Enabling VDOMs
Before you begin:
- Save a backup of the configuration. Enabling VDOMs changes the structure of your configuration, so you want to be able to easily revert to the system state before VDOMs were enabled.
To enable VDOMs
- Log in with the admin account. Other administrators do not have permissions to configure VDOMs.
- Enter the following commands:
config system global
set vdom-admin enable
end
FortiADC terminates your administrative session.
- Log in again.
When VDOMs are enabled, and if you log in as admin, the top level of the shell changes: the two top-level items are config global and config vdom.
- config global contains settings that only admin or other accounts with the prof_admin access profile can change.
- config vdom contains each VDOM and its respective settings.
This menu and CLI structure change is not visible to non-global accounts; VDOM administrators’ navigation menus continue to appear similar to when VDOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.
Creating VDOMs
Some settings can only be configured by the admin account; they are global. Global settings apply to the appliance overall regardless of VDOM, such as:
- network interfaces
- system time
- backups
- administrator accounts
- access profiles
- FortiGuard connectivity settings
- HA and configuration sync
- SNMP
- X.509 certificates
- TCP SYN flood anti-DoS setting
- exec ping and other global operations that exist only in the CLI
Only the admin account can configure global settings.
Other settings can be configured separately for each VDOM. They essentially define each VDOM. For example, the policies of VDOM-A are separate from VDOM-B.
Initially, only the root VDOM exists, and it contains settings such as policies that were global before VDOMs were enabled. Typically, you will create additional VDOMs, and few if any administrators will be assigned to the root VDOM. After VDOMs are created, the admin account usually assigns other administrator accounts to configure their VDOM-specific settings. However, as the root account, the admin administrator does have permission to configure all settings, including those within VDOMs.
To create a VDOM:
- Log in with the admin account. Other administrators do not have permissions to configure VDOMs.
- Enter the following commands:
config vdom
edit <VDOM_name>
where <VDOM_name> is the name of your new VDOM. (Alternatively, to configure the default root VDOM, type root.)
The new VDOM exists, but its settings are not yet configured.
Editing a VDOM
You can modify the dynamic and static parameters of each VDOM by following the instructions below. Dynamic parameters determine how much of a dynamic resource, such as connections per second, a VDOM can use. Static parameters determine how much of a static resource, such as real servers, a VDOM can use.
To edit a VDOM:
1. Enable VDOMs (see Enabling VDOMs).
2. Execute the following commands. A value of 0 means the parameter has no limit.
config global
config system vdom
edit <VDOM_name>
L4CPS : 0
L7CPS : 0
L7RPS : 0
SSLCPS : 0
SSLTHROUGHPUT : 0
CONCURRENTSESSION : 0
virtualserver : 0
realserver : 0
healthcheck : 0
sourcepool : 0
errorpage : 0
localuser : 0
usergroup : 0
INBOUND : 0
OUTBOUND : 0
Dynamic parameters

| Parameter | Description |
|---|---|
| L4CPS | The number of layer 4 connections created per second. When the creation speed exceeds this value, only this number of connections will be created per second. The rest will be dropped. |
| L7CPS | The number of layer 7 TCP connections created by the httproxy frontend per second. When the creation speed exceeds this value, only this number of connections will be created per second. Additional TCP SYN requests will be dropped on the client side. |
| L7RPS | The number of HTTP GET requests handled by the httproxy from the client side per second. When the number of requests per second exceeds this value, only this number of requests will be handled. Additional HTTP GET requests will be dropped. |
| SSLCPS | The number of SSL connections created by the httproxy frontend per second. When the creation speed of new SSL connections exceeds this value, only this number of connections will be created per second. Additional connections will not be allowed and additional SYN packets will be dropped during that second. |
| SSLTHROUGHPUT | The volume of SSL-encrypted TCP traffic from both the incoming and outgoing side. When the traffic throughput exceeds this value, additional packets from the client will be dropped and new connections will not be allowed. |
| CONCURRENTSESSION | The total number of living connections for ADC traffic. Living connections include L4, L7, and L7 SSL. When the number of living connections exceeds this number, additional connections will not be allowed. |
| INBOUND | The maximum volume of inbound traffic allowed. Only L4 and L7 SLB TCP traffic will be counted. |
| OUTBOUND | The maximum volume of outbound traffic allowed. Only L4 and L7 SLB TCP traffic will be counted. |

Static parameters

| Parameter | Description |
|---|---|
| virtualserver | The maximum number of virtual servers that can be configured using "config load-balance virtual-server" in the chosen VDOM. |
| realserver | The maximum number of real servers that can be configured using "config load-balance real-server" in the chosen VDOM. |
| healthcheck | The maximum number of health check members that can be configured using "config system health-check" in the chosen VDOM. |
| sourcepool | The maximum number of IP pools that can be configured using "config load-balance ippool" in the chosen VDOM. |
| errorpage | The maximum number of error page files that can be configured using "config load-balance error-page" in the chosen VDOM. |
| localuser | The maximum number of local users that can be configured using "config user local" in the chosen VDOM. |
| usergroup | The maximum number of user groups that can be configured using "config user user-group" in the chosen VDOM. |
Assigning interfaces to a VDOM
The following commands assign a network interface to a VDOM:
FortiADC-VM # config global
FortiADC-VM (global) # config system interface
FortiADC-VM (interface) # edit port10
FortiADC-VM (port10) # set vdom docs-vdom
FortiADC-VM (port10) # end
Changing interface(port10) vdom from root(1) to docs-vdom(233):
change vdom success.
Assigning administrators to a VDOM
The following commands create an administrator account and assign the administrator to a VDOM:
FortiADC-VM # config global
FortiADC-VM (global) # config system admin
FortiADC-VM (admin) # edit docs-vdom-admin
Add new entry 'docs-vdom-admin' for node 78
FortiADC-VM (docs-vdom-admin) # set access-profile admin_prof
FortiADC-VM (docs-vdom-admin) # set vdom docs-vdom
FortiADC-VM (docs-vdom-admin) # end
Disabling VDOMs
Before you begin:
- Save a backup of the configuration. Disabling VDOMs changes the structure of your configuration, and deletes most VDOM-related settings. It keeps settings from the root VDOM only.
To disable VDOMs
- Assign interfaces to the root VDOM. For example:
FortiADC-VM # config global
FortiADC-VM (global) # config system interface
FortiADC-VM (interface) # edit port10
FortiADC-VM (port10) # set vdom root
FortiADC-VM (port10) # end
Changing interface(port10) vdom from docs-vdom(233) to root(1):
change vdom success.
- Assign admin accounts to the root VDOM or delete them. For example:
FortiADC-VM (global) # config system admin
FortiADC-VM (admin) # delete docs-vdom-admin
FortiADC-VM (admin) # end
- Delete non-root VDOMs:
FortiADC-VM # config vdom
FortiADC-VM (vdom) # delete docs-vdom
FortiADC-VM (vdom) # end
- Disable VDOMs:
FortiADC-VM # config global
FortiADC-VM (global) # config system global
FortiADC-VM (global) # set vdom-admin disable
FortiADC-VM (global) # end
The system disables VDOMs and terminates your administrative session.
Viewing VDOMs
Use the following command to show the usage and settings for all VDOMs on the system:
get system vdom-status
The following example shows the system with two VDOMs set.
FortiADC-300D # get system vdom-status
root:
l4cps: 4.87/-
l7cps: 90.2/-
l7rps: 0.0/-
SSLcps: 3.7/-
SSLThroughput(KB/S): 1550.0/-
ConcurrentSession: 47.0/-
Inbound(KB/S): 255.6/-
Outbound(KB/S): 104669.0/-
VirtualServer: 21/-
RealServer: 33/33
Health Check: 5/-
Source Pool: 0/-
Error-Page: 1/-
LocalUser: 0/-
UserGroup: 2/-
vdom1:
l4cps: 0.0/-
l7cps: 0.0/-
l7rps: 0.0/-
SSLcps: 0.0/-
SSLThroughput(KB/S): 0.0/-
ConcurrentSession: 0.0/-
Inbound(KB/S): 0.0/-
Outbound(KB/S): 0.0/-
VirtualServer: 0/-
RealServer: 0/-
Health Check: 4/-
Source Pool: 0/-
Error-Page: 0/-
LocalUser: 0/-
UserGroup: 0/-
The first number represents the current usage. The second number represents the limit set. A dash (-) means no limit has been set.
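The output above is easy to turn into a per-tenant capacity check. The following Python parser is an added example, not part of the FortiADC documentation; it reads `get system vdom-status` output (the sample is constructed from the page's example) and reports every limited counter whose usage is at or above a threshold, treating "-" and 0 as "no limit" as the page describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the page's own `get system vdom-status` output.
SAMPLE_OUTPUT = """\
root:
  l4cps: 4.87/-
  SSLThroughput(KB/S): 1550.0/-
  ConcurrentSession: 47.0/-
  RealServer: 33/33
  Health Check: 5/-
vdom1:
  l4cps: 0.0/-
  RealServer: 0/-
  Health Check: 4/-
"""

# A VDOM header is "<name>:" with nothing after the colon.
_VDOM = re.compile(r"^\s*(\S+):\s*$")
# A counter line is "<name>: <usage>/<limit>", where the limit is a number or "-".
# The name may contain spaces and a slash ("Health Check", "SSLThroughput(KB/S)"),
# so it is matched up to the first colon.
_COUNTER = re.compile(r"^\s*([^:]+):\s*([\d.]+)/(-|[\d.]+)\s*$")

Status = Dict[str, Dict[str, Tuple[float, Optional[float]]]]


def parse_vdom_status(text: str) -> Status:
    """Map each VDOM to {counter: (current_usage, limit)}; limit is None for '-'."""
    status: Status = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = _VDOM.match(line)
        if m:
            current = m.group(1)
            status[current] = {}
            continue
        m = _COUNTER.match(line)
        if m and current is not None:
            name, usage, limit = m.group(1).strip(), float(m.group(2)), m.group(3)
            status[current][name] = (usage, None if limit == "-" else float(limit))
    return status


def counters_near_limit(status: Status, threshold: float = 0.9) -> List[Tuple[str, str, float]]:
    """Return (vdom, counter, usage/limit) for limited counters at or above threshold.
    A limit of None ('-') or 0 means unlimited and is skipped."""
    hits = []
    for vdom, counters in status.items():
        for name, (usage, limit) in counters.items():
            if limit and usage / limit >= threshold:
                hits.append((vdom, name, usage / limit))
    return hits
```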