CLI Reference

Appendix A: Virtual domains

This appendix describes CLI commands when you use the virtual domains feature. It includes the following topics:

Overview

A Virtual Domain (VDOM) is a complete FortiADC instance that runs on the FortiADC platform. VDOM configuration objects contain all of the system and feature configuration options of a full FortiADC instance and can be used to divide a FortiADC into two or more virtual units that function independently, allowing it to support multi-tenant deployments.

The VDOM feature supports two Virtual Domain Modes: VDOMs can function independently, each with its own networking, or as administrative domains (ADOMs) with shared networking between all ADOMs. When the VDOM is in the Independent Network mode, you can provision an administrator account with privileges to access and manage only their assigned VDOM. The VDOM user can then configure their VDOM as desired, untethered to other VDOMs. Alternatively, when the VDOM is in Share Network mode, it functions as an ADOM that shares the same networking interfaces and routing between all the ADOMs. The ADOM functionality enables the administrator to constrain access privileges to a subset of server load-balancing servers by defaulting all interface settings to the root ADOM.

The Virtual Domains feature is not enabled by default and requires an administrator with "super admin" or "global admin" access to enable. The admin account holder (also known as the "super admin") can enable and configure all VDOMs and provision accounts with "global admin" access that grants administrators permissions to enable and configure VDOMs as well. The super admin and global admin have unrestricted access to all virtual domains that have been created on the system and can provision administrator accounts to access their assigned domains.

After the Virtual Domain feature is enabled, virtual domain administrators can enter their assigned VDOM/ADOM and see a subset of the typical menus or CLI commands appear, allowing access to only the feature configurations, logs and reports specific to their VDOM/ADOM. Unlike super admin and global admin users, VDOM/ADOM administrators do not have access to global settings.

Differences between super admin/global admin, and VDOM/ADOM administrators when virtual domains are enabled:

| | Super admin or global admin user | VDOM/ADOM administrators |
| --- | --- | --- |
| Access to global settings (config global) | Yes | No |
| Can create administrator accounts | Yes — administrator accounts can be assigned to access other virtual domains on the system. | Yes — administrator accounts can only be assigned access to the VDOM/ADOM administrator's own virtual domain. |
| Can create and access all VDOMs/ADOMs | Yes | No |

GUI and CLI functional availability for administrators of VDOM, root ADOM, and non-root ADOM

For administrators provisioned to access only their assigned virtual domains, the GUI and CLI functions available to them depend on their Virtual Domain Mode and whether their virtual domain is root or non-root. Administrators of VDOMs in the Independent Network mode have full unrestricted access to all configurations within their own VDOM; as these VDOMs function independently within their own network, modifications can be made without affecting other VDOMs on the system. In contrast, administrators of ADOMs (VDOMs in Share Network mode) do not have full access to all configurations, because all ADOMs share the same network interfaces and routing as the root ADOM. As a result, administrators of non-root ADOMs have restricted access, partial access, or no access at all to GUI and CLI functions relating to networking.

The following table lists the difference in CLI function availability between root and non-root ADOM administrators.

| Configuration | Root ADOM | Non-root ADOM |
| --- | --- | --- |
| config system | | |
| interface | set vdom is not available since interface settings are automatically defaulted to the root ADOM. | Read-only access for interface settings. Data pulled from root ADOM. |
| config link-load-balance | | |
| flow-policy | Read-write access. | Read-only access. Data pulled from root ADOM. |
| gateway | Read-write access. | Read-only access. Data pulled from root ADOM. |
| link-group | Read-write access. | Read-only access. Data pulled from root ADOM. |
| persistence | Read-write access. | Read-only access. Data pulled from root ADOM. |
| proximity-route | Read-write access. | Read-only access. Data pulled from root ADOM. |
| virtual-tunnel | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config router | | |
| access-list | Read-write access. | Read-only access. Data pulled from root ADOM. |
| access-list6 | Read-write access. | Read-only access. Data pulled from root ADOM. |
| bgp | Read-write access. | Read-only access. Data pulled from root ADOM. |
| isp | Read-write access. | Read-only access. Data pulled from root ADOM. |
| md5-ospf | Read-write access. | Read-only access. Data pulled from root ADOM. |
| ospf | Read-write access. | Read-only access. Data pulled from root ADOM. |
| policy | Read-write access. | Read-only access. Data pulled from root ADOM. |
| prefix-list | Read-write access. | Read-only access. Data pulled from root ADOM. |
| prefix-list6 | Read-write access. | Read-only access. Data pulled from root ADOM. |
| setting | Read-write access. | Read-only access. Data pulled from root ADOM. |
| static | Read-write access. | Read-only access. Data pulled from root ADOM. |
| config firewall | | |
| connlimit | Read-write access. | Not available. |
| connlimit6 | Read-write access. | Not available. |
| nat-snat | Read-write access. | Not available. |
| policy | Read-write access. | Not available. |
| policy6 | Read-write access. | Not available. |
| qos-filter | Read-write access. | Not available. |
| qos-filter6 | Read-write access. | Not available. |
| qos-queue | Read-write access. | Not available. |
| vip | Read-write access. | Not available. |
| config security dos | | |
| dos-protection-profile | Read-write access. | Read-write access. |
| http-access-limit | Read-write access. | Read-write access. |
| http-connection-flood-protection | Read-write access. | Read-write access. |
| http-request-flood-protection | Read-write access. | Read-write access. |
| ip-fragmentation-protection | Read-write access. | Not available. |
| tcp-access-flood-protection | Read-write access. | Read-write access. |
| tcp-slowdata-attack-protection | Read-write access. | Read-write access. |
| tcp-synflood-protection | Read-write access. | Not available. |
| config global-dns-server | | |
| address-group | Read-write access. | Not available. |
| dns64 | Read-write access. | Not available. |
| dsset-info-list | Read-write access. | Not available. |
| general | Read-write access. | Not available. |
| policy | Read-write access. | Not available. |
| remote-dns-server | Read-write access. | Not available. |
| response-rate-limit | Read-write access. | Not available. |
| trust-anchor-key | Read-write access. | Not available. |
| zone | Read-write access. | Not available. |
| config global-load-balance | | |
| analytic | Read-write access. | Not available. |
| data-center | Read-write access. | Not available. |
| host | Read-write access. | Not available. |
| link | Read-write access. | Not available. |
| servers | Read-write access. | Not available. |
| setting | Read-write access. | Not available. |
| topology | Read-write access. | Not available. |
| virtual-server-pool | Read-write access. | Not available. |

Enabling the Virtual Domain feature and selecting the Virtual Domain Mode

Before you begin:
  • Save a backup of the configuration. Enabling VDOMs changes the structure of your configuration, so you want to be able to easily revert to the system state before VDOMs were enabled.
To enable the Virtual Domain feature and select the Virtual Domain Mode:
  1. Log in as the admin administrator or global administrator. Other administrators do not have permissions to configure VDOMs.

  2. Use the following command:

    config system global
    set vdom-admin {enable|disable}
    set vdom-mode {independent-network|share-network}
    end

    vdom-admin

    Enable the Virtual Domain feature.

    vdom-mode

    Select either of the following virtual domain modes:

    • independent-network — each VDOM functions independently within its own network, unaffected by activity from other VDOMs on the system.
    • share-network — VDOMs function as administrative domains (ADOMs), sharing the same network interface and routing between all ADOMs.

    FortiADC terminates your administrative session.

  3. Log in again. When VDOMs are enabled, and if you log in as admin or global admin, the top level of the shell changes: the two top level items are config global and config vdom.

    • config global contains settings that only admin or other accounts with the prof_admin access profile can change.
    • config vdom contains each VDOM and its respective settings.

    This menu and CLI structure change is not visible to non-global accounts; VDOM administrators’ navigation menus continue to appear similarly to when VDOMs are disabled, except that global settings such as network interfaces, HA, and other global settings do not appear.

  4. Continue by defining VDOMs.

    Creating virtual domains

    Some settings can only be configured by the admin administrator or global administrator — they are global. Global settings apply to the appliance overall regardless of VDOM, such as:

    • network interfaces
    • system time
    • backups
    • administrator accounts
    • access profiles
    • FortiGuard connectivity settings
    • HA and configuration sync
    • SNMP
    • X.509 certificates
    • TCP SYN flood anti-DoS setting
    • exec ping and other global operations that exist only in the CLI

    Only the admin administrator or global administrator can configure global settings.

    Other settings can be configured separately for each VDOM. They essentially define each VDOM. For example, the policies of VDOM-A are separate from VDOM-B.

    Initially, only the root VDOM exists, and it contains settings such as policies that were global before VDOMs were enabled. Typically, you will create additional VDOMs, and few if any administrators will be assigned to the root VDOM. After VDOMs are created, the admin account or global admin usually assigns other administrator accounts to configure their VDOM-specific settings. However, as the root account, the admin administrator does have permission to configure all settings, including those within VDOMs.

    To create a VDOM:
    1. Log in with the admin account. Other administrators do not have permissions to configure VDOMs.

    2. Enter the following commands:

      config vdom
      edit <VDOM_name>

      where <VDOM_name> is the name of your new VDOM. (Alternatively, to configure the default root VDOM, type root.)

    The new VDOM exists, but its settings are not yet configured.

    Editing a virtual domain

    For virtual domains in Independent Network mode, FortiADC allows you to create and impose custom policies or restrictions on each virtual domain you have added. You can modify the dynamic and static parameters of each VDOM by following the instructions below. Dynamic parameters determine how much of a dynamic resource, such as connections per second, a VDOM can use. Static parameters determine how much of a static resource, such as real servers, a VDOM can use.

    To edit a virtual domain:

    1. Enable vdom.

    2. Execute the following commands. A value of 0 means the parameter has no limit.

      config global
      config system vdom
      edit <VDOM_name>
      L4CPS : 0
      L7CPS : 0
      L7RPS : 0
      SSLCPS : 0
      SSLTHROUGHPUT : 0
      CONCURRENTSESSION : 0
      virtualserver : 0
      realserver : 0
      healthcheck : 0
      sourcepool : 0
      errorpage : 0
      localuser : 0
      usergroup : 0
      INBOUND : 0
      OUTBOUND : 0

    Dynamic parameters

    L4CPS

    The number of layer 4 connections created per second. When the creation speed exceeds this value, only this number of connections will be created per second. The rest will be dropped.

    L7CPS

    The number of layer 7 TCP connections created by the httproxy frontend per second. When the creation speed exceeds this value, only this number of connections will be created per second. Additional TCP SYN requests will be dropped on the client side.

    L7RPS

    The number of HTTP GET requests handled by the httproxy from the client side per second. When the number of requests per second exceeds this value, only this number of requests will be handled. Additional HTTP GET requests will be dropped.

    SSLCPS

    The number of SSL connections created by the httproxy frontend per second. When the creation speed of new SSL connections exceeds this value, only this number of connections will be created per second. Additional connections will not be allowed and additional SYN packets will be dropped during that second.

    SSLTHROUGHPUT

    The volume of SSL encrypted TCP traffic from both the incoming and outgoing side. When the traffic throughput exceeds this value, additional packets from the client will be dropped and new connections will not be allowed.

    CONCURRENTSESSION

    The total number of living connections for ADC traffic. Living connections include L4, L7, and L7 SSL. When the number of living connections exceeds this number, additional connections will not be allowed.

    INBOUND

    The maximum volume of inbound traffic allowed. Only L4 and L7 SLB TCP traffic will be counted.

    OUTBOUND

    The maximum volume of outbound traffic allowed. Only L4 and L7 SLB TCP traffic will be counted.

    Static parameters

    virtualserver

    The maximum number of virtual servers that can be configured using "config load-balance virtual-server" in the chosen VDOM.

    realserver

    The maximum number of real servers that can be configured using "config load-balance real-server" in the chosen VDOM.

    healthcheck

    The maximum number of healthcheck members that can be configured using "config system health-check" in the chosen VDOM.

    sourcepool

    The maximum number of IP pools that can be configured using "config load-balance ippool" in the chosen VDOM.

    errorpage

    The maximum number of error page files that can be configured using "config load-balance error-page" in the chosen VDOM.

    localuser

    The maximum number of local users that can be configured using "config user local" in the chosen VDOM.

    usergroup

    The maximum number of user groups that can be configured using "config user user-group" in the chosen VDOM.

    Assigning interfaces to a virtual domain

    For virtual domains in Independent Network mode, you need to assign network interfaces to the virtual domain. If the Virtual Domain Mode is Share Network (ADOM mode), all network interface settings are defaulted to the root settings, so assigning network interfaces is unnecessary.

    The following commands assign a network interface to a VDOM:

    FortiADC-VM # config global
    FortiADC-VM (global) # config system interface
    FortiADC-VM (interface) # edit port10
    FortiADC-VM (port10) # set vdom docs-vdom
    FortiADC-VM (port10) # end
    Changing interface(port10) vdom from root(1) to docs-vdom(233):
    change vdom success.

    Assigning administrators to a virtual domain

    The following commands create an administrator account and assign the administrator to a VDOM or ADOM:

    FortiADC-VM # config global
    FortiADC-VM (global) # config system admin
    FortiADC-VM (admin) # edit docs-vdom-admin
    Add new entry 'docs-vdom-admin' for node 78
    FortiADC-VM (docs-vdom-admin) # set access-profile admin_prof
    FortiADC-VM (docs-vdom-admin) # set vdom docs-vdom
    FortiADC-VM (docs-vdom-admin) # end

    Disabling virtual domains

    You may need to disable virtual domains in certain scenarios, such as switching to a different Virtual Domain Mode.

    Before you begin:
    • Save a backup of the configuration. Disabling virtual domains changes the structure of your configuration, and deletes most virtual domain related settings. It keeps settings from the root VDOM or ADOM only.
    To disable virtual domains:
    1. Assign interfaces to the root VDOM. For example:

      FortiADC-VM # config global
      FortiADC-VM (global) # config system interface
      FortiADC-VM (interface) # edit port10
      FortiADC-VM (port10) # set vdom root
      FortiADC-VM (port10) # end
      Changing interface(port10) vdom from docs-vdom(233) to root(1):
      change vdom success.

    2. Assign admin accounts to the root VDOM or delete them. For example:

      FortiADC-VM (global) # config system admin
      FortiADC-VM (admin) # delete docs-vdom-admin
      FortiADC-VM (admin) # end

    3. Delete non-root VDOMs:

      FortiADC-VM # config vdom
      FortiADC-VM (vdom) # delete docs-vdom
      FortiADC-VM (vdom) # end

    4. Disable VDOMs:

      FortiADC-VM # config global
      FortiADC-VM (global) # config system global
      FortiADC-VM (global) # set vdom-admin disable
      FortiADC-VM (global) # end

    The system disables VDOMs and terminates your administrative session.

    Viewing virtual domains

    Use the following command to show the usage and settings for all VDOMs or ADOMs on the system:

    get system vdom-status

    The following example shows the system with two VDOMs set.

    FortiADC-300D # get system vdom-status
    root:
    l4cps: 4.87/-
    l7cps: 90.2/-
    l7rps: 0.0/-
    SSLcps: 3.7/-
    SSLThroughput(KB/S): 1550.0/-
    ConcurrentSession: 47.0/-
    Inbound(KB/S): 255.6/-
    Outbound(KB/S): 104669.0/-
    VirtualServer: 21/-
    RealServer: 33/33
    Health Check: 5/-
    Source Pool: 0/-
    Error-Page: 1/-
    LocalUser: 0/-
    UserGroup: 2/-
    vdom1:
    l4cps: 0.0/-
    l7cps: 0.0/-
    l7rps: 0.0/-
    SSLcps: 0.0/-
    SSLThroughput(KB/S): 0.0/-
    ConcurrentSession: 0.0/-
    Inbound(KB/S): 0.0/-
    Outbound(KB/S): 0.0/-
    VirtualServer: 0/-
    RealServer: 0/-
    Health Check: 4/-
    Source Pool: 0/-
    Error-Page: 0/-
    LocalUser: 0/-
    UserGroup: 0/-

    The first number represents the current usage. The second number represents the limit set. A dashed line means no limit has been set.
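The usage/limit pairs in this output can be checked automatically to find VDOMs that have no limit on a resource or are running close to one, which matters when several tenants share the appliance. The following Python script is an added example, not Fortinet code; the sample text, the tenant-a VDOM, the 90% warning threshold and the choice to exempt root from the no-limit check are assumptions.

```python
import re

# Constructed sample in the layout of the `get system vdom-status` output above.
# The "tenant-a" VDOM and its numbers are made up for this example.
SAMPLE = """\
FortiADC-300D # get system vdom-status
root:
l4cps: 4.87/-
SSLThroughput(KB/S): 1550.0/-
ConcurrentSession: 47.0/-
RealServer: 33/33
Health Check: 5/-
tenant-a:
l4cps: 120.0/500
SSLThroughput(KB/S): 9800.0/10000
ConcurrentSession: 40.0/2000
RealServer: 4/16
Health Check: 2/-
"""

# A VDOM header is a single token followed by a colon and nothing else.
VDOM_RE = re.compile(r"([^\s:#]+):")
# A metric line is "<name>: <usage>/<limit>", where <limit> may be "-".
METRIC_RE = re.compile(r"([^:#]+):\s*(\d+(?:\.\d+)?)\s*/\s*(-|\d+(?:\.\d+)?)")


def parse_vdom_status(text):
    """Return {vdom: {metric: (usage, limit)}}; limit is None when shown as '-'."""
    status, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = VDOM_RE.fullmatch(line)
        if header:
            current = status.setdefault(header.group(1), {})
            continue
        metric = METRIC_RE.fullmatch(line)
        if metric and current is not None:
            limit = None if metric.group(3) == "-" else float(metric.group(3))
            current[metric.group(1).strip()] = (float(metric.group(2)), limit)
        # Anything else (CLI prompt, blank lines) is ignored.
    return status


def audit(status, warn_ratio=0.9, exempt=("root",)):
    """List (vdom, metric, finding) tuples.

    "no-limit":   the limit column is '-', so the VDOM can consume the
                  resource without bound (skipped for VDOMs in `exempt`,
                  an assumed policy choice).
    "near-limit": usage is at or above warn_ratio of the configured limit.
    """
    findings = []
    for vdom, metrics in status.items():
        for name, (used, limit) in metrics.items():
            if limit is None:
                if vdom not in exempt:
                    findings.append((vdom, name, "no-limit"))
            elif limit > 0 and used / limit >= warn_ratio:
                findings.append((vdom, name, "near-limit"))
    return findings


if __name__ == "__main__":
    for vdom, name, finding in audit(parse_vdom_status(SAMPLE)):
        print(f"{vdom}: {name}: {finding}")
```
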


    FortiADC-VM (port10) # end

    Changing interface(port10) vdom from root(1) to docs-vdom(233):

    change vdom success.

    Assigning administrators to a virtual domain

    The following commands create an administrator account and assign the administrator to a VDOM or ADOM:

    FortiADC-VM # config global

    FortiADC-VM (global) # config system admin

    FortiADC-VM (admin) # edit docs-vdom-admin

    Add new entry 'docs-vdom-admin' for node 78

    FortiADC-VM (docs-vdom-admin) # set access-profile admin_prof

    FortiADC-VM (docs-vdom-admin) # set vdom docs-vdom

    FortiADC-VM (docs-vdom-admin) # end

    Disabling virtual domains

    You may need to disable virtual domains in certain scenarios, such as switching to a different Virtual Domain Mode.

    Before you begin:
    • Save a backup of the configuration. Disabling virtual domains changes the structure of your configuration, and deletes most virtual domain related settings. It keeps settings from the root VDOM or ADOM only.
    To disable virtual domains:
    1. Assign interfaces to the root VDOM. For example:

      FortiADC-VM # config global

      FortiADC-VM (global) # config system interface

      FortiADC-VM (interface) # edit port10

      FortiADC-VM (port10) # set vdom root

      FortiADC-VM (port10) # end

      Changing interface(port10) vdom from docs-vdom(233) to root(1):

      change vdom success.

    2. Assign admin accounts to the root VDOM or delete them. For example:

      FortiADC-VM (global) # config system admin

      FortiADC-VM (admin) # delete docs-vdom-admin

      FortiADC-VM (admin) # end

    3. Delete non-root VDOMs:

      FortiADC-VM # config vdom

      FortiADC-VM (vdom) # delete docs-vdom

      FortiADC-VM (vdom) # end

    4. Disable VDOMs:

    FortiADC-VM # config global

    FortiADC-VM (global) # config system global

    FortiADC-VM (global) # set vdom-admin disable

    FortiADC-VM (global) # end

    The system disables VDOMs and terminates your administrative session.

    Viewing virtual domains

    Use the following command to show the usage and settings for all VDOMs or ADOMs on the system:

    get system vdom-status

    The following example shows the system with two VDOMs set.

    FortiADC-300D # get system vdom-status

    root:

    l4cps: 4.87/-

    l7cps: 90.2/-

    l7rps: 0.0/-

    SSLcps: 3.7/-

    SSLThroughput(KB/S): 1550.0/-

    ConcurrentSession: 47.0/-

    Inbound(KB/S): 255.6/-

    Outbound(KB/S): 104669.0/-

    VirtualServer: 21/-

    RealServer: 33/33

    Health Check: 5/-

    Source Pool: 0/-

    Error-Page: 1/-

    LocalUser: 0/-

    UserGroup: 2/-

    vdom1:

    l4cps: 0.0/-

    l7cps: 0.0/-

    l7rps: 0.0/-

    SSLcps: 0.0/-

    SSLThroughput(KB/S): 0.0/-

    ConcurrentSession: 0.0/-

    Inbound(KB/S): 0.0/-

    Outbound(KB/S): 0.0/-

    VirtualServer: 0/-

    RealServer: 0/-

    Health Check: 4/-

    Source Pool: 0/-

    Error-Page: 0/-

    LocalUser: 0/-

    UserGroup: 0/-

    The first number represents the current usage. The second number represents the limit set. A dash (-) means no limit has been set.
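
    On a multi-tenant system, a VDOM with no limit on a dynamic resource can consume capacity that other VDOMs depend on. The following added example (not part of the FortiADC documentation) parses saved `get system vdom-status` output and flags dynamic counters with no limit and any counter at or above a usage threshold. The function names, the 0.9 threshold and the sample text (abbreviated from the output above, with one constructed limit) are assumptions.

```python
import re

# Sample input: abbreviated from the page's `get system vdom-status` example,
# with a constructed limit on vdom1's l4cps to exercise the threshold check.
SAMPLE = """\
root:
l4cps: 4.87/-
SSLThroughput(KB/S): 1550.0/-
ConcurrentSession: 47.0/-
RealServer: 33/33
Health Check: 5/-
vdom1:
l4cps: 950.0/1000
ConcurrentSession: 0.0/-
RealServer: 0/-
"""

# Dynamic (rate/volume) counters, normalised to lowercase without spaces.
DYNAMIC = {"l4cps", "l7cps", "l7rps", "sslcps", "sslthroughput",
           "concurrentsession", "inbound", "outbound"}

# "<name>[(unit)]: <used>/<limit or ->"
LINE = re.compile(r"^(?P<name>[^:]+?)(?:\([^)]*\))?:\s*(?P<used>[\d.]+)/(?P<limit>-|[\d.]+)$")

def parse_vdom_status(text):
    """Return {vdom: {counter: (used, limit)}}; limit is None when shown as '-'."""
    vdoms, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m:
            if current is None:
                raise ValueError("counter before any VDOM header: %r" % line)
            limit = None if m["limit"] == "-" else float(m["limit"])
            current[m["name"].strip()] = (float(m["used"]), limit)
        elif line.endswith(":"):  # a VDOM header such as "root:"
            current = vdoms.setdefault(line[:-1], {})
    return vdoms

def audit(vdoms, threshold=0.9):
    """Flag unlimited dynamic counters and counters at or above the threshold."""
    findings = []
    for vdom, counters in vdoms.items():
        for name, (used, limit) in counters.items():
            key = name.replace(" ", "").lower()
            if limit is None and key in DYNAMIC:
                findings.append((vdom, name, "no-limit"))
            elif limit and used / limit >= threshold:
                findings.append((vdom, name, "near-limit"))
    return findings
```

    Static counters with no limit are not flagged here; extend the `DYNAMIC` set if those should also be reported.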