Virtual Domain (VDOM) and Administrative Domain (ADOM) overview

A Virtual Domain (VDOM) is a complete FortiADC instance that runs on the FortiADC platform. A VDOM configuration object contains all of the system and feature configuration options of a full FortiADC instance, so VDOMs can be used to divide one FortiADC into two or more virtual units that function independently, allowing it to support multi-tenant deployments.

The VDOM feature supports two Virtual Domain Modes: in Independent Network mode each VDOM functions independently with its own networking, and in Share Network mode the VDOMs act as administrative domains (ADOMs) with networking shared between all ADOMs. In Independent Network mode, you can provision an administrator account with privileges to access and manage only its assigned VDOM; that administrator can then configure the VDOM as desired, independently of the other VDOMs. In Share Network mode, each VDOM functions as an ADOM that shares the same network interfaces and routing with all other ADOMs. The ADOM functionality lets the super admin constrain an administrator's privileges to a subset of server load-balancing servers, because all interface settings default to the root ADOM.

The Virtual Domains feature is not enabled by default and requires an administrator with "super admin" or "global admin" access to enable. The admin account holder (also known as the "super admin") can enable and configure all VDOMs and provision accounts with "global admin" access that grants administrators permissions to enable and configure VDOMs as well. The super admin and global admin have unrestricted access to all virtual domains that have been created on the system and can provision administrator accounts to access their assigned domains.

After the Virtual Domain feature is enabled, virtual domain administrators can enter their assigned VDOM/ADOM and see a subset of the typical menus or CLI commands appear, allowing access to only the feature configurations, logs and reports specific to their VDOM/ADOM. Unlike super admin and global admin users, VDOM/ADOM administrators do not have access to global settings.

Differences between super admin/global admin, and VDOM/ADOM administrators when virtual domains are enabled:

Capability | Super admin or global admin | VDOM/ADOM administrator
Access to global settings (config global) | Yes | No
Can create administrator accounts | Yes — administrator accounts can be assigned to access other virtual domains on the system. | Yes — administrator accounts can only be assigned access to the VDOM/ADOM administrator's own virtual domain.
Can create and access all VDOMs/ADOMs | Yes | No

Basic steps:
  1. Enable the Virtual Domain feature and select the Virtual Domain Mode.
  2. Create a VDOM or ADOM configuration object and assign administrators to the domain.
  3. If the Virtual Domain Mode is Independent Network, then assign network interfaces and administrators to the VDOM.
    Note: If the Virtual Domain Mode is Share Network (ADOM mode), all network interface settings are restricted to the root settings.
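As an added example (not Fortinet's code and not part of this handbook), the following Python script audits an exported configuration against the privilege boundaries described above: which accounts hold super admin/global admin scope, which accounts are assigned to more than one virtual domain, and which accounts hold the root ADOM in Share Network mode (and therefore read-write control of the interfaces, routing, NAT and QoS shared by every tenant). The configuration text is constructed for illustration, and the attribute names it uses (vdom-admin, is-system-admin, vdom) are assumptions modeled on the FortiOS-style config / edit / set / next / end syntax; confirm them against a real FortiADC backup before relying on the script. The Virtual Domain Mode is passed in as a parameter rather than parsed, because no field name for it is assumed here.

```python
import shlex

# Constructed sample export (not a real device backup). The attribute names
# vdom-admin, is-system-admin and vdom are assumptions modeled on the
# FortiOS-style syntax; verify them against your own FortiADC backup.
SAMPLE_CONFIG = """\
config system global
    set vdom-admin enable
end
config system admin
    edit "admin"
        set is-system-admin yes
    next
    edit "tenant-a-ops"
        set vdom "tenant-a"
    next
    edit "tenant-b-ops"
        set vdom "tenant-b" "tenant-a"
    next
    edit "noc"
        set vdom "root"
    next
end
"""


def parse_fortistyle(text):
    """Parse nested 'config X / edit Y / set K V ... / next / end' blocks into
    a dict tree, e.g. tree["system admin"]["noc"]["vdom"] == ["root"].
    Quoted values are unquoted by shlex; every 'set' keeps its values as a
    list because multi-valued settings (several VDOMs on one account) matter."""
    tree = {}
    stack = []
    cur = tree
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif keyword == "edit":
            stack.append(cur)
            cur = cur.setdefault(args[0], {})
        elif keyword == "set":
            cur[args[0]] = args[1:]
        elif keyword in ("next", "end"):
            cur = stack.pop()
        # 'unset' and any other keyword carries nothing this audit needs
    return tree


def audit_admins(config_text, vdom_mode):
    """Return a list of (account, finding) tuples for accounts whose scope a
    reviewer should confirm. vdom_mode is 'independent' or 'share', matching
    the handbook's Independent Network and Share Network modes."""
    if vdom_mode not in ("independent", "share"):
        raise ValueError("vdom_mode must be 'independent' or 'share'")
    admins = parse_fortistyle(config_text).get("system admin", {})
    findings = []
    for account, attrs in admins.items():
        if attrs.get("is-system-admin", ["no"])[0] == "yes":
            findings.append((account, "super admin/global admin scope: enters every "
                                      "VDOM/ADOM and edits global settings"))
            continue
        vdoms = attrs.get("vdom", [])
        if not vdoms:
            findings.append((account, "no virtual domain assigned; scope must be "
                                      "reviewed by hand"))
        elif len(vdoms) > 1:
            findings.append((account, "spans several virtual domains %s; confirm the "
                                      "tenants share an owner" % vdoms))
        elif vdoms[0] == "root" and vdom_mode == "share":
            findings.append((account, "root ADOM in Share Network mode: read-write over "
                                      "the interfaces, routing, NAT and QoS used by "
                                      "every ADOM"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_admins(SAMPLE_CONFIG, "share"):
        print("%-14s %s" % (account, finding))
```

Run the script against the text of a configuration backup instead of SAMPLE_CONFIG; the same account list produces one fewer finding in Independent Network mode, because a root VDOM there does not own the networking of the other VDOMs.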

GUI and CLI functional availability for administrators of VDOM, root ADOM, and non-root ADOM

For administrators provisioned to access only their assigned virtual domains, the GUI and CLI functions available to them depend on the Virtual Domain Mode and on whether their virtual domain is root or non-root. A VDOM in Independent Network mode functions within its own network, so its administrator has full, unrestricted access to every configuration inside that VDOM, and changes made there cannot affect other VDOMs on the system. An ADOM (a VDOM in Share Network mode) shares its network interfaces and routing with the root ADOM and every other ADOM, so ADOM administrators do not get full access: administrators of non-root ADOMs have read-only, partial, or no access to the GUI and CLI functions relating to networking. Read-only still means visibility: a non-root ADOM administrator can view the shared interface and routing configuration pulled from the root ADOM, so where tenants must not see the shared network configuration at all, use Independent Network mode.

The following table lists the difference in GUI/CLI function availability between root and non-root ADOM administrators.

Category | Function | Root ADOM administrator | Non-root ADOM administrator
Network | Interface | The Virtual Domain option is hidden from the Interface settings; interface settings are automatically defaulted to the root ADOM. | Read-only access for Interface settings. Data pulled from root ADOM.
Network | Routing | Read-write access for all configurations. | Read-only access for all configurations. Data pulled from root ADOM.
Network | NAT | Read-write access for all configurations. | No access. NAT is hidden.
Network | QoS | Read-write access for all configurations. | No access. QoS is hidden.
Link Load Balance | All configurations under Link Load Balance | Read-write access for all configurations. | Read-only access for all configurations. Data pulled from root ADOM.
Global Load Balance | All configurations under Global Load Balance | Read-write access for all configurations. | No access. Global Load Balance is hidden.
Network Security | Firewall | Read-write access for all configurations. | No access. Firewall is hidden.
Network Security | DoS Protection > Networking | Read-write access for all configurations. | Partial access: IP Fragmentation Protection and TCP SYN Flood Protection are hidden.
FortiView | Logical Topology | Read-write access for all configurations. | Partial access: Global Load Balance is hidden, and Link Load Balance is read-only with data pulled from root ADOM.
FortiView | Host | Read-write access for all configurations. | No access. Host is hidden.
FortiView | Data Analytics (under Global Load Balance) | Read-write access for all configurations. | No access. Data Analytics under Global Load Balance is hidden.
FortiView | Gateway | Read-write access for all configurations. | Read-only access to Link Load Balance data pulled from root ADOM. The Monitor option is hidden.
FortiView | Interfaces | Read-write access for all configurations. | All FortiADC interfaces are shown. Data pulled from root ADOM.
Log & Report | Log Setting | Read-write access for all configurations. | Partial access: Link Load Balance (LLB), Global Load Balance (GLB), and Firewall (FW) options are hidden from the Local Log and Fast Stats settings.
Log & Report | Traffic Log | Read-write access for all configurations. | Partial access: Link Load Balance (LLB) and Global Load Balance (GLB) filter options are hidden.
Log & Report | Security Log | Read-write access for all configurations. | Partial access: the Firewall filter option is hidden.
Log & Report | Event Log | Read-write access for all configurations. | Partial access: Link Load Balance (LLB), Global Load Balance (GLB), and Firewall filter options are hidden.
Log & Report | Report Setting | Read-write access for all configurations. | DNS-Top-Policy-by-Count and DNS-Top-Source-by-Count are not supported in Query Set.