Virtual Domain (VDOM) and Administrative Domain (ADOM) overview
A Virtual Domain (VDOM) is a complete FortiADC instance that runs on the FortiADC platform. VDOM configuration objects contain all of the system and feature configuration options of a full FortiADC instance and can be used to divide a FortiADC into two or more virtual units that function independently, allowing it to support multi-tenant deployments.
The VDOM feature supports two Virtual Domain Modes. In Independent Network mode, each VDOM functions independently with its own networking; in Share Network mode, VDOMs function as administrative domains (ADOMs) that share networking between all ADOMs. When the VDOM is in Independent Network mode, you can provision an administrator account with privileges to access and manage only its assigned VDOM. The VDOM user can then configure that VDOM as desired, independently of other VDOMs. Alternatively, when the VDOM is in Share Network mode, it functions as an ADOM that shares the same networking interfaces and routing with all other ADOMs. The ADOM functionality enables the administrator to constrain access privileges to a subset of server load-balancing servers by defaulting all interface settings to the root ADOM.
The Virtual Domains feature is not enabled by default and requires an administrator with "super admin" or "global admin" access to enable. The admin account holder (also known as the "super admin") can enable and configure all VDOMs and provision accounts with "global admin" access that grants administrators permissions to enable and configure VDOMs as well. The super admin and global admin have unrestricted access to all virtual domains that have been created on the system and can provision administrator accounts to access their assigned domains.
After the Virtual Domain feature is enabled, virtual domain administrators can enter their assigned VDOM/ADOM and see only a subset of the usual menus or CLI commands, giving them access to just the feature configurations, logs and reports specific to their VDOM/ADOM. Unlike super admin and global admin users, VDOM/ADOM administrators do not have access to global settings.
Differences between super admin/global admin and VDOM/ADOM administrators when virtual domains are enabled:

| | Super admin or global admin user | VDOM/ADOM administrators |
|---|---|---|
| Access to global settings | Yes | No |
| Can create administrator accounts | Yes — administrator accounts can be assigned to access other virtual domains on the system. | Yes — administrator accounts can only be assigned access to the VDOM/ADOM administrator's own virtual domain. |
| Can create and access all VDOMs/ADOMs | Yes | No |
Basic steps:
- Enable the Virtual Domain feature and select the Virtual Domain Mode.
- Create a VDOM or ADOM configuration object and assign administrators to the domain.
- If the Virtual Domain Mode is Independent Network, then assign network interfaces and administrators to the VDOM.
Note: If the Virtual Domain Mode is Share Network (ADOM mode), all network interface settings are restricted to the root settings.
GUI and CLI functional availability for administrators of VDOM, root ADOM, and non-root ADOM
For administrators provisioned to access only their assigned virtual domains, the GUI and CLI functions available to them depend on the Virtual Domain Mode and on whether their virtual domain is root or non-root. Administrators of VDOMs in Independent Network mode have full, unrestricted access to all configurations within their own VDOM; because each such VDOM functions independently within its own network, changes can be made without affecting other VDOMs on the system. In contrast, administrators of ADOMs (VDOMs in Share Network mode) do not have full access to all configurations, because all ADOMs share the same network interfaces and routing as the root ADOM. As a result, administrators of non-root ADOMs have restricted, partial, or no access to GUI and CLI functions relating to networking.
The following table lists the difference in GUI/CLI function availability between root and non-root ADOM administrators.
| Category | Configuration | Root ADOM | Non-root ADOM |
|---|---|---|---|
| Network | Interface | Virtual Domain option is hidden from the Interface settings. The interface settings are automatically defaulted to the root ADOM. | Read-only access for Interface settings. Data pulled from root ADOM. |
| Network | Routing | Read-write access for all configurations. | Read-only access for all configurations. Data pulled from root ADOM. |
| Network | NAT | Read-write access for all configurations. | No access to configurations. NAT is hidden. |
| Network | QoS | Read-write access for all configurations. | No access to configurations. QoS is hidden. |
| Link Load Balance | All configurations under Link Load Balance | Read-write access for all configurations. | Read-only access for all configurations. Data pulled from root ADOM. |
| Global Load Balance | All configurations under Global Load Balance | Read-write access for all configurations. | No access to any configurations. Global Load Balance is hidden. |
| Network Security | Firewall | Read-write access for all configurations. | No access to any configurations. Firewall is hidden. |
| Network Security | DoS Protection: Networking | Read-write access for all configurations. | Partial access: IP Fragmentation Protection and TCP SYN Flood Protection are hidden. |
| FortiView | Logical Topology | Read-write access for all configurations. | Partial access: Global Load Balance is hidden, and Link Load Balance is read-only with data pulled from root ADOM. |
| FortiView | Host | Read-write access for all configurations. | No access to any configurations. Host is hidden. |
| FortiView | Data Analytics (under Global Load Balance) | Read-write access for all configurations. | No access to any configurations. Data Analytics under Global Load Balance is hidden. |
| FortiView | Gateway | Read-write access for all configurations. | Read-only access to Link Load Balance data pulled from root ADOM. The Monitor option is hidden. |
| FortiView | Interfaces | Read-write access for all configurations. | All FortiADC interfaces are shown. Data pulled from root ADOM. |
| Log & Report | Log Setting | Read-write access for all configurations. | Partial access: Link Load Balance (LLB), Global Load Balance (GLB), and Firewall (FW) options are hidden from the Local Log and Fast Stats settings. |
| Log & Report | Traffic Log | Read-write access for all configurations. | Partial access: Link Load Balance (LLB) and Global Load Balance (GLB) filter options are hidden. |
| Log & Report | Security Log | Read-write access for all configurations. | Partial access: Firewall filter option is hidden. |
| Log & Report | Event Log | Read-write access for all configurations. | Partial access: Link Load Balance (LLB), Global Load Balance (GLB), and Firewall filter options are hidden. |
| Log & Report | Report Setting | Read-write access for all configurations. | DNS-Top-Policy-by-Count and DNS-Top-Source-by-Count are not supported in Query Set. |
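The access rules on this page (who may enable virtual domains, which domains an administrator may grant to a new account, and what a non-root ADOM administrator can see versus an Independent Network VDOM or root ADOM administrator) can be modelled as a small policy evaluator. The following is an added example written for this page, not FortiADC code: the `Mode`, `Access` and `Admin` names, the `NON_ROOT_ADOM` matrix and the sample administrators and account requests are constructed for illustration, and configuration items absent from the availability table are assumed to be read-write for non-root ADOM administrators, consistent with the page restricting only networking-related functions. The provisioning check is the kind of review a defender can run over a planned set of admin accounts before applying them, to catch a VDOM-scoped administrator being granted a domain outside its own.

```python
"""Model of the FortiADC virtual-domain access rules described on this page.

Added example, not FortiADC code: the names below and the sample data are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    INDEPENDENT = "independent-network"  # VDOM mode: own interfaces and routing
    SHARE = "share-network"              # ADOM mode: networking shared with root


class Access(Enum):
    READ_WRITE = "read-write"
    READ_ONLY = "read-only, data pulled from root ADOM"
    PARTIAL = "partial"
    HIDDEN = "hidden"


# Non-root ADOM restrictions from the availability table, keyed by
# (category, configuration); "*" covers every configuration in a category.
# Items not listed are treated as read-write (assumption, see lead-in).
NON_ROOT_ADOM: Dict[Tuple[str, str], Access] = {
    ("Network", "Interface"): Access.READ_ONLY,
    ("Network", "Routing"): Access.READ_ONLY,
    ("Network", "NAT"): Access.HIDDEN,
    ("Network", "QoS"): Access.HIDDEN,
    ("Link Load Balance", "*"): Access.READ_ONLY,
    ("Global Load Balance", "*"): Access.HIDDEN,
    ("Network Security", "Firewall"): Access.HIDDEN,
    ("Network Security", "DoS Protection"): Access.PARTIAL,
    ("FortiView", "Logical Topology"): Access.PARTIAL,
    ("FortiView", "Host"): Access.HIDDEN,
    ("FortiView", "Data Analytics"): Access.HIDDEN,
    ("FortiView", "Gateway"): Access.PARTIAL,
    ("FortiView", "Interfaces"): Access.READ_ONLY,
    ("Log & Report", "Log Setting"): Access.PARTIAL,
    ("Log & Report", "Traffic Log"): Access.PARTIAL,
    ("Log & Report", "Security Log"): Access.PARTIAL,
    ("Log & Report", "Event Log"): Access.PARTIAL,
    ("Log & Report", "Report Setting"): Access.PARTIAL,
}


def access_level(mode: Mode, is_root: bool, category: str, configuration: str) -> Access:
    """Access a domain administrator gets to one configuration item.

    Independent Network VDOM admins and the root ADOM admin are unrestricted
    within their own domain; non-root ADOM admins follow the table above.
    """
    if mode is Mode.INDEPENDENT or is_root:
        return Access.READ_WRITE
    exact = NON_ROOT_ADOM.get((category, configuration))
    if exact is not None:
        return exact
    return NON_ROOT_ADOM.get((category, "*"), Access.READ_WRITE)


def hidden_for_non_root_adom() -> List[str]:
    """Menu items a non-root ADOM administrator does not see at all."""
    return sorted(f"{cat} > {cfg}" for (cat, cfg), lvl in NON_ROOT_ADOM.items()
                  if lvl is Access.HIDDEN)


@dataclass(frozen=True)
class Admin:
    name: str
    role: str            # "super", "global" or "vdom"
    vdom: Optional[str]  # home domain for the "vdom" role, None otherwise


def can_enable_vdom_feature(actor: Admin) -> bool:
    """Only super admin and global admin may enable and configure virtual domains."""
    return actor.role in ("super", "global")


def can_assign(actor: Admin, target_vdom: str) -> bool:
    """Super/global admins may grant any domain; a VDOM/ADOM admin only its own."""
    if actor.role in ("super", "global"):
        return True
    return actor.role == "vdom" and actor.vdom == target_vdom


def provisioning_violations(requests: List[Tuple[str, str, str]],
                            admins: List[Admin]) -> List[str]:
    """Names of requested accounts whose creator may not grant the target domain.

    requests are (new_account_name, target_vdom, creator_name) triples; an
    unknown creator is reported too, since nothing vouches for the request.
    """
    by_name = {a.name: a for a in admins}
    bad = []
    for account, target, creator in requests:
        actor = by_name.get(creator)
        if actor is None or not can_assign(actor, target):
            bad.append(account)
    return bad


# Constructed sample data for a stand-alone run.
SAMPLE_ADMINS = [Admin("admin", "super", None), Admin("ops-global", "global", None),
                 Admin("tenant-a-admin", "vdom", "tenant-a")]
SAMPLE_REQUESTS = [
    ("tenant-b-ops", "tenant-b", "admin"),             # super admin: allowed
    ("tenant-a-ops", "tenant-a", "tenant-a-admin"),    # own domain: allowed
    ("tenant-b-sneak", "tenant-b", "tenant-a-admin"),  # other domain: violation
    ("orphan", "tenant-a", "nobody"),                  # unknown creator: violation
]

if __name__ == "__main__":
    print(access_level(Mode.SHARE, False, "Network", "NAT").value)
    print(hidden_for_non_root_adom())
    print(provisioning_violations(SAMPLE_REQUESTS, SAMPLE_ADMINS))
```

Running the block prints the hidden NAT entry for a non-root ADOM, the full list of hidden menu items, and the two offending account requests. The evaluator keeps the three rules separate on purpose: the mode/root decision is made before any table lookup, so an Independent Network VDOM never inherits ADOM restrictions by accident, and `provisioning_violations` treats an unrecognised creator as a failure rather than silently allowing it.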