Handbook

Configuring additional VDOMs

6.0.0
Configuring additional VDOMs

This section contains the following topics:

  • Creating a VDOM
  • Changing the management VDOM
  • Assigning interfaces to a VDOM
  • Per-VDOM administrators
  • Certificate management
  • Security profiles
  • Disabling a VDOM
  • Deleting a VDOM

Creating a VDOM

Note: FortiGate performance might be reduced if you create a large number of VDOMs.

To create new VDOMs, you must use a super_admin profile account and connect to the management VDOM (the root VDOM, by default).

By default, new VDOMs are set to NAT mode. If you want a VDOM to be in transparent mode, you must manually change the operation mode using the CLI. For more information, see Transparent mode.

To create a VDOM - GUI:
  1. Connect to the management VDOM.
  2. Go to Global > System > VDOM and select Create New.
  3. Enter a unique Name. VDOM names have the following restrictions:
    • Only letters, numbers, “-”, and “_” are allowed
    • No more than 11 characters are allowed
    • No spaces are allowed
    • VDOMs can't have the same names as interfaces, zones, switch interfaces, or other VDOMs
  4. Enter a short and descriptive comment to identify this VDOM.
  5. Select OK.
To create a VDOM - CLI:

config global
    config system vdom
        edit <new_vdom_name>
        next
    end
end

Note: If you attempt to edit an existing VDOM in the CLI and mistype the name, a new VDOM is created with this name.

The new VDOM can either be renamed or deleted. For more information, see Deleting a VDOM.

Changing the management VDOM

Note: You can't change the management VDOM if any administrators are using RADIUS authentication.

Once you have two or more VDOMs, you can change the management VDOM. The management VDOM must have Internet access.

You use the management VDOM to access global settings on the FortiGate, as well as for the following services:

  • DNS lookups
  • Logging to a FortiAnalyzer or syslog
  • FortiGuard service
  • Sending alert emails
  • Network time protocol traffic (NTP)
  • Sending SNMP traps
  • Quarantining suspicious files and email
To change the management VDOM - GUI:
  1. Select Global > System > VDOM.
  2. Select the new management VDOM.
  3. Select Switch Management.
  4. Select OK to confirm the change.
To change the management VDOM - CLI:

config global
    config system global
        set management-vdom <vdom_name>
    end
end

Assigning interfaces to a VDOM

You can assign an interface to only a single VDOM. By default, all interfaces are assigned to the root VDOM.

If the existing configuration references an interface, you won't be able to change the VDOM assignment for that interface. Because some FortiGate models have a default configuration, you might need to delete existing policies and routes to assign a particular interface to a new VDOM.

To assign an interface to a VDOM - GUI:
  1. Connect to the management VDOM.
  2. Go to Global > Network > Interfaces and edit the interface.
  3. Set Virtual Domain to the appropriate VDOM.
  4. Select OK.
To assign an interface to a VDOM - CLI:

config global
    config system interface
        edit <interface_name>
            set vdom <VDOM_name>
        next
    end
end
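The two CLI procedures above (creating a VDOM, then moving an interface into it) as one complete FortiOS CLI session. This is an added example, not text from the handbook: the VDOM name dmz, the interface port3 and the choice of management protocols are assumptions for illustration, and the lines starting with "#" are annotations. It also adds the check a practitioner wants after the "edit" step, because a mistyped name silently creates a second VDOM rather than failing.

```text
# Added example (assumed names: VDOM "dmz", interface "port3").
# Run as a super_admin account connected to the management VDOM.
config global
    # Create the VDOM. The name may use only letters, digits, "-" and "_",
    # is at most 11 characters, and must not collide with an interface,
    # zone, switch interface or other VDOM name.
    config system vdom
        edit dmz
        next
    end
    # Confirm exactly the VDOM you intended exists before assigning
    # interfaces: a typo in the "edit" line above creates a new VDOM.
    show system vdom
    # Move port3 from root into dmz. This is refused while any root
    # policy or route still references port3; remove those first.
    # Limit management access on the interface to HTTPS and SSH so the
    # VDOM is reachable for administration but not over cleartext protocols.
    config system interface
        edit port3
            set vdom dmz
            set allowaccess https ssh
        next
    end
    # The vdom line of the output must now read "dmz".
    show system interface port3
end
```

If the "set vdom" step is rejected, look for firewall policies, static routes and DHCP servers in the root VDOM that name port3 and remove them, then repeat the interface edit.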

If you want to use the same physical interface for multiple VDOMs, you can use an enhanced MAC VLAN. For more information, see Enhanced MAC VLANs.

Per-VDOM administrators

After you enable VDOMs, you can create administrators with access to several VDOMs or limited to a single VDOM, called per-VDOM administrators.

Per-VDOM administrators must have either the prof_admin profile or a custom profile. Administrators who have the super_admin profile have access to all VDOMs on the FortiGate. For more information, see Administrators.

Per-VDOM administrators must access the FortiGate through network interfaces that belong to those VDOMs, which must be configured to allow management access. The administrator can also connect using the console interface.

When per-VDOM administrators log into their virtual domain, they see a different dashboard than the global administrator sees. The VDOM dashboard displays only information relevant to that VDOM; information about global settings or other VDOMs is not shown.

Information              Per-VDOM administrator       Global administrator
System information       read-only                    yes
License information      no                           yes
CLI console              yes                          yes
Unit operation           read-only                    yes
Alert message console    no                           yes
Top sessions             limited to VDOM sessions     yes
Traffic                  limited to VDOM interfaces   yes
Statistics               yes                          yes

You can create administrators globally or per-VDOM. To assign an administrator to multiple VDOMs, you must create the account at the global level.

When creating an administrator at the per-VDOM level, the super_admin profile can't be used.

To create per-VDOM administrators - GUI:
  1. Connect to the management VDOM.
  2. Go to Global > System > Administrators and select Create New.
  3. Set the User Name for the account.
  4. Set and confirm the Password.
  5. Set Type to Local User.
  6. Remove the root VDOM from the Virtual Domains list, then add the appropriate VDOM.
  7. Select OK.
To create per-VDOM administrators - CLI:

config global
    config system admin
        edit <name>
            set vdom <VDOM_name>
            set password <password>
            set accprofile <admin_profile>
        next
    end
end
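The per-VDOM administrator procedure above as a complete FortiOS CLI session, with the one addition a practitioner would make: a trusted-host restriction so the account can only log in from a known management network. This is an added example, not text from the handbook; the admin name dmz-admin, the VDOM dmz and the management subnet 10.0.100.0/24 are assumptions, and lines starting with "#" are annotations.

```text
# Added example (assumed names: VDOM "dmz", admin "dmz-admin",
# management network 10.0.100.0/24).
config global
    config system admin
        edit dmz-admin
            # prof_admin grants full control inside the assigned VDOM only.
            # super_admin cannot be used for a per-VDOM administrator.
            set accprofile prof_admin
            # Scope the account to dmz. Because this account is created at
            # the global level, more than one VDOM could be listed here.
            set vdom dmz
            # Only accept logins from the management subnet; a login from
            # any other source address is rejected before the password
            # is checked.
            set trusthost1 10.0.100.0 255.255.255.0
            set password <strong_password>
        next
    end
    # Verify the scope: the "set vdom" line of the output must list only
    # dmz, and "set accprofile" must not be super_admin.
    show system admin dmz-admin
end
```

The account can only reach the FortiGate through an interface that belongs to dmz and has management access enabled (see Assigning interfaces to a VDOM), or through the console. It will not see the root VDOM, global settings or the license and alert consoles listed in the table above.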

Certificate management

The following factory default certificates are unique to each VDOM and are automatically generated when a new VDOM is added:

  • Fortinet_CA_SSL
  • Fortinet_SSL
  • PositiveSSL_CA
  • Fortinet_Wifi
  • Fortinet_Factory

You can upload certificates to either the global certificate store or the certificate store for a specific VDOM. Global certificates are available to all VDOMs on the FortiGate, while VDOM certificates are available only for a single VDOM.

Security profiles

A single VDOM can use all the security features that are available to a FortiGate that does not use VDOMs.

When applying security profiles, you can use global security profiles, which are available for use by multiple VDOMs, as well as VDOM-level security profiles. Both types of profiles can be used together on the same VDOM.

VDOM-level security profiles

If you create a security profile on a specific VDOM, that profile is only available on that VDOM. When using a global administrator account, you can create, edit, and delete VDOM-level security profiles by using the drop-down menu to access the VDOM, then going to the Security Profiles menu.

Global security profiles

You can configure global security profiles for use by multiple VDOMs, to avoid creating identical profiles for each VDOM individually. Global profiles are available for the following security features:

  • Antivirus
  • Application control
  • Data leak prevention
  • Intrusion protection
  • Web filtering

Some security profile features, such as URL filters, are not available for use in a global profile.

The name for any global profile must start with "g-" for identification. Global profiles are available as read-only for VDOM-level administrators and can only be edited or deleted from within the global settings. Each security feature has at least one default global profile.

Global profiles are configured by going to Global > Security Profiles in the GUI or under the following config global commands in the CLI:

  • antivirus profile
  • application list
  • dlp sensor
  • ips sensor
  • webfilter profile
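A global security profile created under config global and then applied from inside a VDOM, as an added FortiOS CLI example that is not part of the handbook. The sensor name g-ips-block-high, the VDOM dmz and the interfaces port3 (inside) and port4 (outside), both assumed to already belong to dmz, are assumptions for illustration; lines starting with "#" are annotations.

```text
# Added example (assumed names: global sensor "g-ips-block-high",
# VDOM "dmz", interfaces port3 and port4 assigned to dmz).
# 1. Create the shared sensor at the global level. The name must start
#    with "g-"; the sensor is read-only for per-VDOM administrators.
config global
    config ips sensor
        edit g-ips-block-high
            set comment "Shared baseline: block high and critical signatures"
            config entries
                edit 1
                    set severity high critical
                    set status enable
                    set action block
                next
            end
        next
    end
end
# 2. Reference the global sensor from a policy inside the VDOM. A
#    VDOM-level sensor could be used on another policy in the same VDOM.
config vdom
    edit dmz
        config firewall policy
            edit 1
                set name dmz-to-internet
                set srcintf port3
                set dstintf port4
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set ssl-ssh-profile certificate-inspection
                set ips-sensor g-ips-block-high
                set logtraffic utm
                set nat enable
            next
        end
    end
```

A per-VDOM administrator logged into dmz can select g-ips-block-high on a policy but cannot edit it; changing the blocked severities is done once under config global and takes effect in every VDOM that references the sensor.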

Disabling a VDOM

When you create a new VDOM, it is enabled by default. You can configure a VDOM only while it is enabled, and the management VDOM must always remain enabled.

Disabled VDOMs are considered offline. The configuration remains, but you can't use the VDOM and only the super_admin administrator can view it. You can assign interfaces to a disabled VDOM.

To disable a VDOM - GUI:
  1. Go to Global > System > VDOM.
  2. Open the VDOM for editing.
  3. Ensure Enable is not selected.
  4. Select OK.
To disable a VDOM - CLI:

config vdom
    edit <name>
        config system settings
            set status disable
        end
    end

Deleting a VDOM

Deleting a VDOM removes it from the FortiGate configuration. You can't delete the root VDOM or the management VDOM, and you can't delete a disabled VDOM.

You can delete only VDOMs that are not referenced by the current configuration, including any per-VDOM objects. Before you delete a VDOM, check for and remove the following objects that refer to that VDOM or its components:

  • Routing - both static and dynamic routes
  • Firewall addresses, policies, groups, or other settings
  • Security profiles
  • VPN configuration
  • Users or user groups
  • Logging
  • DHCP servers
  • Network interfaces, zones, and custom DNS servers
  • VDOM administrators

Before you delete a VDOM, it's recommended that you re-assign interfaces assigned to that VDOM to the root VDOM.

To delete a VDOM - GUI:
  1. Go to Global > System > VDOM.
  2. Select the check box for the VDOM and then select the Delete icon.
  3. Confirm the deletion.
To delete a VDOM - CLI:

config vdom
    delete <name>
end
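The deletion procedure above carried through in order, as an added FortiOS CLI example that is not part of the handbook. It assumes a VDOM dmz that owns port3, has a firewall policy and a static route referencing that interface, and has a per-VDOM administrator dmz-admin; all of those names are assumptions, and lines starting with "#" are annotations.

```text
# Added example (assumed: VDOM "dmz" owning port3, with a policy, a static
# route and a per-VDOM administrator "dmz-admin").
# 1. Inside the VDOM, remove the objects that reference its interfaces.
#    "purge" empties the whole table and asks for confirmation interactively.
config vdom
    edit dmz
        config firewall policy
            purge
        end
        config router static
            purge
        end
    end
# 2. At the global level, hand the interface back to the root VDOM, as
#    the handbook recommends, and remove administrators scoped to dmz.
config global
    config system interface
        edit port3
            set vdom root
        next
    end
    config system admin
        delete dmz-admin
    end
end
# 3. Delete the VDOM. It must be enabled and must not be the management
#    VDOM; the command is refused while anything still references dmz.
config vdom
    delete dmz
end
```

If the final delete reports that the entry is still in use, go back to the list above (VPN, users and groups, logging, DHCP servers, zones, custom DNS servers and security profiles created inside dmz) and remove the remaining references before retrying.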
