Virtual Domains
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.
There are two VDOM modes:
- Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See Split-task VDOM mode.
- Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode.
By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to increase the maximum number.
Global settings are configured outside of a VDOM. They affect the entire FortiGate, and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed by top-level administrators.
Enable the following to prevent accidentally creating VDOMs in the CLI:

    config system global
        set edit-vdom-prompt enable
    end

The FortiGate displays a prompt to confirm before the VDOM is created.
Switching VDOM modes
Current VDOM mode | New VDOM mode | Rule |
---|---|---|
No VDOM | Split-task VDOM | Allowed |
Split-task VDOM | No VDOM | Allowed |
No VDOM | Multi VDOM | Allowed only if the FortiGate is not a member of a Security Fabric. See Configuring the root FortiGate and downstream FortiGates for more information. |
Multi VDOM | No VDOM | Allowed |
Split-task VDOM | Multi VDOM | Allowed only if the FortiGate is not a member of a Security Fabric. See Configuring the root FortiGate and downstream FortiGates for more information. |
Multi VDOM | Split-task VDOM | Not Allowed. User must first switch to No VDOM. |