Administration Guide

General configurations

VDOMs can be configured in the GUI and the CLI. To ensure that a VDOM is not configured accidentally in the CLI, confirmation prompts can be enabled. When enabled, the CLI asks for confirmation that the selected VDOM is the one meant to be configured.

To configure confirmation prompts:
config system global
    set edit-vdom-prompt enable
end

The following topics provide information on general VDOM configurations:

Enable multi VDOM mode

Enable multi VDOM mode and create the VDOMs in the GUI and CLI.

Note

On FortiGate 90 series models and lower, VDOMs can only be enabled using the CLI.

To enable VDOMs in the GUI:
  1. Go to System > Settings.

  2. In the System Operation Settings section, enable Virtual Domains.

  3. Click OK.

To enable VDOMs in the CLI:
config system global
    set vdom-mode multi-vdom
end

You will be logged out of the device when the VDOM mode is enabled.

Management VDOM

By default, the management VDOM is root. The management VDOM can be manually assigned from the GUI or the CLI.

To assign the management VDOM in the GUI:
  1. In the Global VDOM, go to System > VDOM.

  2. Select the VDOM you want to assign as the management VDOM.

  3. Click Switch Management.

  4. Click OK.

To assign the management VDOM in the CLI:
config global
    config system global
        set management-vdom <vdom>
    end
end

Note

Only one management VDOM can exist at a time. It is strongly recommended that the management VDOM have Internet access; otherwise, management-related services, such as FortiGuard updates and queries, will not work.

Global and per-VDOM resources

Global resources apply to resources that are shared by the whole FortiGate, while per-VDOM resources are specific to each VDOM.

To configure global resources:
  1. In the Global VDOM, go to System > Global Resources.

  2. Enable the resource's override in the Override Maximum column, then enter the override value.

  3. Click Apply.

    To reset all of the override values, click Reset All.

To configure per-VDOM resources:
  1. In the Global VDOM, go to System > VDOM.

  2. Select the VDOM whose resources need to be configured and click Edit.

  3. Enable the resource's override in the Override Maximum column, then enter the override value.

  4. Optionally, enter a value in the Guaranteed column.

  5. Click OK.

    To reset all of the override values, click Reset All.

Create per-VDOM administrators

Per-VDOM administrators can be created that can access only the administrative or traffic VDOM. These administrators must use either the prof_admin administrator profile, or a custom profile.

A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that they are assigned to. The interface must also be configured to allow management access. They can also connect to the FortiGate using the console port.

To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator at the VDOM level, the super_admin administrator profile cannot be used.

To create a per-VDOM administrator in the GUI:
  1. On the FortiGate, connect to the Global VDOM.

  2. Go to System > Administrators and click Create New > Administrator.

  3. Fill in the required information, setting the Type as Local User.

  4. In the Virtual Domains field, add the VDOM that the administrator will be assigned to, and if necessary, remove the other VDOM from the list.

  5. Click OK.

To create a per-VDOM administrator using the CLI:
config global
    config system admin
        edit <name>
            set vdom <VDOM_name>
            set password <password>
            set accprofile <admin_profile>
            ...
        next
    end
end

Configure an administrative VDOM type

Individual VDOMs can be configured as an administrative type in multi VDOM mode.

Note

Only one administrative VDOM can exist at a time, and it cannot be set on a FortiWiFi. A VDOM cannot be an administrative type and in transparent mode at the same time.

To configure an administrative VDOM in the GUI:
  1. Go to System > VDOM.

  2. Click Create New.

  3. Enter a Virtual Domain name and set the Type to Admin.

  4. Click OK.

  5. Click OK in the confirmation pane. The administrative VDOM is created.

To configure the VDOM type in the CLI:
config system settings
    set vdom-type {traffic | admin}
end

Assign interfaces to a VDOM

An interface can only be assigned to one of the VDOMs. An interface cannot be moved if it is referenced in an existing configuration.

Tooltip

In the GUI, the interface list Ref. column shows if the interface is referenced in an existing configuration, and allows you to quickly access and edit those references.

To assign an interface to a VDOM in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.

  2. Select the interface that will be assigned to a VDOM and click Edit.

  3. Select the VDOM that the interface will be assigned to from the Virtual Domain list.

  4. Click OK.

To assign an interface to a VDOM using the CLI:
config global
    config system interface
        edit <interface>
            set vdom <VDOM_name>
        next
    end
end
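As an added example (not code from the Fortinet guide): a small Python parser for FortiOS CLI text and an audit that checks a saved configuration against two rules stated above, that a per-VDOM administrator cannot use super_admin and that an interface belongs to exactly one defined VDOM. It runs over a constructed config sample; the heuristic that any administrator not scoped solely to the management VDOM is a per-VDOM administrator is an assumption of this example.

```python
import shlex

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: config/edit open a child dict, set stores values."""
    stack = [{}]
    for words in map(shlex.split, text.splitlines()):
        if words and words[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(words[1:]), {}))
        elif words and words[0] == "set":
            stack[-1][words[1]] = words[2] if len(words) == 3 else words[2:]
        elif words and words[0] in ("next", "end"):
            stack.pop()
    return stack[0]
def audit_vdoms(text):
    """Return findings where a multi-VDOM config breaks the rules this page states."""
    cfg = parse_fortios(text)
    g, vdoms = cfg.get("global", {}), set(cfg.get("vdom", {}))
    mgmt = g.get("system global", {}).get("management-vdom", "root")  # default is root
    out = []
    for name, a in g.get("system admin", {}).items():
        # Assumption: any admin not scoped to the management VDOM alone is per-VDOM, and per-VDOM admins cannot use super_admin.
        if a.get("accprofile") == "super_admin" and a.get("vdom", mgmt) != mgmt:
            out.append(f"admin {name!r}: super_admin used for a per-VDOM administrator")
    for name, i in g.get("system interface", {}).items():
        owner = i.get("vdom", mgmt)  # an interface belongs to exactly one VDOM
        if not isinstance(owner, str) or owner not in vdoms:
            out.append(f"interface {name!r}: VDOM {owner!r} is not a single defined VDOM")
    return out
# Constructed sample (not from the guide): root is the management VDOM, vd_ops a traffic VDOM; each entry breaks one rule.
SAMPLE = """\
config global
    config system admin
        edit "opsadmin"
            set vdom "vd_ops"
            set accprofile "super_admin"
        next
    end
    config system interface
        edit "port3"
            set vdom "vd_missing"
        next
    end
end
config vdom
    edit root
    next
    edit vd_ops
    next
end
"""
```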

Inter-VDOM routing

VDOM links allow VDOMs to communicate internally without using additional physical interfaces.

Note

A VDOM link does not support traffic offload. If you want to use traffic offload, use NPU-VDOM-LINK. See Configuring inter-VDOM link acceleration with NP6 processors in the Hardware Acceleration guide for details.

To configure a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Click Create New > VDOM Link.
  3. Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and so on, then click OK.

Note

By default, VDOM links are created as point-to-point (ppp) links. If required, the link type can be changed in the CLI.

For example, when running OSPF in IPv6, a link-local address is required in order to communicate with OSPF neighbors. For a VDOM link to obtain a link-local address, its type must be set to ethernet.

To configure a VDOM link in the CLI:
config global
    config system vdom-link
        edit "<vdom-link-name>"
            set type {ppp | ethernet}
        next
    end
    config system interface
        edit "<vdom-link-name0>"
            set vdom "<VDOM Name>"
            set type vdom-link
        next
        edit "<vdom-link-name1>"
            set vdom "<VDOM Name>"
            set type vdom-link
        next
    end
end

To delete a VDOM link in the GUI:
  1. In the Global VDOM, go to Network > Interfaces.
  2. Select a VDOM Link and click Delete.

To delete a VDOM link in the CLI:
config global
    config system vdom-link
        delete <VDOM-LINK-Name>
    end
end

Allow FortiGuard services and updates to initiate from a traffic VDOM

In multi VDOM mode, users can choose which VDOM FortiGuard services and updates are initiated from, instead of being locked to the management VDOM. This allows deployment scenarios where the management VDOM resides in a closed management network.

When the management VDOM resides in a closed network, it does not have Internet access. FortiGuard services (FortiGuard updates, web filters, DNS proxy, DDNS, and so on) must be configured in a VDOM with Internet access in order to work. Therefore, in this example, change the FortiGuard settings to initiate from the root VDOM.

To configure FortiGuard services on a traffic VDOM:
  1. Set up a traffic VDOM for FortiGuard services:

    config global
        config system fortiguard
            set vdom "root"
        end
    end
  2. Ensure the traffic VDOM has the correct gateway to reach the internet:

    config vdom
        edit root
            config router static
                edit 1
                    set gateway 172.16.200.254
                    set device "wan1"
                next
            end
        next
    end
  3. Configure the DNS servers to ensure the FortiGuard services can resolve the server name through the traffic VDOM:

    config vdom
        edit root
            config system vdom-dns
                set vdom-dns enable
                set primary 208.91.112.53
                set secondary 208.91.112.52
            end
        next
    end
