Handbook

6.0.0

Enabling VDOMs

This section contains the following topics: The root VDOM, Enabling virtual domains, Global and per-VDOM settings, Changes to the GUI and CLI, Resource settings, and Increasing the maximum number of VDOMs.

The root VDOM

On every FortiGate there is a root VDOM that you can't delete. When VDOMs are disabled, the root VDOM isn't visible. When VDOMs are enabled, the root VDOM is visible. The root VDOM is the only VDOM available for configuration, until you enable VDOMs.

Typically, you use the root VDOM as the management VDOM. By connecting to the management VDOM, you can access the global settings for the FortiGate as well as the settings for each individual VDOM. You can set any VDOM to be the management VDOM.

Enabling virtual domains

VDOMs are disabled by default. When you enable VDOMs on your FortiGate, your current configuration is saved, with all parts assigned to the root VDOM. Also, no reboot is required when enabling VDOMs.

To enable VDOMs - GUI:
  1. Go to System > Settings.
  2. Under Operations Settings, enable Virtual Domains.

The FortiGate logs off all sessions. You can now log in again as admin.

To enable VDOMs - CLI:

config system global
    set vdom-admin enable
end

Global and per-VDOM settings

Settings that you configure outside a VDOM are called global settings. These settings affect the entire FortiGate and include areas such as interfaces, DNS, and firmware. They also include some logging and sandboxing options, such as FortiAnalyzer, SNMP, and FortiSandbox. Global settings should only be changed by your top-level administrator.

Settings that you configure within a VDOM are called VDOM settings. These settings affect only a specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus, some logging settings, and reporting.

When virtual domains are disabled, the entire FortiGate is effectively a single VDOM, but per-VDOM limits apply. For some resource types, the global limit can't be reached with only one VDOM.

Changes to the GUI and CLI

When you enable VDOMs, the FortiGate GUI and the CLI change, allowing you to manage both global settings and per-VDOM settings. Only admin accounts using the super_admin profile can access global options and settings for all VDOMs. Other administrator accounts can configure only the VDOM they're assigned to.

Other changes only affect either the GUI or the CLI.

GUI:
  • When you access the management VDOM (this is the root VDOM by default), you can use the drop-down menu in the top left of the GUI to switch between global and per-VDOM settings. Some menu items only appear under Global, while others only appear as per-VDOM settings.
  • A menu item is available at Global > System > VDOM. You use this to create, edit, and delete VDOMs.
  • A menu item is available at Global > System > Global Resources. You use this to manage how system resources are shared between VDOMs.
CLI:
  • To configure global settings, you must first enter the following CLI to select global options:

config global

  • To configure per-VDOM settings, you must first enter the following CLI to select a VDOM:

config vdom
    edit <vdom_name>

Resource settings

Your FortiGate has a limited amount of hardware resources, such as memory, disk storage, and CPU operations. When you use VDOMs, you can control how resources are shared between each VDOM to optimize resource usage. This allows you to ensure the proper level of service is maintained on each VDOM.

For example, if one VDOM is connected to a web server and logging server, and a second VDOM is connected to an internal network of 20 users, these two VDOMs require different levels of resources. The first VDOM requires many sessions but no user accounts. The second VDOM is the opposite, requiring user accounts and management resources, but fewer sessions.

Global resources

Global resources apply to the entire FortiGate. By default, the values are set to their maximum values. These values vary by FortiGate model because each model has different hardware capabilities. It can be useful to change the maximum values for some resources to ensure there is enough memory available for other resources that might be more important to your configuration.

For example, if your FortiGate is protecting a number of web servers and other publicly accessible servers, you should maximize the available sessions and proxies, and minimize unused settings, such as users or VPNs.

To view the resource list, go to Global > System > Global Resources. You can also use the following CLI command:

config global
    config system resource-limits
        get

Note that some global resources are only visible if your FortiGate supports those resources. For example, the quota for logging to disk is only visible when your FortiGate has a hard disk.

Note: For explicit proxies, when you configure limits on the number of concurrent users, you need to allow for the number of users based on their authentication method. Otherwise you might run out of user resources. Each session-based authenticated user is counted as a single user, and their authentication membership (RADIUS, LDAP, FSAE, local database, etc.) is used to match them across other sessions. So one authenticated user in multiple sessions is still one user. In all other situations, the source IP address is used to identify a user, and all sessions from a single source address are assumed to be from the same user.

Per-VDOM resource settings

Each VDOM has its own resource settings, including both maximum and minimum levels. By default, all per-VDOM resource settings are set to allow the maximum. The maximum level is the highest amount of that resource that the VDOM can use if it is available on the FortiGate. Minimum levels are guaranteed levels that are always available, no matter what resources other VDOMs are using.

For example, one VDOM, called VDOM-1, has a maximum of 5000 sessions and a minimum of 1000 sessions. If the FortiGate has a global maximum of 20,000 sessions split among 10 VDOMs, it is possible that VDOM-1 won't be able to reach the 5000 session maximum. However, at all times VDOM-1 is guaranteed to have 1000 sessions available.

To view per-VDOM resource settings - GUI:
  1. Select Global > System > VDOM.
  2. Select the root VDOM, and select Edit.
  3. Adjust the settings in the Resource Usage section of the page.
  4. Select OK.
To view per-VDOM resource settings - CLI:

config global
    config system vdom-property
        edit root
            get
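As an added example (not from the handbook), the VDOM-1 figures given earlier in this section expressed as CLI: a global session ceiling of 20,000 and a per-VDOM maximum/guaranteed pair of 5000/1000, so VDOM-1 can never be starved below 1000 sessions by the other VDOMs. The `session` entry under `vdom-property` takes the maximum first and the guaranteed value second; that VDOM-1 already exists is assumed.

```text
config global
    # global ceiling shared by every VDOM on the unit
    config system resource-limits
        set session 20000
    end
    # per-VDOM pair: <maximum> <guaranteed>
    config system vdom-property
        edit VDOM-1
            set session 5000 1000
        next
    end
end
```

Run `get` inside the same `edit VDOM-1` context afterwards to confirm the pair took effect and to see the remaining resource types that can be bounded the same way.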

Increasing the maximum number of VDOMs

By default, most FortiGate models support a maximum of 10 VDOMs. For certain models, you can purchase a license key to increase the maximum number of VDOMs.

To find out how many VDOMs your FortiGate can support, refer to the data sheet for your model. For more information, see the Fortinet Data Sheets.

Note: It is important to back up your configuration before upgrading the VDOM license on your FortiGate, especially if you're using HA mode.

To obtain a VDOM license key
  1. Log in with a super_admin account.
  2. Go to the Dashboard.
  3. Record your FortiGate serial number as shown in the System Information widget.
  4. In the License Information widget, locate Virtual Domain and select Purchase More.

    Note: If you don't see the Purchase More option, your FortiGate model does not support more than 10 VDOMs.

  5. You are directed to the Fortinet Support website, where you can log in and purchase a license key.
  6. After you receive your license key, go to the Dashboard and select Upload License under License Information, Virtual Domains.
  7. In the Input License Key field, enter the license key you received from Fortinet Support.
  8. Select Apply.

To verify the new VDOM license, in global configuration go to System > Dashboard. The Licenses widget shows the current number and total allowed number of VDOMs.
