
Cookbook

Split-task VDOM mode

In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FG-traffic).

The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.

The following GUI sections are available when in the management VDOM:

  • The Status dashboard
  • Security Fabric topology and settings (read-only, except for HTTP Service settings)
  • Interface and static route configuration
  • FortiClient configuration
  • Replacement messages
  • Certificates
  • System events
  • Log and email alert settings
  • Threat weight definitions

The traffic VDOM provides separate security policies, and is used to process all network traffic.

The following GUI sections are available when in the traffic VDOM:

  • The Status, Top Usage LAN/DMZ, and Security dashboards
  • Security Fabric topology, settings (read-only, except for HTTP Service settings), and Fabric Connectors (SSO/Identity connectors only)
  • FortiView
  • Interface configuration
  • Packet capture
  • SD-WAN, SD-WAN Rules, and Performance SLA
  • Static and policy routes
  • RIP, OSPF, BGP, and Multicast
  • Replacement messages
  • Feature visibility
  • Tags
  • Certificates
  • Policies and objects
  • Security profiles
  • VPNs
  • User and device authentication
  • Wifi and switch controller
  • Logging
  • Monitoring

Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM mode.

Enable split-task VDOM mode

Split-task VDOM mode can be enabled in the GUI or CLI. Enabling it does not require a reboot, but does log you out of the FortiGate.

Caution

When split-task VDOM mode is enabled, all current management configuration is assigned to the root VDOM, and all non-management settings, such as firewall policies and security profiles, are deleted. Back up the configuration before enabling the mode, so that the deleted settings can be recreated in the traffic VDOM.

Note

On FortiGate 60 series models and lower, VDOMs can only be enabled using the CLI.

To enable split-task VDOM mode in the GUI:
  1. On the FortiGate, go to System > Settings.
  2. In the System Operation Settings section, enable Virtual Domains.
  3. Select Split-Task VDOM for the VDOM mode.
  4. Select a Dedicated Management Interface from the Interface list. This interface is used to access the management VDOM, and cannot be used in firewall policies.
  5. Click OK.

To enable split-task VDOM mode with the CLI:

config system global
    set vdom-mode split-vdom
end
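The Caution above is the part of this procedure that bites in practice: everything outside the management configuration is gone once the mode switches, and you are logged out before you can look. The following Python script is an added example, not Fortinet's code, that reads a FortiOS configuration backup (the plain-text `config ... end` format produced by the configuration backup feature) and lists the firewall policies and security profiles that enabling split-task VDOM mode would delete, plus any policies that reference the interface you intend to choose as the dedicated management interface. The embedded sample configuration is constructed, and the set of tables the script treats as "security profiles" is this example's own mapping of the page's wording, not a list taken from the page.

```python
"""Pre-flight check before enabling split-task VDOM mode on a FortiGate.

Added example, not Fortinet's code. Parses a FortiOS configuration backup
and reports the non-management objects the mode switch deletes.
"""
import shlex

# Constructed sample backup of a FortiGate in no-VDOM mode (not a real export).
SAMPLE_CONFIG = """\
#config-version=FGT60E-6.2.0-FW-build0866-190307:opmode=0:vdom=0:user=admin
config system global
    set hostname "FGT60E"
end
config system interface
    edit "wan1"
        set vdom "root"
        set allowaccess ping https ssh
    next
    edit "internal"
        set vdom "root"
    next
end
config antivirus profile
    edit "default"
        set comment "Scan files and block viruses."
    next
end
config webfilter profile
    edit "default"
    next
end
config firewall policy
    edit 1
        set name "LAN-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set av-profile "default"
    next
    edit 2
        set name "Guest-to-WAN"
        set srcintf "guest" "dmz"
        set dstintf "wan1"
        set action accept
    next
end
"""

POLICY_TABLE = "firewall policy"
# Tables this example treats as "security profiles" (its own mapping of the
# page's wording; FortiOS has further profile tables not listed here).
PROFILE_TABLES = ("antivirus profile", "webfilter profile", "dnsfilter profile",
                  "ips sensor", "application list", "dlp sensor",
                  "emailfilter profile", "firewall ssl-ssh-profile")


def parse_fortios_config(text):
    """Parse FortiOS config text into {table: {entry: {attr: [values]}}}.

    Only top-level `config <table>` blocks are tracked; nested `config`
    blocks inside an entry are consumed and ignored, which is enough to
    count entries and read their top-level `set` lines. Attributes set
    directly in a table (no `edit`) are stored under the entry name "".
    """
    tables, depth, table, entry = {}, 0, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or #config-version header
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table, entry = line[7:], None
                tables.setdefault(table, {})
        elif line == "end":
            depth -= 1
        elif depth != 1:
            continue                      # inside a nested block: ignore
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table].setdefault(entry, {})
        elif line == "next":
            entry = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tables[table].setdefault(entry or "", {})[key] = shlex.split(value)
    return tables


def vdom_mode(tables):
    """Configured vdom-mode; a backup omits the default, which is no-vdom."""
    return tables.get("system global", {}).get("", {}).get("vdom-mode", ["no-vdom"])[0]


def split_vdom_impact(tables):
    """Objects that enabling split-task VDOM mode deletes (see the Caution)."""
    policies = sorted(tables.get(POLICY_TABLE, {}))
    profiles = {t: sorted(tables[t]) for t in PROFILE_TABLES if tables.get(t)}
    return {"vdom_mode": vdom_mode(tables), "firewall_policies": policies,
            "security_profiles": profiles,
            "profile_count": sum(len(v) for v in profiles.values())}


def policies_using_interface(tables, ifname):
    """Policy IDs whose srcintf or dstintf names `ifname`.

    The dedicated management interface cannot be used in firewall policies,
    so a hit here means the traffic design, not just the policy table, has
    to change if that interface becomes the management interface.
    """
    return sorted(pid for pid, a in tables.get(POLICY_TABLE, {}).items()
                  if ifname in a.get("srcintf", []) or ifname in a.get("dstintf", []))


if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    report = split_vdom_impact(cfg)
    print(f"current vdom-mode: {report['vdom_mode']}")
    print(f"policies deleted:  {report['firewall_policies']}")
    print(f"profiles deleted:  {report['security_profiles']}")
    print(f"policies on wan1:  {policies_using_interface(cfg, 'wan1')}")
```

To use it on a real device, replace SAMPLE_CONFIG with the contents of a configuration backup taken before the change; the script only reads the backup, and the mode switch itself remains the `set vdom-mode split-vdom` command shown above.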
