Administration Guide

Virtual Domains

Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.

There are two VDOM modes:

  • Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See Split-task VDOM mode.
  • Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode.

By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to increase the maximum number.

Global settings are configured outside of a VDOM. They affect the entire FortiGate and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed by top-level administrators.

Note: Enable the following to prevent accidentally creating VDOMs in the CLI:

config system global
    set edit-vdom-prompt enable
end

With this setting enabled, the FortiGate prompts for confirmation before a VDOM is created.

Switching VDOM modes

Current VDOM mode   New VDOM mode     Rule
------------------  ----------------  ------------------------------------------------------------
No VDOM             Split-task VDOM   Allowed
Split-task VDOM     No VDOM           Allowed
No VDOM             Multi VDOM        Allowed only if the FortiGate is not a member of a Security Fabric. See Configuring the root FortiGate and downstream FortiGates for more information.
Multi VDOM          No VDOM           Allowed
Split-task VDOM     Multi VDOM        Allowed only if the FortiGate is not a member of a Security Fabric. See Configuring the root FortiGate and downstream FortiGates for more information.
Multi VDOM          Split-task VDOM   Not allowed. The user must first switch to No VDOM.
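The switching rules above, encoded as a small planner that returns the ordered mode switches an administrator must perform, or refuses when the table forbids the change. This is an added example, not Fortinet code; the mode names and the function name are assumptions chosen for the example, and Security Fabric membership is passed in as a flag rather than read from the device.

```python
"""Plan a FortiGate VDOM mode change from the 'Switching VDOM modes' table.

Hypothetical helper (not Fortinet code). It encodes the rules on this page:
direct switches, the switches blocked while the FortiGate is a Security
Fabric member, and the one switch (Multi VDOM -> Split-task VDOM) that must
go through No VDOM first.
"""
from __future__ import annotations

NO_VDOM, SPLIT_TASK, MULTI = "no-vdom", "split-task-vdom", "multi-vdom"
MODES = (NO_VDOM, SPLIT_TASK, MULTI)

# Direct switches from the table. The value is True when the switch is only
# allowed if the FortiGate is NOT a member of a Security Fabric.
_DIRECT: dict[tuple[str, str], bool] = {
    (NO_VDOM, SPLIT_TASK): False,
    (SPLIT_TASK, NO_VDOM): False,
    (NO_VDOM, MULTI): True,      # blocked while in a Security Fabric
    (MULTI, NO_VDOM): False,
    (SPLIT_TASK, MULTI): True,   # blocked while in a Security Fabric
    # (MULTI, SPLIT_TASK) is deliberately absent: no direct switch exists.
}


def plan_vdom_mode_switch(current: str, new: str,
                          in_security_fabric: bool) -> list[tuple[str, str]]:
    """Return the switches to perform, in order, to reach `new` from `current`.

    Raises ValueError for unknown modes and PermissionError when the table
    forbids the switch in the given Security Fabric state.
    """
    if current not in MODES or new not in MODES:
        raise ValueError(f"unknown VDOM mode: {current!r} / {new!r}")
    if current == new:
        return []
    if (current, new) in _DIRECT:
        if _DIRECT[(current, new)] and in_security_fabric:
            raise PermissionError(
                f"{current} -> {new} is only allowed when the FortiGate is "
                "not a member of a Security Fabric")
        return [(current, new)]
    # Only Multi VDOM -> Split-task VDOM has no direct switch; the table says
    # to switch to No VDOM first, then on to the target mode.
    via = NO_VDOM
    return (plan_vdom_mode_switch(current, via, in_security_fabric)
            + plan_vdom_mode_switch(via, new, in_security_fabric))


if __name__ == "__main__":
    print(plan_vdom_mode_switch(MULTI, SPLIT_TASK, in_security_fabric=True))
```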