General configurations
VDOMs can be configured in the GUI and the CLI. To ensure that no VDOMs are accidentally configured in the CLI, prompts can be enabled. These prompts will display to ask for confirmation that the VDOM is meant to be configured in the CLI.
To configure confirmation prompts:
config system global set edit-vdom-prompt enable end
The following topics provide information on general VDOM configurations:
Enable multi VDOM mode
Enable multi VDOM mode and create the VDOMs in the GUI and CLI.
On FortiGate 90 series models and lower, VDOMs can only be enabled using the CLI. |
To enable VDOMs in the GUI:
-
Go to System > Settings.
-
In the System Operation Settings sections, enable Virtual Domains.
-
Click OK.
To enable VDOMs in the CLI:
config system global set vdom-mode multi-vdom end
You will be logged out of the device when the VDOM mode is enabled.
Management VDOM
By default, the management VDOM is root. The management VDOM can be manually assigned from the GUI or the CLI.
To assign the management VDOM in the GUI:
-
In the Global VDOM, go to System > VDOM.
-
Select the VDOM you want to assign as the management VDOM.
-
Click Switch Management.
-
Click OK.
To assign the management VDOM in the CLI:
config global config system global set management-vdom <vdom> end end
Only one management VDOM can exist at a time. It is strongly recommended that the management VDOM have Internet access otherwise management-related services, such as FortiGuard updates and queries, will not work. |
Global and per-VDOM resources
Global resources apply to resources that are shared by the whole FortiGate, while per-VDOM resources are specific to each VDOM.
To configure global resources:
-
In the Global VDOM, go to System > Global Resources.
-
Enable the resource's override in the Override Maximum column, then enter the override value.
-
Click Apply.
To reset all of the override values, click Reset All.
To configure per-VDOM resources:
-
In the Global VDOM, go to System > VDOM.
-
Select the VDOM whose resources need to be configured and click Edit.
-
Enable the resource's override in the Override Maximum column, then enter the override value.
-
Optionally, enter a value in the Guaranteed column.
-
Click OK.
To reset all of the override values, click Reset All.
Create per-VDOM administrators
Per-VDOM administrators can be created that can access only the administrative or traffic VDOM. These administrators must use either the prof_admin administrator profile, or a custom profile.
A per-VDOM administrator can only access the FortiGate through a network interface that is assigned to the VDOM that they are assigned to. The interface must also be configured to allow management access. They can also connect to the FortiGate using the console port.
To assign an administrator to multiple VDOMs, they must be created at the global level. When creating an administrator at the VDOM level, the super_admin administrator profile cannot be used.
To create a per-VDOM administrator in the GUI:
-
On the FortiGate, connect to the Global VDOM.
-
Go to System > Administrators and click Create New > Administrator.
-
Fill in the required information, setting the Type as Local User.
-
In the Virtual Domains field, add the VDOM that the administrator will be assigned to, and if necessary, remove the other VDOM from the list.
-
Click OK.
To create a per-VDOM administrator using the CLI:
config global config system admin edit <name> set vdom <VDOM_name> set password <password> set accprofile <admin_profile> ... next end end
Configure an administrative VDOM type
Individual VDOMs can be configured as an administrative type in multi VDOM mode.
Only one administrative VDOM can exist at a time and cannot be set on a FortiWifi. A VDOM cannot be an administrative type and in transparent mode at the same time. |
To configure an administrative VDOM in the GUI:
-
Go to System > VDOM.
-
Click Create New.
-
Enter a Virtual Domain name and set the Type to Admin.
-
Click OK.
-
Click OK in the confirmation pane. The administrative VDOM is created.
To configure the VDOM type in the CLI:
config system settings set vdom-type {traffic | admin} end
Assign interfaces to a VDOM
An interface can only be assigned to one of the VDOMs. An interface cannot be moved if it is referenced in an existing configuration.
In the GUI, the interface list Ref. column shows if the interface is referenced in an existing configuration, and allows you to quickly access and edit those references. |
To assign an interface to a VDOM in the GUI:
-
In the Global VDOM, go to Network > Interfaces.
-
Select the interface that will be assigned to a VDOM and click Edit.
-
Select the VDOM that the interface will be assigned to from the Virtual Domain list.
-
Click OK.
To assign an interface to a VDOM using the CLI:
config global config system interface edit <interface> set vdom <VDOM_name> next end end
Inter-VDOM routing
VDOM links allow VDOMs to communicate internally without using additional physical interfaces.
A VDOM link cannot share the same name as a VDOM. |
VDOM link does not support traffic offload. If you want to use traffic offload, use NPU-VDOM-LINK. See Configuring inter-VDOM link acceleration with NP6 processors in the Hardware Acceleration guide for details. |
To configure a VDOM link in the GUI:
- In the Global VDOM, go to Network > Interfaces.
- Click Create New > VDOM Link.
- Configure the fields, including the Name, Virtual Domain, IP information, Administrative Access, and so on, then click OK.
By default, VDOM links are created as point-to-point (ppp) links. If required, the link type can be changed in the CLI. For example, when running OSPF in IPv6, a link-local address is required in order to communicate with OSPF neighbors. For a VDOM link to obtain a link-local address, its type must be set to |
To configure a VDOM link in the CLI:
config global config system vdom-link edit "<vdom-link-name>" set type {ppp | ethernet} next end config system interface edit "<vdom-link-name0>" set vdom "<VDOM Name>" set type vdom-link next edit "<vdom-link-name1>" set vdom "<VDOM Name>" set type vdom-link next end end
To delete a VDOM link in the GUI:
- In the Global VDOM, go to Network > Interfaces.
- Select a VDOM Link and click Delete.
To delete a VDOM link in the CLI:
config global config system vdom-link delete <VDOM-LINK-Name> end end
Allow FortiGuard services and updates to initiate from a traffic VDOM
In multi VDOM mode, users can choose from which VDOM FortiGuard services and updates are initiated from, instead of being locked to the management VDOM. This allows deployment scenarios where the management VDOM resides in a closed management network.
When the management VDOM resides in a closed network, it does not have internet access. FortiGuard services (FortiGuard updates, web filters, DNS proxy, DDNS, and so on) must be configured in a VDOM with Internet access in order to work. Therefore, in the example above, change the FortiGuard settings to initiate from the root VDOM.
To configure FortiGuard services on a traffic VDOM:
-
Set up a traffic VDOM for FortiGuard services:
config global config system fortiguard set vdom "root" end end
-
Ensure the traffic VDOM has the correct gateway to reach the internet:
config vdom edit root config router static edit 1 set gateway 172.16.200.254 set device "wan1" next end next end
-
Configure the DNS servers to ensure the FortiGuard services can resolve the server name through the traffic VDOM:
config vdom edit root config system vdom-dns set vdom-dns enable set primary 208.91.112.53 set secondary 208.91.112.52 end next end