Virtual Domains (VDOMs)

Understanding VDOMs 

• VDOMs enables you to create multiple virtual firewalls within a single physical firewall. 

• Each VDOM has their own configurations and routing tables, and security policy. 

• One VDOM cannot community with another VDOM. 

• You can have up to 10 VDOMs per FortiGate appliance. 

• Keep in mind, global configurations are made outside the VDOM. 

• The following are the type of VDOMs: 

  • Admin VDOM: 

    • This VDOM is used for management of the FortiGate 

    • Does not passes traffic/data 

  • Traffic VDOM 

    • Processes all network traffic through the FortiGate appliance 

    • Can provide separate security policies 

Multi-VDOM use cases

• Management – This is known as the root. All management traffic originates from this VDOM and requires access to all Fortinet global services. 

• Independent – Independent VDOMs are logically separated from each other and there are no communication between them. While each VDOM has their own physical interface link to the internet. 

• Meshed  - VDOMs are unable to connect with each other, with the except of using an Inter-VDOM links, as shown below: 

VDOM Administrator Profiles 

• The super_admin account can be used to configure all VDOMs and perform back-up of VDOMs. 

• Per VDOM administrator account can be used to manage a specific VDOM, but this account does not have access to the global settings. 

• To create a new administrator, go to Global > System > Administrators (you can assign an admin to a VDOM). 

Configuring VDOMs 

• To ensure VDOMs on a FortiGate, use the following methods: 

  • On the GUI, go to System > Settings > enable Virtual Domains. 

  • On the CLI, use the following commands: 

    • config system global 

    • set vdom-mode multi-vdom 

    • end  

• After enabling Virtual Domains on FortiGate, the Admin (root) VDOM will be present. 

• You can create multiple VDOMs on the same FortiGate. 

• The root VDOM is used to manage all VDOMs on the same FortiGate. 

• To create a new VDOM, go to Global > System > VDOM. 

FortiGate Operations 

• All interfaces on the same VDOM all operates on the same broadcast domain, even when they are configured with different VLANs. 

• Interfaces can be assigned to each VDOM, go to Global > Network > Interfaces > Edit Interface > Virtual Domain > Select the VDOM. 

• Global settings: 

  • Hostname of device 

  • High Availability (HA) configurations 

  • FortiGuard configurations 

  • System time 

  • Administrative user accounts 

• Per-VDOM settings: 

  • Operating mode: Transparent / NAT 

  • NGFW mode: policy-based / policy-based 

  • Firewall policies 

  • Security profiles 

Global Security Profiles 

• Global security profiles can be created for VDOMs. 

• These security profiles are in read-only mode within a VDOM. 

• When create a global profile, the naming convention always begins with a 'g'. 

• Global security profiles supports the following: 

  • Antivirus 

  • Application control 

  • Intrusion prevention 

  • Web filtering 

Setting up Inter-VDOM links 

• Inter-VDOM links enables you to route traffic between VDOMs on the same FortiGate device. 

• To create an Inter-VDOM link, go to Global > Network > Interfaces > Create New > VDOM Link 

• Ensure to configure an IP address and network on the Inter-VDOM links between each VDOM. 

Global and VDOM Resource Limits 

• When the global resource limit is configured, it's applied to the resources that are shared by the FortiGate. 

• VDOM resources limits are applied to a specific VDOM. 

• To assign global resources: 

  • Go to, Global > System > Global Resources 

• To configure per-VDOM limits: 

  • Go to, Global > System > VDOM 

Monitoring VDOMs 

• View the Management VDOM, firewall operating mode, status, CPU, Memory and Interfaces. 

• Go to, Global  > System > VDOM