
Configuring Virtual Domains

Only a super_admin administrator account such as the default “admin” account can create, disable, or delete VDOMs. That account can create additional administrators for each VDOM.

Creating a Virtual Domain

Once you have enabled Virtual Domains on your FortiGate unit, you can create additional Virtual Domains beyond the default root Virtual Domain.

By default, new Virtual Domains use the NAT/Route operation mode. If you want a Virtual Domain to operate in Transparent mode, you must change it manually.

You can name new Virtual Domains as you like with the following restrictions:

  • only letters, numbers, “-”, and “_” are allowed
  • no more than 11 characters are allowed
  • no spaces are allowed
  • VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.

Note: When creating large numbers of VDOMs you should not enable advanced features such as proxies, web filtering, and antivirus due to limited FortiGate unit resources. Also when creating large numbers of VDOMs, you may experience reduced performance for the same reason.

To create a VDOM - web-based manager:
  1. Log in with a super_admin account.
  2. Select Global > System > VDOM.
  3. Select Create New.
  4. Enter a unique name for your new VDOM.
  5. Enter a short and descriptive comment to identify this VDOM.
  6. Select OK.

Repeat Steps 3 through 6 to add additional VDOMs.

To create a VDOM - CLI:

config vdom
    edit <new_vdom_name>
end

Note: If you want to edit an existing Virtual Domain in the CLI and mistype the name, a new Virtual Domain is created with the misspelled name. If you notice that expected configuration changes are not visible, this may be the reason. Periodically check your VDOM list to ensure that no such misspelled VDOMs are present.
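
The naming restrictions listed above and the misspelled-VDOM pitfall in the note can both be checked offline, before anything is typed into the unit. The following Python script is an added example; it is not part of the FortiOS documentation or of any Fortinet tool. `validate_vdom_name` applies the four restrictions (allowed characters, 11-character limit, no spaces, no collision with existing interface, zone, switch-interface or VDOM names; the caller is assumed to supply those existing names as a set, and matching is assumed to be case-sensitive). `likely_misspellings` flags pairs of VDOM names that differ by a single edit, which is what a VDOM created by a typo in `edit <name>` looks like next to the one that was meant. The sample names at the bottom are constructed.

```python
import re

# Characters FortiOS allows in a VDOM name: letters, digits, "-" and "_".
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_VDOM_NAME_LEN = 11


def validate_vdom_name(name, reserved_names):
    """Return the list of rule violations for a proposed VDOM name.

    An empty list means the name satisfies every restriction on the page.
    reserved_names is a set of names already used by interfaces, zones,
    switch interfaces and other VDOMs (assumed to be collected by the
    caller; the usage example below uses a constructed set).
    """
    problems = []
    if not name:
        return ["name is empty"]
    if " " in name:
        problems.append("spaces are not allowed")
    # Check the remaining characters independently of the space rule.
    if not _ALLOWED_CHARS.match(name.replace(" ", "")):
        problems.append("only letters, numbers, '-' and '_' are allowed")
    if len(name) > MAX_VDOM_NAME_LEN:
        problems.append(f"longer than {MAX_VDOM_NAME_LEN} characters")
    if name in reserved_names:
        problems.append("name is already used by an interface, zone, switch interface or VDOM")
    return problems


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def likely_misspellings(vdom_names, max_distance=1):
    """Return sorted pairs of VDOM names within max_distance edits of each other.

    Two VDOMs whose names differ by one character are the typical symptom of
    'edit <name>' run with a typo, which silently creates a new VDOM.
    """
    names = sorted(set(vdom_names))
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if edit_distance(a, b) <= max_distance:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    # Constructed sample: names from an imaginary unit, not real data.
    reserved = {"root", "port1", "port2", "dmz", "sales"}
    for candidate in ["sales", "hr", "guest wifi", "engineering-lab"]:
        print(candidate, "->", validate_vdom_name(candidate, reserved) or "OK")
    # "sale" beside "sales" is the shape of a VDOM created by a typo.
    print(likely_misspellings(["root", "sales", "sale", "hr"]))
```

Feed `likely_misspellings` the output of the unit's VDOM list after each change window; a reported pair is worth a look before the stray VDOM accumulates interfaces or policies that later block its deletion.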

Disabling a Virtual Domain

The status of a VDOM can be Enabled or Disabled.

Active status VDOMs can be configured. Active is the default status when a VDOM is created. The management VDOM must be an Active VDOM.

Disabled status VDOMs are considered “offline”. The configuration remains, but you cannot use the VDOM, and only the super_admin administrator can view it. You cannot delete a disabled VDOM without first enabling it and removing references to it as usual; there is no Delete icon for disabled VDOMs. You can assign interfaces to a disabled VDOM.

The following procedures show how to disable a VDOM called “test-vdom”.

To disable a VDOM - web-based manager:
  1. Go to Global > System > VDOM.
  2. Open the VDOM for editing.
  3. Ensure Enable is not selected and then select OK.
    The VDOM’s Enable icon in the VDOM list is a grey X.

To disable a VDOM - CLI:

config vdom
    edit test-vdom
        config system settings
            set status disable
        end
end

To enable a VDOM - web-based manager:
  1. Go to Global > System > VDOM.
  2. Open the VDOM for editing.
  3. Ensure Enable is selected and then select OK.
    The VDOM’s Enable icon in the VDOM list is a green checkmark.

To enable a VDOM - CLI:

config vdom
    edit test-vdom
        config system settings
            set status enable
        end
end

Deleting a VDOM

Deleting a VDOM removes it from the FortiGate unit configuration.

Before you can delete a VDOM, all references to it must be removed, including any per-VDOM objects. If there are any references to the VDOM remaining, you will see an error message and not be able to delete the VDOM.

A disabled VDOM cannot be deleted. You also cannot delete the root VDOM or the management VDOM.

Note: Before deleting a VDOM, a good practice is to reset any interface referencing that VDOM to its default configuration, with “root” selected as the Virtual Domain.

The following procedures show how to delete the test-vdom VDOM.

To delete a VDOM - web-based manager:
  1. Go to Global > System > VDOM.
  2. Select the check box for the VDOM and then select the Delete icon.

    If the Delete icon is not active, there are still references to the VDOM that must first be removed. The Delete icon is available when all the references to this VDOM are removed.

  3. Confirm the deletion.

To delete a VDOM - CLI:

config vdom
    delete test-vdom
end

Removing references to a VDOM

When you are going to delete a VDOM, all references to that VDOM must first be removed. It can be difficult to find all the references to the VDOM. This section provides a list of common objects that must be removed before a VDOM can be deleted, and a CLI command to help list the dependencies.

Interfaces are an important part of VDOMs. If you can move all the interfaces out of a VDOM, generally you will be able to delete that VDOM.

Common objects that refer to VDOMs

When you are getting ready to delete a VDOM, check for and remove the following objects that refer to that VDOM or its components:

  • Routing - both static and dynamic routes
  • Firewall addresses, policies, groups, or other settings
  • Security Features/Profiles
  • VPN configuration
  • Users or user groups
  • Logging
  • DHCP servers
  • Network interfaces, zones, custom DNS servers
  • VDOM Administrators
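
The reference hunt described in this section can be done against an exported configuration file rather than by clicking through each object type. The following Python script is an added example; it is not part of the FortiOS documentation or of any Fortinet tool, and it assumes the usual text layout of a FortiOS configuration backup (nested `config` / `edit` / `next` / `end` blocks, with global objects under `config global` and per-VDOM objects under `config vdom` / `edit <name>`). `find_vdom_references` lists every `set vdom` line outside the VDOM that points at it, with the section and entry it sits in, which covers interfaces, administrators and any other global object that names a VDOM; `find_vdom_contents` lists the per-VDOM configuration sections (routing, firewall policies and so on) still defined inside the VDOM's own block. `SAMPLE_CONFIG` is constructed for the example.

```python
import re

# Constructed sample in FortiOS backup layout; not taken from a real unit.
SAMPLE_CONFIG = """\
config vdom
edit root
next
edit sales
next
end
config global
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
    next
    edit "port2"
        set vdom "sales"
    next
end
config system admin
    edit "admin_sales"
        set vdom "sales"
        set accprofile "prof_admin"
    next
end
end
config vdom
edit sales
config firewall policy
    edit 1
        set srcintf "port2"
    next
end
config router static
    edit 1
        set device "port2"
    next
end
next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
_SET_VDOM_RE = re.compile(r'^set\s+vdom\s+"?([^"\s]+)"?$')


def _frames(config_text):
    """Walk the config and yield (kind, value, enclosing_stack) for each
    'config' or 'set' line. The stack holds ('config', name) / ('edit', name)
    frames for the blocks that enclose the line; 'next' and 'end' pop them."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            yield "config", section, list(stack)
            stack.append(("config", section))
        elif line.startswith("edit "):
            stack.append(("edit", _EDIT_RE.match(line).group(1)))
        elif line == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif line == "end":
            while stack and stack[-1][0] == "edit":   # tolerate a missing 'next'
                stack.pop()
            if stack:
                stack.pop()
        else:
            yield "set", line, list(stack)


def find_vdom_references(config_text, vdom):
    """Return [(section, entry), ...] for every 'set vdom <vdom>' line, e.g.
    ('system interface', 'port2'); each one must be moved or removed first."""
    refs = []
    for kind, value, stack in _frames(config_text):
        if kind != "set":
            continue
        m = _SET_VDOM_RE.match(value)
        if not m or m.group(1) != vdom:
            continue
        sections = [n for k, n in stack if k == "config" and n not in ("global", "vdom")]
        entries = [n for k, n in stack if k == "edit"]
        refs.append((" ".join(sections), entries[-1] if entries else ""))
    return refs


def find_vdom_contents(config_text, vdom):
    """Return the per-VDOM sections defined directly under config vdom / edit <vdom>."""
    return [value for kind, value, stack in _frames(config_text)
            if kind == "config" and stack == [("config", "vdom"), ("edit", vdom)]]


if __name__ == "__main__":
    for name in ("sales", "root"):
        print(name, "referenced by:", find_vdom_references(SAMPLE_CONFIG, name))
        print(name, "still contains:", find_vdom_contents(SAMPLE_CONFIG, name))
```

Run it against a backup taken just before the deletion; an empty reference list together with an empty contents list is the state in which the Delete icon becomes available.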

Administrators in Virtual Domains

When Virtual Domains are enabled, permissions change for administrators. Administrators are now divided into per-VDOM administrators, and super_admin administrators. Only super_admin administrator accounts can create other administrator accounts and assign them to a VDOM.

Administrator VDOM permissions

Different types of administrator accounts have different permissions within VDOMs. For example, if you are using a super_admin profile account, you can perform all tasks. However, if you are using a regular admin account, the tasks available to you depend on whether you have read-only or read/write permissions. The following table shows which tasks can be performed by which administrators.

Administrator VDOM permissions

Task                                 Regular admin (read-only)   Regular admin (read/write)   Super_admin profile admin
View global settings                 yes                         yes                          yes
Configure global settings            no                          no                           yes
Create or delete VDOMs               no                          no                           yes
Configure multiple VDOMs             no                          no                           yes
Assign interfaces to a VDOM          no                          no                           yes
Revision Control Backup and Restore  no                          no                           yes
Create VLANs                         no                          yes - for 1 VDOM             yes - for all VDOMs
Assign an administrator to a VDOM    no                          no                           yes
Create additional admin accounts     no                          yes - for 1 VDOM             yes - for all VDOMs
Create and edit protection profiles  no                          yes - for 1 VDOM             yes - for all VDOMs

The only difference in admin accounts when VDOMs are enabled is selecting which VDOM the admin account belongs to. Otherwise, by default the administration accounts are the same as when VDOMs are disabled and closely resemble the super_admin account in their privileges.

Creating administrators for Virtual Domains

Using the admin administrator account, you can create additional administrator accounts and assign them to VDOMs.

Note: The newly-created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM or through the console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. Without these in place, the new administrator will not be able to access the FortiGate unit and will have to contact the super_admin administrator for access.

The following procedure creates a new Local administrator account called admin_sales with a password of fortinet in the sales VDOM using the prof_admin default profile.

To create an administrator for a VDOM - web-based manager:
  1. Log in with a super_admin account.
  2. Go to System > Administrators.
  3. Select Create New.
  4. Select Regular for Type, as you are creating a Local administrator account.
  5. Enter the necessary information about the administrator: email, password, etc.
  6. If this admin will be accessing the VDOM from a particular IP address or subnet, enable Restrict this Admin Login from Trusted Hosts Only and enter the IP in Trusted Host #1.
  7. Select prof_admin for the Admin Profile.
  8. Select sales from the list of Virtual Domains.
  9. Select OK.

To create administrators for VDOMs - CLI:

config global
    config system admin
        edit <new_admin_name>
            set vdom <vdom_for_this_account>
            set password <pwd>
            set accprofile <an_admin_profile>
            ...
        end
end

Virtual Domain administrator dashboard display

When an administrator logs into their Virtual Domain, they see a different dashboard from the one the global administrator sees. The VDOM dashboard displays only information relevant to that VDOM; no global or other-VDOM information is displayed.

VDOM dashboard information

Information             per-VDOM                      Global
System Information      read-only                     yes
License Information     no                            yes
CLI console             yes                           yes
Unit Operation          read-only                     yes
Alert Message Console   no                            yes
Top Sessions            limited to VDOM sessions      yes
Traffic                 limited to VDOM interfaces    yes
Statistics              yes                           yes