FortiOS 5.6 Online Help Link FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link

Home > Online Help

Using a VDOM in NAT/Route mode

Once you have enabled virtual domains and created one or more VDOMs, you need to configure them. Configuring VDOMs on your FortiGate unit includes tasks such as the ones listed here; while you may not require all for your network topology, it is recommended that you perform them in the order given:

Changing the management virtual domain

The management virtual domain is the virtual domain where all the management traffic for the FortiGate unit originates. This management traffic needs access to remote servers, such as FortiGuard services and NTP, to perform its duties. It needs access to the Internet to send and receive this traffic.

Management traffic includes, but is not limited to

  • DNS lookups
  • logging to FortiAnalyzer or syslog
  • FortiGuard service
  • sending alert emails
  • Network time protocol traffic (NTP)
  • Sending SNMP traps
  • Quarantining suspicious files and email.

By default the management VDOM is the root domain. When other VDOMs are configured on your FortiGate unit, management traffic can be moved to one of these other VDOMs.

Reasons to move the management VDOM include selecting a non-root VDOM to be your administration VDOM, or the root VDOM not having an interface with a connection to the Internet.

note icon You cannot change the management VDOM if any administrators are using RADIUS authentication.

The following procedure will change the management VDOM from the default root to a VDOM named mgmt_vdom. It is assumed that mgmt_vdom has already been created and has an interface that can access the Internet.

To change the management VDOM - web-based manager:
  1. Select Global > System > VDOM.
  2. Select the checkbox next to the required VDOM.
  3. Select Switch Management.
    The current management VDOM is shown in square brackets, “[root]” for example.
To change the management VDOM - CLI:

config global

config system global

set management-vdom mgmt_vdom



Management traffic will now originate from mgmt_vdom.

Configuring interfaces

A VDOM must contain at least two interfaces to be useful. These can be physical interfaces or VLAN interfaces. By default, all physical interfaces are in the root VDOM. When you create a new VLAN, it is in the root VDOM by default.

When there are VDOMs on the FortiGate unit in both NAT and Transparent operation modes, some interface fields will be displayed as “-” on Network > Interfaces. Only someone with a super_admin account can view all the VDOMs.

note icon When moving an interface to a different VDOM, firewall IP pools and virtual IPs for this interface are deleted. You should manually delete any routes that refer to this interface. Once the interface has been moved to the new VDOM, you can add these services to the interface again.


note icon When configuring VDOMs on FortiGate units with accelerated interfaces you must assign both interfaces in the pair to the same VDOM for those interfaces to retain their acceleration. Otherwise they will become normal interfaces.

This section includes the following topics:

Adding a VLAN to a NAT/Route VDOM

The following example shows one way that multiple companies can maintain their security when they are using one FortiGate unit with VLANs that share interfaces on the unit.

This procedure will add a VLAN interface called client1-v100 with a VLAN ID of 100 to an existing VDOM called client1 using the physical interface called port2.

note icon The physical interface does not need to belong to the VDOM that the VLAN belongs to.
To add a VLAN subinterface to a VDOM - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select Create New.
  3. Enter the following information and select OK:
Name client1-v100
Interface port2
Virtual Domain Client1
Addressing mode Manual
Administrative Access HTTPS, SSH

You will see an expand arrow added to the port2 interface. When the arrow is expanded, the interface shows the client1-v100 VLAN subinterface.

To add a VLAN subinterface to a VDOM - CLI:

config global

config system interface

edit client1-v100

set type vlan

set vlanid 100

set vdom Client1

set interface port2

set ip

set allowaccess https ssh


Moving an interface to a VDOM

Interfaces belong to the root VDOM by default. Moving an interface is the same procedure no matter if its moving from the root VDOM or a any other VDOM.

If you have an accelerated pair of physical interfaces both interfaces must be in the same VDOM or you will lose their acceleration.

The following procedure will move the port3 interface to the Client2 VDOM. This is a common action when configuring a VDOM. It is assumed that the Client2 VDOM has already been created. It is also assumed that your FortiGate unit has a port3 interface. If you are using a different model, your physical interfaces may not be named port2, external or port3.

To move an existing interface to a different VDOM - web-based manager:
  1. Go to Global > Network > Interfaces.
  2. Select Edit for the port3 interface.
  3. Select Client2 as the new Virtual Domain.
  4. Select OK.
To move an existing interface to a different VDOM - CLI:

config global

config system interface

edit port3

set vdom Client2


Deleting an interface

Before you can delete a virtual interface, or move an interface from one VDOM to another, all references to that interface must be removed. For a list of objects that can refer to an interface see Virtual Domains Overview.

The easiest way to be sure an interface can be deleted is when the Delete icon is no longer greyed out. If it remains greyed out when an interface is selected, that interface still has objects referring to it, or it is a physical interface that cannot be deleted.

To delete a virtual interface - web-based manager:
  1. Ensure all objects referring to this interface have been removed.
  2. Select Global > Network > Interfaces.
  3. Select the interface to delete.
  4. Select the delete icon.

Adding a zone to a VDOM

Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone.

Zones are VDOM-specific. A zone cannot be moved to a different VDOM. Any interfaces in a zone cannot be used in another zone. To move a zone to a new VDOM requires deleting the current zone and re-creating a zone in the new VDOM.

The following procedure will create a zone called accounting in the client2 VDOM. It will not allow intra-zone traffic, and both port3 and port2 interfaces belong to this zone. This is a method of grouping and isolating traffic over particular interfaces—it is useful for added security and control within a larger network.

To add a zone to a VDOM - web-based manager:
  1. In Virtual Domains, select the client2 VDOM.
  2. Go to Network > Interfaces.
  3. Select Create New > Zone.
  4. Enter the following information and select OK:
Zone Name accounting
Block intra-zone traffic Select
Interface Members port3, port2
To add a zone to a VDOM - CLI:

config vdom

edit client2

config system zone

edit accounting

set interface port3 port2

set intrazone deny



Configuring VDOM routing

Routing is VDOM-specific. Each VDOM should have a default static route configured as a minimum. Within a VDOM, routing is the same as routing on your FortiGate unit without VDOMs enabled.

When configuring dynamic routing on a VDOM, other VDOMs on the FortiGate unit can be neighbors. The following topics give a brief introduction to the routing protocols, and show specific examples of how to configure dynamic routing for VDOMs. Figures are included to show the FortiGate unit configuration after the successful completion of the routing example.

Default static route for a VDOM

The routing you define applies only to network traffic entering non-ssl interfaces belonging to this VDOM. Set the administrative distance high enough, typically 20, so that automatically configured routes will be preferred to the default.

In the following procedure, it is assumed that a VDOM called “Client2” exists. The procedure will create a default static route for this VDOM. The route has a destination IP of, on the port3 interface. It has a gateway of, and an administrative distance of 20.

The values used in this procedure are very standard, and this procedure should be part of configuring all VDOMs.

To add a default static route for a VDOM - web-based manager:
  1. In Virtual Domains, select the client2 VDOM.
  2. Go to Network > Static Routes.
  3. Select Create New.
  4. Enter the following information and select OK:
Destination IP/Mask
Device port2
Distance 20
To add a default static route for a VDOM - CLI:

config vdom

edit client2

config router static

edit 4

set device port2

set dst

set gateway

set distance 20



Dynamic Routing in VDOMs

Dynamic routing is VDOM-specific, like all other routing. Dynamic routing configuration is the same with VDOMs as with your FortiGate unit without VDOMs enabled, once you are at the routing menu. If you have multiple VDOMs configured, the dynamic routing configuration between them can become quite complex.

VDOMs provide some interesting changes to dynamic routing. Each VDOM can be a neighbor to the other VDOMs. This is useful in simulating a dynamic routing area or AS or network using only your FortiGate unit.

You can separate different types of routing to different VDOMs if required. This allows for easier troubleshooting. This is very useful if your FortiGate unit is on the border of a number of different routing domains.

For more information on dynamic routing in FortiOS, see the Advanced Routing handbook.

Inter-VDOM links must have IP addresses assigned to them if they are part of a dynamic routing configuration. Inter-VDOM links may or may not have IP addresses assigned to them. Without IP addresses, you need to be careful how you configure routing. While the default static route can be assigned an address of and rely instead on the interface, dynamic routing almost always requires an IP address.


The RIP dynamic routing protocol uses hop count to determine the best route, with a hop count of 1 being directly attached to the interface and a hop count of 16 being unreachable. For example if two VDOMs on the same FortiGate unit are RIP neighbors, they have a hop count of 1.


OSPF communicates the status of its network links to adjacent neighbor routers instead of the complete routing table. When compared to RIP, OSPF is more suitable for large networks, it is not limited by hop count, and is more complex to configure. For smaller OSPF configurations its easiest to just use the backbone area, instead of multiple areas.


BGP is an Internet gateway protocol (IGP) used to connect autonomous systems (ASes) and is used by Internet service providers (ISPs). BGP stores the full path, or path vector, to a destination and its attributes which aid in proper routing.

Configuring security policies

Security policies are VDOM-specific. This means that all firewall settings for a VDOM, such as firewall addresses and security policies, are configured within the VDOM.

In VDOMs, all firewall related objects are configured per-VDOM including addresses, service groups, security profiles, schedules, traffic shaping, and so on. If you want firewall addresses, you will have to create them on each VDOM separately. If you have many addresses, and VDOMs this can be tedious and time consuming. Consider using a FortiManager unit to manage your VDOM configuration — it can get firewall objects from a configured VDOM or FortiGate unit, and push those objects to many other VDOMs or FortiGate units. See the FortiManager Administration Guide.

note icon You can customize the Policy display by including some or all columns, and customize the column order onscreen. Due to this feature, security policy screenshots may not appear the same as on your screen.

Configuring a security policy for a VDOM

Your security policies can involve only the interfaces, zones, and firewall addresses that are part of the current VDOM, and they are only visible when you are viewing the current VDOM. The security policies of this VDOM filter the network traffic on the interfaces and VLAN subinterfaces in this VDOM.

A firewall service group can be configured to group multiple services into one service group. When a descriptive name is used, service groups make it easier for an administrator to quickly determine what services are allowed by a security policy.

In the following procedure, it is assumed that a VDOM called Client2 exists. The procedure will configure an outgoing security policy. The security policy will allow all HTTPS, SSH, and DNS traffic for the SalesLocal address group on VLAN_200 going to all addresses on port3. This traffic will be scanned and logged.

To configure a security policy for a VDOM - web-based manager:
  1. In Virtual Domains, select the client2 VDOM.
  2. Go to Policy & Objects > IPv4 Policy.
  3. Select Create New.
  4. Enter the following information and select OK:
Name Client2-outgoing
Incoming Interface VLAN_200
Outgoing Interface port3
Source Address SalesLocal
Destination Address any
Schedule always
Log Allowed Traffic enable
To configure a security policy for a VDOM - CLI:

config vdom

edit Client2

config firewall policy

edit 12

set srcintf VLAN_200

set srcaddr SalesLocal

set dstintf port3(dmz)

set dstaddr any

set schedule always

set service HTTPS SSH

set action accept

set status enable

set logtraffic enable




Changing the inspection mode

If you wish to change the inspection mode for a VDOM, go to System > VDOM and edit the VDOM you want to configure. Set Inspection Mode to either Proxy or Flow-based.

VDOMs on the same FortiGate can use different inspection modes.

Configuring security profiles

In NAT/Route VDOMs, security profiles are exactly like regular FortiGate unit operation with one exception. In VDOMs, there are no default security profiles.

If you want security profiles in VDOMs, you must create them yourself. If you have many security profiles to create in each VDOM, you should consider using a FortiManager unit. It can get existing profiles from a VDOM or FortiGate unit, and push those profiles down to multiple other VDOMs or FortiGate units. See the FortiManager Administration Guide.

When VDOMs are enabled, you only need one FortiGuard license for the physical unit, and download FortiGuard updates once for the physical unit. This can result in a large time and money savings over multiple physical units if you have many VDOMs.

Configuring VPNs for a VDOM

Virtual Private Networking (VPN) settings are VDOM-specific, and must be configured within each VDOM. Configurations for IPsec Tunnel, IPsec Interface, PPTP and SSL are VDOM-specific.