Configuring VDOMs
Only a super admin administrator account such as the default admin account can create, disable, or delete VDOMs. That account can create additional administrators for each VDOM.
This section includes:
- Creating a VDOM
- Disabling a VDOM
- Deleting a VDOM
- Administrators in VDOMs
- Changing the management VDOM
Creating a VDOM
Once you have enabled VDOMs on your FortiGate unit, you can create additional VDOMs beyond the default root Virtual Domain.
By default, new VDOMs are set to NAT mode. If you want a Virtual Domain to be in transparent mode, you must manually change it.
You can name a new VDOM as you like, with the following restrictions:
- only letters, numbers, “-”, and “_” are allowed
- no more than 11 characters are allowed
- no spaces are allowed
- VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.
When creating large numbers of VDOMs, you should not enable advanced features such as proxies, web filtering, and antivirus, because FortiGate unit resources are limited. For the same reason, you may experience reduced performance when many VDOMs are configured.
To create a VDOM - GUI:
- Log in with a super_admin account.
- Select Global > System > VDOM.
- Select Create New.
- Enter a unique name for your new VDOM.
- Enter a short and descriptive comment to identify this VDOM.
- Select OK.
Repeat Steps 3 through 6 to add additional VDOMs.
To create a VDOM - CLI:
config vdom
    edit <new_vdom_name>
end
If you want to edit an existing Virtual Domain in the CLI and mistype its name, a new Virtual Domain is created with the misspelled name. If expected configuration changes are not visible, this may be the reason. Periodically check your VDOM list to ensure that no misspelled VDOMs are present.
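As an added example (not part of the original document or of Fortinet's own tooling), the following Python script applies the naming rules above to a proposed VDOM name and scans a FortiOS-style configuration backup for VDOMs that are missing from an operator's expected inventory, which is exactly how a mistyped `edit` shows up. The backup layout assumed here (`config vdom` / `edit <name>` / `next` / `end`) and the sample text are constructed for the example.

```python
import difflib
import re

def check_vdom_name(name, reserved=()):
    """Return this section's naming-rule violations (empty list means the name is valid)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,11}", name):
        problems.append("only letters, digits, '-' and '_', at most 11 characters, no spaces")
    if name in reserved:  # interface, zone, switch-interface and existing VDOM names
        problems.append("same name as an interface, zone or existing VDOM")
    return problems

def vdoms_in_config(config_text):
    """VDOM names: every `edit <name>` directly inside a top-level `config vdom` block."""
    names, depth, in_vdom = set(), 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_vdom = in_vdom or (depth == 0 and line == "config vdom")
            depth += 1
        elif line.startswith("edit "):
            if in_vdom and depth == 1:
                names.add(line[5:].strip().strip('"'))
            depth += 1
        elif line in ("next", "end"):
            depth -= 1
            in_vdom = in_vdom and depth > 0
    return sorted(names)

def unexpected_vdoms(config_text, expected):
    """VDOMs missing from the operator's inventory, each mapped to the expected name it
    most resembles (None if nothing is close): a mistyped `edit` creates exactly these."""
    report = {}
    for name in vdoms_in_config(config_text):
        if name not in expected:
            close = difflib.get_close_matches(name, expected, n=1, cutoff=0.7)
            report[name] = close[0] if close else None
    return report

# Constructed sample in FortiOS backup style; "test-vodm" is a typo of "test-vdom".
SAMPLE_CONFIG = """\
config vdom
edit root
next
edit test-vdom
next
edit test-vodm
next
end
"""
```

Run `unexpected_vdoms(SAMPLE_CONFIG, ["root", "test-vdom"])` against a real backup to list stray VDOMs together with the name each was probably meant to be.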
Disabling a VDOM
The status of a VDOM can be Enabled (Active) or Disabled.
Active VDOMs can be configured. Active is the default status when a VDOM is created. The management VDOM must be an Active VDOM.
Disabled VDOMs are considered “offline”. The configuration remains, but you cannot use the VDOM, and only the super_admin administrator can view it. A disabled VDOM cannot be deleted: there is no Delete icon for disabled VDOMs, so you must first enable it and then remove references to it as usual. You can assign interfaces to a disabled VDOM.
The following procedures show how to disable a VDOM called “test-vdom”.
To disable a VDOM - GUI:
- Go to Global > System > VDOM.
- Open the VDOM for editing.
- Ensure Enable is not selected and then select OK.
The VDOM’s Enable icon in the VDOM list is a grey X.
To disable a VDOM - CLI:
config vdom
    edit test-vdom
        config system settings
            set status disable
        end
end
To enable a VDOM - GUI:
- Go to Global > System > VDOM.
- Open the VDOM for editing.
- Ensure Enable is selected and then select OK.
The VDOM’s Enable icon in the VDOM list is a green checkmark.
To enable a VDOM - CLI:
config vdom
    edit test-vdom
        config system settings
            set status enable
        end
end
Deleting a VDOM
Deleting a VDOM removes it from the FortiGate unit configuration.
Before you can delete a VDOM, all references to it must be removed, including any per-VDOM objects. If any references to the VDOM remain, you will see an error message and will not be able to delete the VDOM.
A disabled VDOM cannot be deleted. You also cannot delete the root VDOM or the management VDOM.
Before deleting a VDOM, a good practice is to reset any interface referencing that VDOM to its default configuration, with “root” selected as the Virtual Domain.
The following procedures show how to delete the test-vdom VDOM.
To delete a VDOM - GUI:
- Go to Global > System > VDOM.
- Select the check box for the VDOM and then select the Delete icon.
If the Delete icon is not active, there are still references to the VDOM that must first be removed. The Delete icon becomes available when all references to this VDOM are removed.
- Confirm the deletion.
To delete a VDOM - CLI:
config vdom
    delete test-vdom
end
Removing references to a VDOM
When you are going to delete a VDOM, all references to that VDOM must first be removed. It can be difficult to find all the references to the VDOM. This section provides a list of common objects that must be removed before a VDOM can be deleted, and a CLI command to help list the dependencies.
Interfaces are an important part of VDOMs. If you can move all the interfaces out of a VDOM, generally you will be able to delete that VDOM.
Common objects that refer to VDOMs
When you are getting ready to delete a VDOM, check for, and remove, the following objects that refer to that VDOM or its components:
- Routing - both static and dynamic routes
- Firewall addresses, policies, groups, or other settings
- Security Features/Profiles
- VPN configuration
- Users or user groups
- Logging
- DHCP servers
- Network interfaces, zones, custom DNS servers
- VDOM Administrators
Administrators in VDOMs
When VDOMs are enabled, permissions change for administrators. Administrators are now divided into per-VDOM administrators and super_admin administrators. Only super_admin administrator accounts can create other administrator accounts and assign them to a VDOM.
Administrator VDOM permissions
Different types of administrator accounts have different permissions within VDOMs. For example, if you are using a super_admin profile account, you can perform all tasks. However, if you are using a regular admin account, the tasks available to you depend on whether you have read-only or read/write permissions. The following table shows which tasks can be performed by which administrators.
Administrator VDOM permissions
Tasks | Regular administrator account, read-only permission | Regular administrator account, read/write permission | Super_admin profile administrator account |
---|---|---|---|
View global settings | yes | yes | yes |
Configure global settings | no | no | yes |
Create or delete VDOMs | no | no | yes |
Configure multiple VDOMs | no | no | yes |
Assign interfaces to a VDOM | no | no | yes |
Revision Control Backup and Restore | no | no | yes |
Create VLANs | no | yes - for 1 VDOM | yes - for all VDOMs |
Assign an administrator to a VDOM | no | no | yes |
Create additional admin accounts | no | yes - for 1 VDOM | yes - for all VDOMs |
Create and edit protection profiles | no | yes - for 1 VDOM | yes - for all VDOMs |
The only difference in admin accounts when VDOMs are enabled is selecting which VDOM the admin account belongs to. Otherwise, by default, the administration accounts are the same as when VDOMs are disabled and closely resemble the super_admin account in their privileges.
Creating administrators for VDOMs
Using the admin administrator account, you can create additional administrator accounts and assign them to VDOMs.
The newly created administrator can access the FortiGate unit only through network interfaces that belong to their assigned VDOM, or through the console interface. The network interface must be configured to allow management access, such as HTTPS and SSH. Without this in place, the new administrator will not be able to access the FortiGate unit and will have to contact the super_admin administrator for access.
The following procedure creates a new Local administrator account called admin_sales with a password of fortinet in the sales VDOM, using the prof_admin default profile.
To create an administrator for a VDOM - GUI:
- Log in with a super_admin account.
- Go to System > Administrators.
- Select Create New.
- Select Regular for Type, as you are creating a Local administrator account.
- Enter the necessary information about the administrator: email, password, etc.
- If this admin will be accessing the VDOM from a particular IP address or subnet, enable Restrict this Admin Login from Trusted Hosts Only and enter the IP in Trusted Host #1.
- Select prof_admin for the Admin Profile.
- Select sales from the list of Virtual Domains.
- Select OK.
To create administrators for VDOMs - CLI:
config global
    config system admin
        edit <new_admin_name>
            set vdom <vdom_for_this_account>
            set password <pwd>
            set accprofile <an_admin_profile>
            ...
        end
end
Virtual Domain administrator dashboard display
When administrators log into their virtual domain, they see a different dashboard than the global administrator sees. The VDOM dashboard displays only information relevant to that VDOM; no global or other-VDOM information is displayed.
VDOM dashboard information
Information | per-VDOM | Global |
---|---|---|
System Information | read-only | yes |
License Information | no | yes |
CLI console | yes | yes |
Unit Operation | read-only | yes |
Alert Message Console | no | yes |
Top Sessions | limited to VDOM sessions | yes |
Traffic | limited to VDOM interfaces | yes |
Statistics | yes | yes |
Changing the management VDOM
The management virtual domain is the virtual domain where all the management traffic for the FortiGate unit originates. This management traffic needs access to remote servers, such as FortiGuard services and NTP, to perform its duties. It needs access to the Internet to send and receive this traffic.
Management traffic includes, but is not limited to:
- DNS lookups
- logging to FortiAnalyzer or syslog
- FortiGuard service
- sending alert emails
- Network time protocol traffic (NTP)
- Sending SNMP traps
- Quarantining suspicious files and email.
By default the management VDOM is the root domain. When other VDOMs are configured on your FortiGate unit, management traffic can be moved to one of these other VDOMs.
Reasons to move the management VDOM include selecting a non-root VDOM to be your administration VDOM, or the root VDOM not having an interface with a connection to the Internet.
You cannot change the management VDOM if any administrators are using RADIUS authentication.
The following procedure will change the management VDOM from the default root to a VDOM named mgmt_vdom. It is assumed that mgmt_vdom has already been created and has an interface that can access the Internet.
To change the management VDOM - GUI:
- Select Global > System > VDOM.
- Select the checkbox next to the required VDOM.
- Select Switch Management.
The current management VDOM is shown in square brackets, “[root]” for example.
To change the management VDOM - CLI:
config global
    config system global
        set management-vdom mgmt_vdom
    end
end
Management traffic will now originate from mgmt_vdom.