Home

FortiGate VDOM Configuration: A Complete Guide to Virtual Domains

.

In today's complex network environments, organizations face the challenge of managing multiple security domains, tenant isolation, and segmented network traffic on a single physical appliance. Fortinet's Virtual Domain (VDOM) technology addresses these challenges by allowing a single FortiGate firewall to operate as multiple, independent virtual firewall instances. This innovative approach provides network administrators with the flexibility to create separate security domains with distinct configurations, policies, and management interfaces while utilizing shared hardware resources efficiently.

According to Fortinet's official documentation, VDOMs enable you to "partition and use your FortiGate unit as if it were multiple units." This capability is particularly valuable for Internet Service Providers (ISPs), managed security service providers (MSSPs), large enterprises with multiple business units, or any organization requiring strict security segmentation between different network zones. This comprehensive guide explores the practical implementation of VDOM technology across different FortiGate platforms and management systems.

Understanding VDOM Fundamentals and Operation Modes

What Are Virtual Domains?

VDOMs transform a single FortiGate appliance into multiple virtual firewalls, each with its own security policies, routing tables, administrators, and configuration settings. This technology allows different departments, customers, or security zones to operate independently while sharing underlying hardware resources.

The root VDOM serves as the management domain that contains system-wide settings and oversees other VDOMs. All other VDOMs operate as child domains under this root. Each VDOM can operate in either NAT mode (the default) or transparent mode, and different VDOMs on the same physical appliance can utilize different modes according to their specific requirements.

Key Benefits of VDOM Implementation

Implementing VDOM architecture offers several significant advantages:

  • Resource Optimization: Maximizes hardware utilization by running multiple logical firewalls on a single appliance
  • Administrative Segmentation: Enables separate administrators for different VDOMs with tailored access permissions
  • Policy Isolation: Maintains completely separate security policies and configurations for different network segments
  • Cost Efficiency: Reduces hardware requirements compared to deploying multiple physical firewalls
  • Simplified Management: Centralizes management of multiple security domains through a single interface

Step-by-Step VDOM Configuration Guide

Prerequisites and Initial Setup

Before implementing VDOMs, verify that your FortiGate model supports this feature. Most enterprise models support VDOM functionality, but entry-level devices may have limitations. The official documentation notes that "on VMs and FortiGate 60 series models and lower, VDOMs can only be enabled using the CLI."

Table: FortiGate VDOM Support Considerations

Platform Type VDOM GUI Support VDOM CLI Support Notes
FortiGate 60 Series & Lower Limited Full GUI limitations for initial setup
FortiGate Mid-Range Models Full Full Complete GUI and CLI support
FortiGate High-End Models Full Full Complete GUI and CLI support
Virtual Machine (VM) Instances Limited Full CLI required for enabling VDOM mode

Enabling Multi-VDOM Mode

The foundational step in VDOM implementation is enabling multi-VDOM mode on your FortiGate device. This process logs you out of the device but doesn't require a system reboot. Your existing configuration automatically becomes part of the root VDOM.

GUI Method:

  1. Navigate to System > Settings
  2. In the System Operation Settings section, enable Virtual Domains
  3. Select Multi VDOM for the VDOM mode
  4. Click OK to apply the changes

CLI Method:

config system global set vdom-mode multi-vdom end

Creating New VDOMs

Once multi-VDOM mode is enabled, you can create additional virtual domains:

GUI Method:

  1. In the Global VDOM, go to System > VDOM
  2. Click Create New to open the New Virtual Domain page
  3. Enter a descriptive name for the VDOM (e.g., "VDOM-A," "VDOM-CORPORATE")
  4. Configure the NGFW Mode (Policy-based or Profile-based) as required
  5. Select appropriate SSL/SSH inspection settings for policy-based NGFW mode
  6. Add optional comments for documentation purposes
  7. Click OK to create the VDOM

CLI Method:

config vdom edit <VDOM-NAME> next end

Advanced VDOM Configuration and Management

Assigning Interfaces to VDOMs

Interface assignment is critical for proper VDOM operation. Each VDOM requires at least one dedicated physical or logical interface. From the practical example provided in the educational resource:

  1. Navigate to Global > Network > Interfaces
  2. Edit each interface and assign it to the appropriate VDOM
  3. Configure addressing modes (DHCP or Manual) according to network requirements
  4. Set administrative access permissions (HTTPS, SSH, PING, etc.) as needed
  5. Enable DHCP server functionality for internal interfaces if required

Example Interface Configuration:

  • Port2: Assigned to VDOM-B, DHCP client mode
  • Port3: Assigned to VDOM-A, DHCP client mode
  • Port4: Assigned to VDOM-A, Static IP (192.168.91.1/24), DHCP server enabled
  • Port5: Assigned to VDOM-B, Static IP (192.168.92.1/24), DHCP server enabled

Configuring VDOM-Specific Administrators

For proper security and management segregation, create dedicated administrators for each VDOM:

  1. Go to Global > System > Administrators
  2. Click Create New to add a new administrator
  3. Set Type to Local User
  4. Enter username and password credentials
  5. Set Administrator Profile according to required access level
  6. Assign the administrator to specific VDOM(s) by selecting them in the Virtual Domain field
  7. Remove the root VDOM from administrators who shouldn't have system-wide access

Establishing Security Policies and Routing

Each VDOM requires its own security policies and routing configuration:

Routing Configuration:

  1. Switch to the target VDOM context
  2. Navigate to Network > Static Routes
  3. Create a default route (0.0.0.0/0.0.0.0) pointing to the appropriate gateway
  4. Specify the outgoing interface and gateway IP address

Security Policy Configuration:

  1. In the VDOM context, go to Policy & Objects > Firewall Policy
  2. Create policies specifying:
    • Incoming and outgoing interfaces
    • Source and destination addresses
    • Services
    • NAT settings (typically enabled for internet-facing policies)
    • Security profiles and additional features

Implementing Inter-VDOM Routing

For VDOMs that need to communicate with each other, FortiGate provides inter-VDOM routing through virtual links:

  1. Ensure both VDOMs operate in NAT mode (required for inter-VDOM links)
  2. Navigate to System > Interface
  3. Click Create New > VDOM Link
  4. Configure both ends of the link with:
    • Unique names for each end
    • Interface assignment (0 or 1)
    • VDOM assignment for each end
    • IP addressing for the link
    • Administrative access settings

Inter-VDOM links function as virtual interfaces that internally connect VDOMs without requiring external physical connections, creating efficient and secure communication channels between virtual domains.

VDOM Management with FortiManager

For organizations managing multiple FortiGate devices, FortiManager provides centralized VDOM administration:

Enabling VDOMs in FortiManager

  1. Go to Device Manager > Device & Groups
  2. Select the target device group and specific device
  3. In the System Information widget, click the Enable link in the VDOM field

Creating VDOMs through FortiManager

  1. From the device dashboard, select System > Virtual Domain
  2. Click Create New to add a VDOM
  3. Configure VDOM properties including name, type, and operational settings
  4. Additional VDOMs can be created by right-clicking existing VDOMs and selecting Add VDOM

Common VDOM Configuration Examples

Example 1: ISP Providing Services to Multiple Companies

As illustrated in the educational example, an ISP can use VDOMs to provide independent internet services to different companies on a single FortiGate:

  • VDOM-A: Services Company A with internal network 192.168.91.0/24
  • VDOM-B: Services Company B with internal network 192.168.92.0/24
  • Root VDOM: Management domain for the ISP

Each company receives completely isolated networking, security policies, and administrative access while sharing the physical infrastructure.

Example 2: Enterprise Segmentation

A corporation might implement VDOMs to separate:

  • Corporate VDOM: Standard employee network access
  • DMZ VDOM: Public-facing servers and services
  • Guest VDOM: Visitor wireless access with restricted policies
  • IoT VDOM: Isolated network for Internet of Things devices

Troubleshooting and Maintenance Considerations

Common Configuration Issues

  • Interface Assignment Problems: If unable to modify interface VDOM assignment, ensure no policies or configurations reference the interface
  • Administrative Access: Verify administrators are assigned to correct VDOMs with appropriate privileges
  • Routing Failures: Check that each VDOM has proper default and specific routes configured
  • Inter-VDOM Communication: Confirm VDOM links are properly configured with correct IP addressing

VDOM Deletion Process

When removing a VDOM, follow this careful process:

  1. Remove all policies from the VDOM
  2. Delete all VDOM-specific objects (routes, VPNs, etc.)
  3. Remove administrator accounts assigned exclusively to the VDOM
  4. Navigate to System > VDOM
  5. Right-click the target VDOM and select Delete
  6. Confirm deletion in the dialog box

Frequently Asked Questions

What is the difference between NAT mode and transparent mode for VDOMs?

VDOMs in NAT mode operate as traditional firewalls with routing capabilities, performing address translation between networks. Transparent mode VDOMs function as Layer 2 bridges without routing, useful for inline deployment without changing existing IP schemes. The choice depends on your network architecture requirements.

How many VDOMs can I create on my FortiGate?

The maximum number of VDOMs varies by FortiGate model and firmware version. Enterprise models typically support tens to hundreds of VDOMs, while entry-level devices may support fewer. Check your specific model's datasheet or use the CLI command get system vdom-resource to view VDOM capacity.

Can I assign a physical interface to multiple VDOMs?

A physical interface can only belong to a single VDOM. However, you can create VLAN subinterfaces on a physical interface and assign different VLANs to different VDOMs, effectively sharing physical connections while maintaining logical separation.

What happens to my existing configuration when I enable VDOM mode?

When you enable multi-VDOM mode, your current configuration becomes part of the root VDOM. You remain logged into the root VDOM after enabling VDOM mode, and you can then create additional VDOMs with fresh configurations.

How does VDOM performance compare to separate physical devices?

VDOMs provide excellent performance segmentation when properly configured with resource limits. Each VDOM can be allocated guaranteed bandwidth and session limits. For maximum performance isolation, higher-end FortiGate models with dedicated processing resources per VDOM are recommended.

Can I migrate configurations between VDOMs?

Yes, configuration elements can be migrated between VDOMs using backup/restore functions or configuration scripts. The FortiConverter tool can assist with complex migrations by restructuring configuration files for different VDOM contexts.

Conclusion

FortiGate VDOM technology represents a powerful approach to network segmentation and multi-tenancy on a single security platform. By understanding the fundamental concepts, configuration procedures, and management considerations outlined in this guide, network administrators can effectively implement virtual domains tailored to their organizational requirements. Whether for service provider environments, enterprise network segmentation, or complex security architectures, VDOMs provide the flexibility and isolation needed in modern network designs while optimizing hardware investments and simplifying centralized management.