July 4, 2022

Technical Tip: Configuring new administrative VDOM types

Description

This article describes the changes introduced in v7.2.0 to split-task VDOM mode.

Scope

FortiGate v7.2.0 and above.

Solution

On FortiOS versions from v6.2.0 to v7.0.x, a FortiGate administrator could configure the firewall to act in split-task VDOM mode.

More information about this feature can be found in the following KB article:

Technical Tip: Configuring split-task VDOM mode With Fortinet Security Fabric

From FortiOS v7.2.0+ GA releases, the split-task VDOM feature was removed and a new VDOM type named Admin was introduced. Important details about the new feature are:

  1. There can be two types of VDOMs:
    1. Admin type, which can be used only for management access.
    2. Traffic type that is used for passing traffic through the firewall.

A VDOM of type admin is intended solely for management access. This means that it has no traffic-related configuration or log sections:

Log categories displayed in an Admin-type VDOM (screenshot: vdomType-admin-logSection-category.png).

Log categories displayed in a Traffic-type VDOM (screenshot: vdomType-traffic_NewVdom-logSection-category.png).

  2. Only one administrative VDOM can exist at a time.

  3. Upon upgrade to v7.2.0+ releases, if a FortiGate was configured in split-task VDOM mode, it will be automatically converted to multi-VDOM mode.
    1. The FortiGate-traffic VDOM will now become a Traffic VDOM.
    2. The root VDOM will now become an Admin-type VDOM.

To configure the VDOM feature in the CLI, multi-VDOM mode must be enabled.

The following commands enable multi-VDOM mode:

config system global
    set vdom-mode multi-vdom
end

 

You will be logged out for the operation to take effect.
Do you want to continue? (y/n)

 

Then, on the individual VDOM:

config vdom
    edit <Name_Of_The_VDOM>
        config system settings
            set vdom-type {traffic | admin}
        end
    next
end

 

If there is an issue using all of the VDOMs permitted by the license, as shown in the output below, follow these steps.

get system status
Max number of virtual domains: 7 <-----
Virtual domains status: 6 in NAT mode, 0 in TP mode

 

The following debug commands can be used to check the error displayed:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug cli 8
diagnose debug application httpsd -1
diagnose debug enable

When finished, use the following command to stop the debug output:

diagnose debug disable

 

config global
    config system vdom
        edit "Test"
            set short-name "Test" --> Root VDOM type must be admin to create a new VDOM.
end
[httpsd 9289 - 1737536317 info] cmdb_save_with_children[280] -- appended main node (nret=-4, is_new=1)
[httpsd 9289 - 1737536317 error] cmdb_save_with_children[285] -- saving failed for main node: 'vdom' (err=-4)

[httpsd 9289 - 1737536317 error] cmdb_commit_from_json[2186] -- error saving request object to CLI (-4)
[httpsd 9289 - 1737536317 error] _api_cmdb_v2_config[1456] -- error editing object (nret=-4)
[httpsd 9289 - 1737536317 warning] api_return_http_result[1304] -- API error -4 raised

 

To resolve this issue, the 'root' VDOM must be of type admin before another traffic VDOM can be added.

 

There is a special case where only one admin VDOM and one traffic VDOM can be configured.
FortiGate VMs with one VDOM license (S-series, V-series, FortiFlex) have a maximum number of two VDOMs.

For example:

 

FGVMTAC (global) # diagnose debug vm-print-license
SerialNumber: FGVMSLTMXXXXXXXXX
CreateDate: Fri Oct 10 20:17:45 2025
License expires: Fri Sep 25 16:00:00 2026
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Signature: yes
Model: SL (18) <-----
CPU: 2 (subscription:2)
MEM: 2147483647
VDOM license: <-----
permanent: 2 <-----
subscription: 0

FGVMTAC # config vdom
FGVMTAC (vdom) # edit TEST
Could not create VD, all VD licenses have been used. <-----
Command fail. Return code -4


2025-11-13 18:03:01 0: config global
2025-11-13 18:03:01 0: config system vdom
2025-11-13 18:03:01 0: edit "Prueba"
2025-11-13 18:03:01 0: set short-name "Prueba"
2025-11-13 18:03:01 root vdom type must be admin to create new vdom. <-----
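
Both failures above end in return code -4, so the accompanying message and the VDOM headroom are what distinguish them. The following Python script is an added example, not Fortinet code: it scans captured CLI or debug text for the messages quoted in this article and computes the free VDOM count from `get system status`. The function name `triage`, the cause labels and the merged sample capture are assumptions made for the illustration.

```python
import re

# Constructed sample: lines copied from the outputs quoted in this article,
# merged into one capture for the demonstration.
SAMPLE = """\
Max number of virtual domains: 7
Virtual domains status: 6 in NAT mode, 0 in TP mode
[httpsd 9289 - 1737536317 error] cmdb_save_with_children[285] -- saving failed for main node: 'vdom' (err=-4)
2025-11-13 18:03:01 0: edit "Prueba"
2025-11-13 18:03:01 root vdom type must be admin to create new vdom.
"""

# The two explicit messages the article shows behind return code -4.
# The labels are hypothetical names chosen for this example.
CAUSES = {
    "root-not-admin": re.compile(r"root vdom type must be admin", re.I),
    "license-exhausted": re.compile(r"all VD licenses have been used", re.I),
}
MAX_RE = re.compile(r"Max number of virtual domains:\s*(\d+)")
USED_RE = re.compile(
    r"Virtual domains status:\s*(\d+) in NAT mode,\s*(\d+) in TP mode")
ERR4_RE = re.compile(r"err=-4|Return code -4|API error -4")


def triage(capture):
    """Classify a failed VDOM creation from captured CLI/debug text."""
    causes = [name for name, rx in CAUSES.items() if rx.search(capture)]
    limit = MAX_RE.search(capture)
    used = USED_RE.search(capture)
    free = None
    if limit and used:
        free = int(limit.group(1)) - int(used.group(1)) - int(used.group(2))
    # -4 with spare VDOM slots and no explicit message matches the article's
    # first case, where the fix was the root VDOM type. Reported as a hint.
    if not causes and ERR4_RE.search(capture) and free is not None and free > 0:
        causes.append("check-root-vdom-type")
    return {"causes": causes, "free_vdoms": free}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `root-not-admin` result with free VDOMs remaining points to the root VDOM type rather than the license; `license-exhausted` points to the VDOM license limit described above.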

 

Related document:
FortiGate VM VDOM licenses