pkumari
Staff
January 27, 2025

Technical Tip: Impact of changing Management VDOM


Description

This article describes the impact of changing the management VDOM.

The management VDOM is set to root by default.

Scope

FortiGate: all versions. Not available on FortiGate 6000F, 7000E, and 7000F series.

Solution

The management VDOM on Fortinet devices is the VDOM designated to carry management-related services such as FortiGuard updates and locally originated outbound traffic, for example logs sent to remote servers, SNMP probing, and NTP requests. By default, the root VDOM serves as the management VDOM.

When a FortiGate runs multiple VDOMs, the correct management VDOM must be configured for this management-related traffic to work.

 

Configuration:

The management VDOM can be assigned manually from the GUI or the CLI.

Checking the current management VDOM:

config global
show full system global | grep management-vdom

 

Refer to the article below for the FortiGuard license update issue due to incorrect management VDOM: Technical Tip: Purpose of Management VDOM in the case of license/contract information.

 

To assign the management VDOM in the GUI:

In the Global VDOM, go to System -> VDOM.

Select the VDOM desired to be assigned as the management VDOM.

[Image: mgmtvdom.png]

Select Switch Management and then OK.

[Image: confirm.png]

To assign the management VDOM in the CLI:

config global
    config system global
        set management-vdom <vdom>
    end
end

 

  • Changing the management VDOM should be done in a maintenance window.
  • All management traffic, i.e., traffic originated by the FortiGate itself (FortiGuard requests, NTP, DNS requests, logs, etc.), will be sourced from the interfaces in the new management VDOM.
  • Verify the configuration objects that reference the management VDOM and adjust them accordingly.
  • The management VDOM needs to have an internet connection.


The following services also use the management VDOM, so changing it affects them. If any of these services are configured and the management VDOM is changed, verify that their corresponding source-ip is still correct to ensure proper communication:

  • DNS lookups.
  • Logging to a FortiAnalyzer or Syslog.
  • FortiGuard service.
  • Sending alert emails.
  • Network Time Protocol traffic (NTP).
  • Sending SNMP traps.
  • Quarantining suspicious files and emails.
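As an added example (not from the article or from Fortinet), the following Python checks a FortiOS configuration backup for services whose configured source-ip belongs to an interface outside the intended new management VDOM, which is the verification step the list above calls for. The backup excerpt is constructed, and the section names and source-ip lines in it are assumed to follow the usual FortiOS backup layout.

```python
import re

# Constructed FortiOS backup excerpt (not from a real device): two interfaces in different VDOMs and two services that pin a source-ip.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.10 255.255.255.0
    next
    edit "port2"
        set vdom "mgmt"
        set ip 198.51.100.10 255.255.255.0
    next
end
config system dns
    set source-ip 192.0.2.10
end
config system ntp
    set source-ip 198.51.100.10
end
"""

def parse_interfaces(cfg):
    # Map interface IP -> (name, vdom) from the 'config system interface' table.
    ifaces = {}
    body = re.search(r"config system interface\n(.*?)\nend", cfg, re.S).group(1)
    for m in re.finditer(r'edit "([^"]+)"(.*?)\n\s*next', body, re.S):
        vdom = re.search(r'set vdom "([^"]+)"', m.group(2))
        ip = re.search(r"set ip (\S+)", m.group(2))
        if vdom and ip:
            ifaces[ip.group(1)] = (m.group(1), vdom.group(1))
    return ifaces

def check_source_ips(cfg, new_mgmt_vdom):
    # Return (section, ip, iface, vdom) for every 'set source-ip' whose address
    # sits on an interface outside new_mgmt_vdom; these need fixing before the switch.
    ifaces, stack, findings = parse_interfaces(cfg), [], []
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[7:])  # enter a section, e.g. "system dns"
        elif s == "end":
            stack.pop()  # leave it
        elif s.startswith("set source-ip ") and stack:
            ip = s.split()[-1]
            name, vdom = ifaces.get(ip, ("<unknown>", "<unknown>"))
            if vdom != new_mgmt_vdom:
                findings.append((stack[-1], ip, name, vdom))
    return findings
```

Run `check_source_ips(SAMPLE_CONFIG, "mgmt")` against a real backup export to list every source-ip that would no longer be in the management VDOM after the change.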

 

There may also be an error when changing the management VDOM if ACME is using an interface that belongs to the current management VDOM. To resolve this, unset the interface binding in the ACME configuration first.

 

Note that on FortiGate 6000F, 7000E, and 7000F series, the default management VDOM is mgmt-vdom, and it cannot be changed:

FortiGate-6000 7.4.7 incompatibilities and limitations 

FortiGate 7000E 7.4.7 incompatibilities and limitations 

FortiGate 7000F 7.4.7 incompatibilities and limitations

Multi VDOM mode