jcsoto (Staff)
Article Id 424237
Description

This article describes how to configure administrative and traffic VDOM role separation on FortiGate-VM instances deployed in Google Cloud Platform (GCP). It outlines the steps required to convert the root VDOM to an Admin VDOM to allow creation of a second Traffic VDOM on FortiOS 7.4.X, and documents the license-related errors that may be encountered if this requirement is not met.

Scope
  • Platform: Google Cloud Platform (GCP).
  • FortiGate-VM license types:
    • Bring Your Own License (BYOL).
    • Pay As You Go (PAYG).
  • FortiOS version: 7.4.X.
Solution

Fortinet documentation states that VDOM functionality is supported on BYOL FortiGate-VM deployments, while PAYG instances are positioned for single-VDOM operation and do not formally support VDOM usage, even though FortiOS includes the underlying capability to separate administrative and traffic roles.


In GCP deployments running FortiOS 7.4.X, it is possible to configure two VDOMs on both PAYG and BYOL FortiGate-VM instances when:

  • One VDOM is configured as Admin
  • One VDOM is used for Traffic

This configuration does not require additional VDOM licenses because the Admin VDOM does not process traffic. To achieve this setup, the default root VDOM must be converted to an Admin VDOM, after which a second VDOM can be created for traffic processing.


Step 1: Enable multi-VDOM mode:

config system global
    set vdom-mode multi-vdom
end

Hidden CLI Command Behavior:

On FortiGate-VM instances deployed in GCP, the set vdom-mode multi-vdom command is not offered by CLI auto-completion. The full command is still accepted when it is typed in explicitly.

Step 2: Change Root VDOM to Admin Type:

config vdom
    edit root
        config system settings
            set vdom-type admin
        end
    next
end

When prompted, confirm the warning:

Some settings (e.g., firewall policy/object, security profile, wifi/switch controller, user, device, dashboard)
in this VDOM will be deleted.
Do you want to continue? (y/n) y

Note: Changing the VDOM type will remove configuration elements from the root VDOM. This should be performed on a fresh deployment or with proper backups.


Step 3: Create a second VDOM:

config vdom
    edit traffic
    next
end
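
Before running the steps above on an existing unit, it helps to confirm from a configuration backup that the layout will end up as one Admin root plus one Traffic VDOM. The following is an added Python example, not Fortinet code: it parses the config/edit/set/next/end block syntax used in these steps and applies the check; the sample configs are constructed, and it assumes that vdom-type defaults to traffic when the setting is absent.

```python
# Added example, not Fortinet code: a minimal parser for the FortiOS CLI block
# syntax used above plus a check for the Admin-root / single-Traffic-VDOM layout.
def parse_fortios(text):
    """Nest 'config'/'edit' scopes into dicts; 'set' stores key -> value."""
    top, stack = {}, []
    cur = top
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue                              # skip blank lines
        kw, arg = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if kw in ("config", "edit"):              # open a nested scope
            stack.append(cur)
            cur = cur.setdefault(arg.strip('"'), {})
        elif kw == "set":                         # 'set <key> <value>'
            key, _, val = arg.partition(" ")
            cur[key] = val.strip('"')
        elif kw in ("next", "end"):               # close the current scope
            cur = stack.pop()
    return top

def check_vdom_separation(cfg):
    """Return (ok, reason) against the licence constraint described above."""
    mode = cfg.get("system global", {}).get("vdom-mode", "no-vdom")
    if mode != "multi-vdom":
        return False, "vdom-mode is %s, expected multi-vdom" % mode
    # Assumption: vdom-type defaults to traffic when it is not set explicitly
    types = {name: v.get("system settings", {}).get("vdom-type", "traffic")
             for name, v in cfg.get("vdom", {}).items()}
    if types.get("root") != "admin":
        return False, "root VDOM is %s; convert it to admin first" % types.get("root", "missing")
    traffic = sorted(n for n, t in types.items() if t == "traffic")
    if len(traffic) != 1:
        return False, "expected one traffic VDOM, found %d" % len(traffic)
    return True, "root is admin; traffic VDOM is %s" % traffic[0]
# Constructed sample: root left as a traffic VDOM (the failing case above)
ROOT_TRAFFIC = """config system global
    set vdom-mode multi-vdom
end
config vdom
    edit root
    next
    edit traffic
    next
end
"""
# Constructed sample: root converted to admin, so 'traffic' is the only traffic VDOM
ROOT_ADMIN = ROOT_TRAFFIC.replace("    edit root\n",
    "    edit root\n        config system settings\n            set vdom-type admin\n        end\n")
```

Run check_vdom_separation(parse_fortios(text)) on a full backup to see which precondition is missing before the second VDOM is created.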


Note: If the root VDOM remains configured as a Traffic VDOM and an attempt is made to create an additional VDOM, the operation fails because the single traffic VDOM entitlement is already consumed by root.

The following errors may be observed:

CLI:

Could not create VD, all VD licenses have been used.
Command fail. Return code -4

GUI:

Maximum number of entries has been reached.
Object set operator error, -4 discard the setting.


[Screenshot: GUI Error.png, showing the GUI error above]


Converting the root VDOM to Admin releases the traffic VDOM entitlement and allows the creation of a second Traffic VDOM.