FortiGate
Article Id 216679
Description This article describes the changes that were introduced in v7.2.0 on the Split-task VDOM mode.
Scope FortiGate v7.2.0 and above.
Solution

On FortiOS versions from 6.2.0 to 7.0.X, a FortiGate administrator could configure the firewall to act in split-task VDOM mode.

 

More information about this feature can be found in the KB article below:

Technical Tip: Configuring split-task VDOM mode With Fortinet Security Fabric

 

From FortiOS v7.2.0 GA onward, the split-task VDOM feature was removed and a new VDOM type named Admin was introduced. Important details regarding the new feature are:

 

  1. There can be two types of VDOMs:
    1. Admin type, which can only be used for management access.
    2. Traffic type, which is used for passing traffic through the firewall.

  2. Only one administrative VDOM can exist at a time.

  3. Upon upgrade to v7.2.0+ releases, if a FortiGate was configured in split-task VDOM mode, it will be automatically converted to multi-VDOM mode.
    1. The FortiGate-traffic VDOM will now become a Traffic VDOM.
    2. The root VDOM will now become an Admin-type VDOM.

 

To configure the VDOM feature in the CLI, multi-VDOM mode must be enabled first.

The following commands are used to enable multi-VDOM mode:

config system global
    set vdom-mode multi-vdom
end

 

You will be logged out for the operation to take effect.
Do you want to continue? (y/n)

 

Then, on the individual VDOM:

 

config vdom
    edit <Name_Of_The_VDOM>
        config system settings
            set vdom-type {traffic | admin}
        end
end

 

If there is an issue using all of the VDOMs allowed by the license information shown below, follow these steps.

get system status
Max number of virtual domains: 7 <-----
Virtual domains status: 6 in NAT mode, 0 in TP mode

 

The following debug commands can be used to check the error displayed:


diagnose debug reset
diagnose debug console timestamp ena
diagnose debug cli 8
diagnose debug application httpsd -1
diagnose debug enable

 

When it ends, use the following command to stop the debug:

 

diagnose debug disable

 

config global
    config system vdom
        edit "Test"
            set short-name "Test"
root vdom type must be admin to create new vdom. <-----
end
[httpsd 9289 - 1737536317 info] cmdb_save_with_children[280] -- appended main node (nret=-4, is_new=1)
[httpsd 9289 - 1737536317 error] cmdb_save_with_children[285] -- saving failed for main node: 'vdom' (err=-4)

[httpsd 9289 - 1737536317 error] cmdb_commit_from_json[2186] -- error saving request object to CLI (-4)
[httpsd 9289 - 1737536317 error] _api_cmdb_v2_config[1456] -- error editing object (nret=-4)
[httpsd 9289 - 1737536317 warning] api_return_http_result[1304] -- API error -4 raised

 

To resolve this issue, the 'root' VDOM must be the admin VDOM before another traffic VDOM can be added.

 

There is a special case where only one admin VDOM and one traffic VDOM can be configured.
FortiGate VMs with a one-VDOM license (S-series, V-series, FortiFlex) have a maximum of two VDOMs.

For example:

 

FGVMTAC (global) # diagnose debug vm-print-license
SerialNumber: FGVMSLTMXXXXXXXXX
CreateDate: Fri Oct 10 20:17:45 2025
License expires: Fri Sep 25 16:00:00 2026
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Signature: yes
Model: SL (18) <-----
CPU: 2 (subscription:2)
MEM: 2147483647
VDOM license: <-----
permanent: 2 <-----
subscription: 0

FGVMTAC # config vdom
FGVMTAC (vdom) # edit TEST
Could not create VD, all VD licenses have been used. <-----
Command fail. Return code -4


2025-11-13 18:03:01 0: config global
2025-11-13 18:03:01 0: config system vdom
2025-11-13 18:03:01 0: edit "Prueba"
2025-11-13 18:03:01 0: set short-name "Prueba"
2025-11-13 18:03:01 root vdom type must be admin to create new vdom. <-----
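
The counters from 'get system status' and the two failure messages quoted above can be checked together when triaging a failed VDOM creation. The following Python script is an added example, not Fortinet code and not part of the original article; the function names, cause labels and sample captures are assumptions, with the sample input constructed from lines shown on this page.

```python
import re

# Messages exactly as quoted in this article's CLI and debug output.
ROOT_NOT_ADMIN = "root vdom type must be admin to create new vdom."
NO_LICENSE = "Could not create VD, all VD licenses have been used."


def vdom_usage(status_text):
    """Return (max_vdoms, in_use) parsed from 'get system status' output."""
    limit = re.search(r"Max number of virtual domains:\s*(\d+)", status_text)
    used = re.search(
        r"Virtual domains status:\s*(\d+) in NAT mode,\s*(\d+) in TP mode",
        status_text)
    if not limit or not used:
        raise ValueError("VDOM counters not found in 'get system status' output")
    return int(limit.group(1)), int(used.group(1)) + int(used.group(2))


def triage(status_text, capture_text):
    """Explain a failed VDOM creation from the status and debug captures."""
    max_vdoms, in_use = vdom_usage(status_text)
    causes = []
    if ROOT_NOT_ADMIN in capture_text:
        # Per the article: root must be the admin VDOM before adding another.
        causes.append("root-not-admin")
    if NO_LICENSE in capture_text:
        causes.append("license-exhausted")
    if not causes and in_use >= max_vdoms:
        causes.append("at-capacity")  # hypothetical label: no message matched
    return {"max": max_vdoms, "in_use": in_use,
            "free": max_vdoms - in_use, "causes": causes}


# Constructed sample input, assembled from lines shown in this article
# (including the author's "<-----" annotation, which the parser ignores).
SAMPLE_STATUS = """Max number of virtual domains: 7 <-----
Virtual domains status: 6 in NAT mode, 0 in TP mode
"""
SAMPLE_CAPTURE = """config global
    config system vdom
        edit "Test"
            set short-name "Test"
root vdom type must be admin to create new vdom. <-----
"""

if __name__ == "__main__":
    # A free slot (7 max, 6 in use) yet creation fails: root is not admin type.
    print(triage(SAMPLE_STATUS, SAMPLE_CAPTURE))
```

A result with a free slot and the "root-not-admin" cause matches the first case in this article; "license-exhausted" matches the VM case, where 'diagnose debug vm-print-license' shows the VDOM license count.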

 

Related document:
FortiGate VM VDOM licenses - FortiGate 7.2.4 documentation