Description
This article provides steps to enable the usage of multiple VDOMs.
Scope
FortiGate, FortiProxy v7.2+.
Solution
The following commands are used to enable multiple VDOMs in different FortiOS versions.
In v5.6 and v6.0:
config sys global
set vdom-admin enable
end
In FortiOS versions 6.2, 6.4, and 7.0, there are two VDOM modes:
'split-vdom': split-task VDOM mode simplifies deployments that require only one management VDOM and one traffic VDOM.
The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.
The traffic VDOM provides separate security policies and is used to process all network traffic.
'multi-vdom': multiple, completely separate VDOMs are created.
Any VDOM can be the management VDOM, as long as it has internet access.
There are no 'inter-VDOM' links, and each VDOM is independently managed.
To enable 'multi-vdom':
config sys global
set vdom-mode multi-vdom
end
Enabling VDOM mode from the GUI in v7.4.x and higher:
Note: Take a configuration backup before making any changes.
Select OK to apply the changes. To verify, log in again.
To enable 'split-vdom':
config sys global
set vdom-mode split-vdom
end
In addition to the above, starting from version 6.4, it is also possible to enable the following setting to prevent accidentally creating VDOMs in the CLI:
config system global
set edit-vdom-prompt enable
end
This setting is disabled by default. Once enabled, when an administrator creates a new VDOM, the FortiGate displays a prompt to confirm before the VDOM is created.
config vdom
edit vdomtest1
The input VDOM name doesn't exist.
Do you want to create a new VDOM?
Press 'y' to continue, or press 'n' to cancel. (y/n)y
To revert to single-VDOM mode:
config system global
set vdom-mode no-vdom
end
To revert the VDOM mode from the GUI:
Under System -> Settings, scroll down to System Operations Settings and disable the Virtual Domains option, which switches the device back to normal mode. The change causes the current session to expire, so log in again.
Note:
FortiProxy versions below 7.0 do not support multi-VDOM configuration. To enable multi-VDOM configuration in FortiProxy version 7.2.x and above, run the following command:
config system global
set vdom-mode multi-vdom
end
Additional notes:
The above command, when used to enable multi-vdom on VM instances, must be typed manually from start to finish or copied and pasted into the CLI.
The command is not auto-completed by the Tab key, and it is not listed when '?' is entered after 'set'.
It also does not appear in the output of 'show full'.
Entering 'set vdom-mode ?' does display the available VDOM mode options.
Example for reference:
set vdom-mode ?
no-vdom Disable multiple VDOMs mode.
multi-vdom Enable multiple VDOMs mode.
In some cases, this option will not be available for VMs, because of the license required.
For more information regarding this behavior in VM instances, follow the steps in the article below:
Technical Tip: Default behaviour of the FG-VMxxV and FG-VMxxS series with multi-VDOM
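The following is an added example, not part of the original article or any Fortinet tooling: a Python check that reads a configuration backup and reports the VDOM mode, the VDOMs defined, and whether edit-vdom-prompt is enabled. The sample configuration is constructed, and the backup layout (a 'config vdom' list followed by 'config global'), the expected-VDOM list, and the function names are assumptions.

```python
# Added example: audit a config backup for the VDOM settings in this article.
SAMPLE = """\
config vdom
edit root
next
edit vdomtest1
next
end
config global
config system global
    set hostname "FGT-LAB"
    set vdom-mode multi-vdom
end
end
"""  # constructed sample, not taken from a real device

def parse(config_text):
    """Track config/end nesting; return (global settings, VDOM names)."""
    stack, settings, vdoms = [], {}, []
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack == ["vdom"] and len(tok) > 1:
            name = tok[1].strip('"')
            if name not in vdoms:
                vdoms.append(name)
        elif tok[0] == "set" and stack[-1:] == ["system global"] and len(tok) > 2:
            settings[tok[1]] = tok[2].strip('"')
    return settings, vdoms

def audit(config_text, expected_vdoms=("root",)):
    """Report VDOM mode, VDOM names, and findings for a reviewer."""
    settings, vdoms = parse(config_text)
    mode = settings.get("vdom-mode")
    if mode is None and settings.get("vdom-admin") == "enable":
        mode = "vdom-admin"  # v5.6/v6.0 syntax; edit-vdom-prompt needs 6.4+
    findings = []
    if mode is None:
        findings.append("vdom-mode not in file: confirm the mode on the device")
    # Assumption: an absent edit-vdom-prompt means the default (disabled).
    if mode == "multi-vdom" and settings.get("edit-vdom-prompt") != "enable":
        findings.append("edit-vdom-prompt not enabled: VDOMs are created without a prompt")
    findings += [f"unexpected VDOM: {v}" for v in vdoms if v not in expected_vdoms]
    return {"mode": mode or "unknown", "vdoms": vdoms, "findings": findings}
```

Calling audit(SAMPLE) flags both the missing prompt and the VDOM that is not on the expected list; pass expected_vdoms with the names that should exist on the device.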