Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pkumari
Staff
Staff

Created on ‎01-27-2025 01:13 AM Edited on ‎06-10-2025 07:18 AM By Moderator

Article Id 372701

Technical Tip: Impact of changing Management VDOM

Description

 

This article describes the impact of changing the management of VDOM.

The management VDOM is set by default to root.

 

Scope

 

FortiGate - all versions. Not available on FortiGate 6000F, 7000E, and 7000F series.

 

Solution

 

The management VDOM in Fortinet devices refers to a designated VDOM responsible for management-related services such as FortiGuard updates and local outbound traffic, like logs to remote servers, SNMP probing, NTP requests, etc. By default, the root VDOM serves as the management VDOM.

 

In the case of multiple VDOM configurations in FortiGate, it is essential to configure the correct management VDOM for the management-related traffic to work.

 

Configuration:

 

The management VDOM can be manually assigned from the GUI or the CLI.

Checking the current management VDOM:

 

config global
show full system global | grep management-vdom

 

Refer to the below article for the FortiGuard license update issue due to incorrect management VDOM: Technical Tip: Purpose of Management VDOM in the case of license/contract information.

 

To assign the management VDOM in the GUI:
In the Global VDOM, go to System -> VDOM.


Select the VDOM desired to be assigned as the management VDOM.

 

Select Switch Management and then OK.

 

To assign the management VDOM in the CLI:


config global
    config system global
        set management-vdom <vdom>
    end
end

 

  • Changing the management VDOM should be done in the maintenance window.
  • All the management traffic i.e., the box traffic (FortiGuard requests, NTP, DNS requests, logs, etc.), will be sourced by the interfaces in the new mgmt VDOM.
  • Verify the references for the management VDOMs and make the changes accordingly.
  • Management VDOM needs to have an internet connection.


The following services also use the management VDOM. Therefore, changing the management VDOM will have effects on the following services. If any of these services are configured, and the management VDOM is changed, verify that their corresponding source-ip is correct to ensure proper communication:

  • DNS lookups.
  • Logging to a FortiAnalyzer or Syslog.
  • FortiGuard service.
  • Sending alert emails.
  • Network Time Protocol traffic (NTP).
  • Sending SNMP traps.
  • Quarantining suspicious files and emails.

 

Note that on FortiGate 6000F, 7000E, and 7000F series, the default management VDOM is mgmt-vdom, and it cannot be changed:

FortiGate-6000 7.4.7 incompatibilities and limitations 

FortiGate 7000E 7.4.7 incompatibilities and limitations 

FortiGate 7000F 7.4.7 incompatibilities and limitations

FortiGate-7121F System Guide: Multi VDOM mode 

Labels:
1207
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.