
Security Rating, Interface Classification: What should be VDOM Links roles?

I have a 100F with 3 VDOMs. Each of them provides internet access to some separated internal subnets.

For management reasons, I do have VDOM Links configured with mostly SNMP, SSH and RDP traffic.


To satisfy one of the Security Rating questions (Interface Classification), I should assign a role to the VDOM Links. I can't do that in the interface configuration, like I do for "normal" interfaces.

For normal interfaces, I would see the differences between the interface roles. Not for VDOM Links.


For VDOM Links, I could only change the role in the Security Control via the Recommendations.



  • What is the best VDOM link role? LAN role or WAN role? I would guess LAN, but I am quite unsure.
  • What is the difference between LAN role and WAN role in case of the VDOM Link? Same as for any interface?
  • What is the best practice for VPN links? WAN role (if connecting to other businesses) or LAN role (if connecting sites of the same business)?
  • How "safe" is changing the interface role via the "Recommendations"? I have several interfaces with "Undefined" role (this is probably not good practice, I know; that's why I want to better this).







Hi Dan

Roles do not have any effect on the FortiGate. Setting the role means some GUI options are hidden, and it simplifies things from the GUI itself. I don't really set the role and I think it is safe to leave it at LAN (default) or undefined.


You can refer to for more information regarding role.
