FortiGate
nithincs
Staff
Article Id 193601

Description


This article provides steps to enable the usage of multiple VDOMs.

 

Scope

 

FortiGate.

Solution


The following commands enable multiple VDOMs in the different FortiOS versions.

In versions 5.6 and 6.0:

 

config sys global
    set vdom-admin enable
end

 

In FortiOS versions 6.2, 6.4 and 7.0, there are two VDOM modes.

'split-vdom': split-task VDOM mode simplifies deployments that require only one management VDOM and one traffic VDOM.
The management VDOM is used to manage the FortiGate, and cannot be used to process traffic.

The traffic VDOM provides separate security policies and is used to process all network traffic.

'multi-vdom': multiple, completely separate VDOMs are created.
Any VDOM can be the management VDOM, as long as it has internet access.

There are no 'inter-VDOM' links, and each VDOM is independently managed.

To enable 'multi-vdom':

 

config sys global
    set vdom-mode multi-vdom
end

 

To enable 'split-vdom':

 

config sys global
    set vdom-mode split-vdom
end

 

In addition, from version 6.4 onwards, the following setting can be enabled to prevent VDOMs from being created accidentally in the CLI:

 

config system global
    set edit-vdom-prompt enable
end

 

This setting is disabled by default. Once enabled, when an administrator creates a new VDOM, the FortiGate displays a prompt to confirm before the VDOM is created.

 

config vdom
    edit vdomtest1
The input VDOM name doesn't exist.
Do you want to create a new VDOM?
Press 'y' to continue, or press 'n' to cancel. (y/n)y

 

 

To revert to single-VDOM mode:

  • Make sure there are no interfaces assigned to any of the VDOMs (except the root VDOM)
  • Run the following command:

 

config system global
    set vdom-mode no-vdom
end
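As an added example (not part of the Fortinet article), the Python script below parses a FortiOS-style configuration backup, reports the vdom-mode / vdom-admin and edit-vdom-prompt settings, and lists any interfaces still assigned outside the root VDOM, which is the precondition the revert procedure above requires. The backup excerpt and the interface and VDOM names are constructed.

```python
# Added example (not from the Fortinet article): parse a FortiOS-style backup,
# report the VDOM settings and check the revert-to-single-VDOM precondition.
SAMPLE_BACKUP = """\
config system global
    set vdom-mode multi-vdom
    set edit-vdom-prompt enable
end
config system interface
    edit "port1"
        set vdom "root"
    next
    edit "port2"
        set vdom "vdomtest1"
    next
end
"""  # constructed sample, not a real device export

def parse_config(text):
    """Flatten config/edit/set/next/end into {table: {entry: {key: value}}}."""
    # Table-level settings use entry ''; sub-tables nested in an edit are not handled.
    tables, table, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[7:]
            tables.setdefault(table, {}).setdefault("", {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = ""
        elif line == "end":
            table, entry = None, ""
    return tables

def revert_check(text):
    """Return VDOM mode, prompt setting and the interfaces blocking 'set vdom-mode no-vdom'."""
    tables = parse_config(text)
    g = tables.get("system global", {}).get("", {})
    # 'set vdom-admin enable' is the FortiOS 5.6/6.0 way of enabling multiple VDOMs
    mode = "multi-vdom" if g.get("vdom-admin") == "enable" else g.get("vdom-mode", "no-vdom")
    ifaces = tables.get("system interface", {})
    blockers = sorted(n for n, s in ifaces.items() if n and s.get("vdom", "root") != "root")
    return {"vdom_mode": mode,
            "edit_vdom_prompt": g.get("edit-vdom-prompt", "disable"),
            "blocking_interfaces": blockers,
            "can_revert_to_no_vdom": not blockers}
```

Running revert_check(SAMPLE_BACKUP) reports port2 as still assigned to vdomtest1, so the revert would be refused until that interface is moved back to root.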

 

Note:

FortiProxy versions below 7.0 do not support multi-VDOM configuration. To enable multi-VDOM configuration on FortiProxy 7.2.x and above, run the following command:

 

config system global
    set vdom-mode multi-vdom
end

 

 

Additional Note:

On VM instances, the command above that enables multi-vdom must be typed in full or copy-pasted into the CLI. It is not completed by the Tab key, and it is not listed when '?' is entered after 'set'.

 

Entering 'set vdom-mode ?' does, however, list the available VDOM mode options.

 

Example for reference:

 

FGVM(global) # set vdom-mode
no-vdom Disable multiple VDOMs mode.
multi-vdom Enable multiple VDOMs mode.

 

In some cases this option is not available on VMs because of the license required.

For more information on this behavior on VM instances, see the article below:

Technical Tip: Default behaviour of the FG-VMxxV and FG-VMxxS series with multi-VDOM

 

Related documents:

Virtual Domains - FortiGate cookbook

VDOM configuration - FortiGate administration guide.