Overview:
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network.
There are two VDOM modes:
- Split-task VDOM mode: One VDOM is used only for management, and the other is used to manage traffic. See Split-task VDOM mode.
- Multi VDOM mode: Multiple VDOMs can be created and managed as independent units. See Multi VDOM mode.
By default, most FortiGate units support 10 VDOMs, and many FortiGate models support purchasing a license key to increase the maximum number. Global settings are configured outside of a VDOM. They effect the entire FortiGate, and include settings such as interfaces, firmware, DNS, some logging and sandboxing options, and others. Global settings should only be changed by top level administrators.
Split-task VDOM mode:
In split-task VDOM mode, the FortiGate has two VDOMs: the management VDOM (root) and the traffic VDOM (FG-traffic).
The Management VDOM is used to manage the FortiGate, and cannot be used to process traffic.
The Traffic VDOM provides separate security policies, and is used to process all network traffic.
|
The Management VDOM |
The Traffic VDOM |
The following GUI sections are available: |
- The Status dashboard
- Security Fabric topology and settings (read-only, except for HTTP Service settings)
- Interface and static route configuration
- FortiClient configuration
- Replacement messages
- Certificates
- System events
- Log and email alert settings
- Threat weight definitions
|
- The Status, Top Usage LAN/DMZ, and Security dashboards
- Security Fabric topology, settings (read-only, except for HTTP Service settings), and Fabric Connectors (SSO/Identity connectors only)
- FortiView
- Interface configuration
- Packet capture
- SD-WAN, SD-WAN Rules, and Performance SLA
- Static and policy routes
- RIP, OSPF, BGP, and Multicast
- Replacement messages
- Feature visibility
- Tags
- Certificates
- Policies and objects
- Security profiles
- VPNs
- User and device authentication
- Wifi and switch controller
- Logging
- Monitoring
|
* Please note: Split-task VDOM mode is not available on all FortiGate models. The Fortinet Security Fabric supports split-task VDOM mode.
Multi VDOM mode:
In multi VDOM mode, the FortiGate can have multiple VDOMs that function as independent units. One VDOM is used to manage global settings. The root VDOM cannot be deleted, and remains in the configuration even if it is not processing any traffic.
Multi VDOM mode isn’t available on all FortiGate models. The Fortinet Security Fabric does not support multi VDOM mode.
There are 3 types of Multi VDOM:
Independent VDOMs:
Multiple, completely separate VDOMs are created. Any VDOM can be the management VDOM, as long as it has Internet access. There are no inter-VDOM links, and each VDOM is independently managed.
Management VDOM:
A management VDOM is located between the other VDOMs and the Internet, and the other VDOMs connect to the management VDOM with inter-VDOM links. The management VDOM has complete control over Internet access, including the types of traffic that are allowed in both directions. This can improve security, as there is only one point of ingress and egress. There is no communication between the other VDOMs.
Meshed VDOMs:
VDOMs can communicate with inter-VDOM links. In full-mesh configurations, all the VDOMs are interconnected. In partial-mesh configurations, only some of the VDOMs are interconnected.
Switching VDOM modes:
Current VDOM mode |
New VDOM mode |
Rule |
No VDOM
|
Split-task VDOM
|
Allowed
|
Split-task VDOM
|
No VDOM
|
Allowed
|
No VDOM
|
Multi VDOM
|
Allowed only if the FortiGate is not a member of a Security Fabric.Configuring the root FortiGate and downstream FortiGates
|
Multi VDOM
|
No VDOM
|
Allowed
|
Split-task VDOM
|
Multi VDOM
|
Allowed only if the FortiGate is not a member of a Security Fabric.Configuring the root FortiGate and downstream FortiGates
|
Multi VDOM
|
Split-task VDOM
|
Not Allowed. User must first switch to No VDOM
|
Note: All performance values are “up to” and vary depending on system configuration. IPsec VPN performance is based on 512 byte UDP packets using AES-256+SHA1.
1. IPS performance is measured using 1 Mbyte HTTP and Enterprise Traffic Mix.
2. SSL Inspection is measured with IPS enabled and HTTP traffic, using TLS v1.2 with AES256-SHA.
3. Application Control performance is measured with 64 Kbytes HTTP traffic.
4. NGFW performance is measured with IPS and Application Control enabled, based on Enterprise Traffic Mix.
5. Threat Protection performance is measured with IPS and Application Control and Malware protection enabled, based on Enterprise Traffic Mix.
6. CAPWAP performance is based on 1444 byte UDP packets.
* Maximum loading on each PoE/+ port is 30 W (802.3at).