VDOM configuration


In this recipe, you use virtual domains (VDOMs) to provide Internet access for two different companies (called Company A and Company B) using a single FortiGate.

1. Enabling VDOMs and creating two VDOMs

To enable VDOMs, go to System > Settings. Under System Operation Settings, enable Virtual Domains.

Select OK to confirm the VDOM mode change. When the change is applied, you are logged out of the FortiGate.

Log back in. To edit global settings, select Global from the dropdown menu located in the top-left corner.

To create a new VDOM, go to System > VDOM and select Create New. Enter a name (VDOM-A).

Create a second VDOM, called VDOM-B.

2. Configuring dedicated management for the root VDOM

By default, root is the management VDOM. You use the management VDOM to access the global settings for the FortiGate as well as the settings for each VDOM.

To configure an interface to connect to the management VDOM, go to Global > Network > Interfaces and edit an interface (in the example, mgmt).

Enable Dedicated Management Port and add the management computers as Trusted Host.

Set Administrative Access to HTTPS, PING, and SSH.

3. Assigning interfaces to VDOMs

In this example, you assign two interfaces each to VDOM-A and VDOM-B: one for Internet access and one for use by the local network.

You can’t change the VDOM assignment if an interface is used in an existing FortiGate configuration. You may need to delete existing policies and routes in order to add a particular interface, as some FortiGate models have default configurations.

To assign an interface that provides VDOM-A with Internet access, go to Network > Interfaces and edit an interface (in the example, wan 1).

Set Virtual Domain to VDOM-A and Role to WAN.

Check if your ISP provides an IP address for you to use or if the ISP equipment uses DHCP to assign IP addresses.

If your ISP provides an IP address, set Addressing mode to Manual and set the IP/Network Mask to that IP address.

If your ISP equipment uses DHCP, set Addressing mode to DHCP to allow the equipment to assign an IP address to WAN1.

To assign an interface for the VDOM-A internal network, go to Network > Interfaces and edit the interface (in the example, port 1).

Set Virtual Domain to VDOM-A and Role to LAN.

Set Addressing Mode to Manual, assign an IP/Network Mask to the interface (in the example,, and set Administrative Access to HTTPS, PING, and SSH.

If you need to assign IP addresses to devices on your internal network, enable DHCP Server.

Repeat the above steps to assign interfaces to VDOM-B.

4. Creating per-VDOM administrators

Per-VDOM administrator accounts only allow administrative access to specific VDOMs. By creating per-VDOM administrators, you allow both Company A and Company B to manage their respective VDOMs without allowing access to settings for other VDOMs or the global settings.

To create a per-VDOM administrator for VDOM-A, go to System > Administrators and select Create New > Administrator.

Enter a Username and set Type to Local User. Enter and confirm a Password. Set Administrator Profile to prof_admin.

Remove the root VDOM from the Virtual Domains list and add VDOM-A.

Repeat the above steps to create a per-VDOM administrator for VDOM-B.

5. Configuring the VDOMs

Access VDOM-A using the dropdown menu located in the top-left corner.

To add a static route, go to Network > Static Routes and select Create New.

Set Destination to Subnet and leave the destination IP address set to

Set Gateway to the IP address provided by your ISP and Interface to the Internet-facing interface.

To create a new policy, go to Policy & Objects > IPv4 Policy and select Create New.

Set the Incoming Interface to port 1 and set the Outgoing Interface to wan 1.

Repeat the above steps to configure VDOM-B.

6. Configuring global security profiles for VDOMs

You can create two types of security profiles for VDOMs: per-VDOM profiles that are only available to a specific VDOM, and global security profiles which are available for use by multiple VDOMs. You can use both types of profiles for your configuration.

Global profiles are available for the following security features:

  • Antivirus
  • Application control
  • Data leak prevention
  • Intrusion prevention
  • Web filtering

Each security feature has at least one default global profile. Global profiles are identified by the “g-” at the beginning of the profile name.

Some security profile features, such as URL filters, are not available for use in a global profile.

To edit the default global web filter, go to Global > Security Profiles > Web Filter and edit g-default.

Right-click the Bandwidth Consuming category and select Block.

7. Results

Connect to VDOM-A and log in using the VDOM-A administrator account. Only the per-VDOM options are shown.

To view the default global web filter, go to Security Profiles > Web Filter and select g-default. The VDOM-A administrator can’t edit the profile.

To view a summary of the VDOM configuration, connect to the management VDOM and go to Global > System > VDOM.


For further reading, check out Virtual domains overview in the FortiOS 6.0 Online Help.

Victoria Martin

Victoria Martin

Technical Writer at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Victoria Martin

Latest posts by Victoria Martin (see all)

You must use either the prof_admin or a custom profile for per-VDOM administrators.