FortiGate VDOM Configuration — Multi-Tenant Firewall Design & CLI Guide

FortiGate Virtual Domains (VDOMs) let you partition a single physical firewall into multiple independent virtual firewalls — each with its own interfaces, routing table, firewall policies, VPN tunnels, and UTM profiles. Whether you're an MSSP serving multiple clients on one appliance, an enterprise segmenting departments for compliance, or a campus network isolating guest WiFi from production — VDOMs are how you do it on FortiGate. This guide covers everything from enabling VDOMs to NPU-accelerated inter-VDOM routing, with verified CLI commands from the official FortiOS 7.6 documentation.

What is a VDOM?

A VDOM is a logically independent FortiGate instance running on shared hardware. Each VDOM has:

• Its own interfaces (physical ports, VLANs, tunnels assigned exclusively)
• Its own routing table (static, OSPF, BGP, IS-IS — fully independent)
• Its own firewall policies (no cross-VDOM rule inheritance)
• Its own VPN tunnels (site-to-site IPsec, SSL VPN, ZTNA)
• Its own UTM/security profiles (IPS, AV, web filter, app control)
• Its own admin accounts (per-VDOM RBAC for delegated management)

VDOMs share the FortiGate's CPU, memory, and ASIC resources — but you can set per-VDOM resource limits to prevent any single VDOM from monopolizing the hardware.

VDOM Limits Per FortiGate Model

VDOM-UG licenses are stackable: default 10 + FG-VDOM-5-UG + FG-VDOM-15-UG = 30 VDOMs. Sources: Fortinet Community, Max Value Table

Step 1: Enable Multi-VDOM Mode

When you enable VDOMs, all existing configuration moves into the root VDOM. The root VDOM exists by default and cannot be deleted. FortiOS 7.2+ removed the old "split-task" mode — only multi-vdom is supported now.

VDOM Types (FortiOS 7.2+)

• Traffic VDOM — standard VDOM that processes network traffic. Default type for all VDOMs.
• Admin VDOM — management-only VDOM for SSH/HTTPS access. Cannot pass traffic. Only one admin VDOM per FortiGate. Useful for MSSP scenarios where management is completely isolated from customer traffic.

Step 2: Create VDOMs and Assign Interfaces

Key rule: Settings inside config global are shared (interfaces, HA, system settings). Settings inside config vdom > edit <name> are per-VDOM (routing, policies, VPN, UTM). Interfaces default to root VDOM until explicitly reassigned.

Step 3: Inter-VDOM Routing

VDOMs are isolated by default — no traffic flows between them. To enable controlled communication (e.g., customer VDOMs accessing the internet via root), you need inter-VDOM links. There are two types:

Software VDOM Link — CLI Configuration

NPU VDOM Link — CLI Configuration (NP7)

NPU VDOM link throughput with NP7: up to 200 Gbps multi-session, 100 Gbps single-session. Source: FortiOS 7.6.6 Hardware Acceleration Guide

Pro tip: Need to connect more than 2 VDOMs through a single NPU link pair? Create VLAN sub-interfaces on the NPU vlink interfaces. Each VLAN tag connects a different VDOM while retaining full hardware acceleration.

Step 4: Per-VDOM Resource Limits

By default, any VDOM can consume all resources of the entire FortiGate. In multi-tenant environments, this is a noisy-neighbor risk. Set per-VDOM resource limits to prevent one tenant from starving others:

Note: CPU and memory are NOT per-VDOM configurable. All VDOMs share system CPU and RAM. There is no CPU/memory pinning per VDOM in FortiOS. Resource limits only control object counts and session counts.

Step 5: Per-VDOM Admin Accounts

For MSSP or delegated management, create admin accounts restricted to specific VDOMs:

The custA-admin user can only see and manage the CustomerA VDOM. They cannot see root, other customer VDOMs, or global settings. This is essential for MSSP compliance — tenant isolation must extend to management access.

Design Patterns

VDOM vs Competitors

7 Common VDOM Mistakes

1. Forgetting to assign interfaces — New VDOMs have no interfaces until you explicitly assign them. Interfaces default to root.
2. Running diagnose sys session clear without a filter — This clears ALL sessions across ALL VDOMs. Always set diagnose sys session filter vd <index> first.
3. Inter-VDOM routing loops — Two VDOMs with default routes pointing at each other. Use asymmetric routing or policy-based routing to break the loop.
4. PPP vs Ethernet type mismatch — NAT-mode VDOM connecting to Transparent-mode VDOM requires Ethernet type, not the default PPP.
5. Missing inter-VDOM firewall policies — Traffic between VDOMs still needs explicit firewall policies on the link interfaces. Without them, traffic is implicitly denied.
6. MTU issues on VDOM links — Default MTU on software vdom-links may cause fragmentation. Verify with fnsysctl ifconfig <interface> and adjust.
7. No resource limits in multi-tenant — Without config system vdom-property, one tenant can exhaust all sessions/policies and impact everyone else.

Diagnostic Commands Quick Reference

FortiManager + VDOM: ADOM Integration

FortiManager uses ADOMs (Administrative Domains) to group managed devices — including multi-VDOM FortiGates. Key facts:

• Each policy package can be targeted to a specific VDOM on a managed FortiGate
• In Advanced ADOM mode, individual VDOMs from a multi-VDOM FortiGate can be assigned to separate ADOMs (requires super user)
• FortiManager can create VDOMs remotely and push configurations to them
• Best practice: one policy package per managed VDOM to reduce admin error

Source: FortiManager 6.2.1 — Assigning VDOMs to an ADOM

India Use Cases

Need Help with VDOM Design?

Ogma designs and deploys multi-VDOM FortiGate architectures for Indian enterprises — from single-appliance campus segmentation to multi-site MSSP platforms. Our NSE 4-7 certified engineers handle the full lifecycle: design, deployment, inter-VDOM routing, FortiManager integration, and ongoing management.

Email [email protected] or contact us for a VDOM architecture consultation.