The Problem VDOMs Solve
Most FortiGate boxes sitting in SMB environments are running in single-VDOM mode. The engineers who deployed them either didn’t know VDOMs were available or assumed it was an enterprise-only feature. It isn’t.
A FortiGate 60F or 100F supports up to 10 VDOMs out of the box, no additional license required. That’s enough to completely segment your network — corporate from guest, IoT from everything else — on hardware you already own.
This post covers exactly how to configure VDOMs on FortiOS 7.4. The environment is a FortiGate 100F, but the steps apply to any supported model. We’ll walk through enabling multi-VDOM mode, creating a second VDOM for guest and IoT traffic, assigning physical interfaces, building inter-VDOM links, and setting up routing on both sides.
Fair warning upfront: enabling VDOM mode drops every admin session (and on some builds the unit reboots). Do not do this during business hours on a production box without a change window, and take a configuration backup first.
What You’re Building
Real-world scenario: one FortiGate 100F, two logical firewalls.
- Root VDOM: handles corporate traffic — full UTM, SSL inspection, Entra ID SAML authentication
- Guest VDOM: handles guest and IoT traffic — basic web filtering, rate limiting, no access to corporate subnets
The Guest VDOM doesn’t have its own WAN connection. It reaches the internet through an inter-VDOM link into root, which then forwards traffic out the corporate WAN.
Step 1: Plan Your Interface Allocation Before You Touch Anything
This is the step people skip and then regret. Once a physical interface is assigned to a VDOM, it's gone from every other VDOM: a physical port belongs to exactly one VDOM. The one escape hatch is VLAN subinterfaces. A tagged trunk on a single port can carry several VLAN subinterfaces, and each of those can be placed in a different VDOM, which is how you share one trunk between root and Guest.
Before enabling VDOMs, write down:
- Which physical ports serve corporate traffic (stay in root)
- Which physical ports serve guest/IoT (move to Guest VDOM)
- Which port is your WAN (stays in root)
- Which port is your management interface (stays in root)
For this example:
- port1: WAN (root)
- port2: Corporate LAN (root)
- port3: Guest/IoT LAN (Guest VDOM)
If port3 currently has firewall policies, static routes, DHCP servers, zone memberships or address objects (with an associated interface) referencing it, remove those before you reassign it; otherwise the move fails with an "Object is in use" error.
Step 2: Enable Multi-VDOM Mode
You can do this in the GUI under System > Settings: toggle on Virtual Domains, then confirm. The unit logs you out (and on some builds reboots).
Or via CLI:
config system global
set vdom-mode multi-vdom
end
Your session drops after this command (on some builds the device reboots). When it comes back, your entire existing configuration is living inside the root VDOM. Nothing is lost, but your mental model has shifted: every interface, route and policy now belongs to a specific VDOM, and you are always operating either at the global level or inside one VDOM's context when making configuration changes.
Log back in. You’ll notice the GUI now shows a VDOM selector at the top. This is your signal that multi-VDOM mode is active.
Step 3: Create the Guest VDOM
GUI: Navigate to System > VDOM > Create New. Name it Guest. Set the VDOM type to Traffic. The Admin type is reserved for management-only VDOMs — you almost certainly want Traffic.
CLI:
config vdom
edit "Guest"
end
That’s it. The VDOM now exists. It has no interfaces, no routes, and no policies. You’ll build those next.
Step 4: Assign Physical Interfaces to VDOMs
Now you move port3 from root into the Guest VDOM.
GUI: Go to Network > Interfaces, edit port3, and change the Virtual Domain field to Guest.
CLI (make sure you're in the global context, not inside a VDOM; set vdom is only available there):
config system interface
edit "port3"
set vdom "Guest"
next
end
After this, if you navigate into the Guest VDOM context in the GUI, you’ll see port3 listed there. It no longer appears in root.
Assign port3 its IP address. You can add the ip and allowaccess lines to the same global config system interface block above, or do it from inside the Guest VDOM context as shown here. Note the second end: the first closes config system interface, the second leaves the VDOM context.
config vdom
edit "Guest"
config system interface
edit "port3"
set ip 192.168.100.1 255.255.255.0
set allowaccess ping
next
end
end
Step 5: Create the Inter-VDOM Link
The Guest VDOM needs internet access, but it doesn't have a WAN port. Traffic has to traverse from Guest into root, then exit through root's WAN.
Inter-VDOM links are virtual point-to-point interfaces. When you create one, FortiOS generates two interface endpoints named <link>0 and <link>1. Both endpoints start out in the root VDOM; you move one of them into Guest yourself. One naming rule to know before you type: vdom-link names are limited to 11 characters, because the endpoint interface names are derived from them. This example uses guestlink, which yields guestlink0 and guestlink1.
CLI (run from global context):
config system vdom-link
edit "guestlink"
set type ppp
next
end
Now, still in global context, place each endpoint in its VDOM and give it an address from a /30 that nothing else on the box uses:
config system interface
edit "guestlink0"
set vdom "root"
set ip 10.10.10.1 255.255.255.252
set allowaccess ping
next
edit "guestlink1"
set vdom "Guest"
set ip 10.10.10.2 255.255.255.252
set allowaccess ping
next
end
The ip and allowaccess lines can also be set later from inside the owning VDOM's context under config system interface, but set vdom only works from global, and until you run it guestlink1 is invisible from inside Guest.
Step 6: Configure Routing on Both VDOMs
Each VDOM maintains its own completely independent routing table. You need to configure routes in both.
Guest VDOM needs a default route pointing at the root end of the link (the trailing second end leaves the VDOM context again):
config vdom
edit "Guest"
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set gateway 10.10.10.1
set device "guestlink1"
next
end
end
Root VDOM needs a return route for the Guest subnet, so replies to guest traffic that is not NATed at the link find their way back across it. Pick a route ID that is free in root; edit 0 takes the next available one.
config vdom
edit "root"
config router static
edit 2
set dst 192.168.100.0 255.255.255.0
set gateway 10.10.10.2
set device "guestlink0"
next
end
end
Step 7: Create Firewall Policies on Both VDOMs
This is the part people miss. Traffic crossing an inter-VDOM link has to be explicitly permitted by firewall policies on both sides of the link; each VDOM applies its own implicit deny.
Guest VDOM: allow the Guest LAN to exit through the inter-VDOM link toward root. NAT stays off on this side. NAT once, at the WAN edge, so that root still sees the real guest source addresses in its logs and the return route from Step 6 is actually used; with NAT on both sides, every guest host shows up in root as 10.10.10.2.
config vdom
edit "Guest"
config firewall policy
edit 1
set name "Guest-to-Root"
set srcintf "port3"
set dstintf "guestlink1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end
end
Root VDOM: allow traffic arriving from the Guest end of the link to exit through WAN, with source NAT to the WAN address. Because dstintf is port1 and nothing else, there is no policy from guestlink0 toward port2, so guest-to-corporate traffic hits root's implicit deny. That absence is what enforces the "no access to corporate subnets" requirement; never widen dstintf or add a second policy on guestlink0 without re-checking it.
config vdom
edit "root"
config firewall policy
edit 10
set name "GuestVDOM-to-WAN"
set srcintf "guestlink0"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
set logtraffic all
next
end
end
Tightening srcaddr on the root-side policy from all to an address object for 192.168.100.0/24 is worth the extra object: it stops anything else that later lands in the Guest VDOM from riding the same egress policy. Apply the guest web-filter and traffic-shaping profiles on one side only. The Guest-side policy is the natural home, since that VDOM's administrators own it, but either side works because UTM licensing is per device, not per VDOM.
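The mistakes above (a policy missing on one side of the link, NAT on both sides, an endpoint left in root, or a root-side policy that lets the link reach something other than WAN) are all visible in a config backup, so they can be checked before a change window rather than discovered with a sniffer afterwards. The following Python audit is an added example written for this post, not Fortinet tooling or the page's own configuration: it parses the config/edit/set/next/end text that show and backup files produce and reports those four conditions. The embedded SAMPLE_CONFIG is constructed to mirror this build with the link named guestlink, plus two deliberate mistakes (an extra root policy from the link into port2, and NAT on both sides) so the audit has something to report; the interface names, the single-WAN assumption passed as wan_ifaces, and the finding wording are the example's own.

```python
"""Audit a FortiOS config backup for the inter-VDOM mistakes this post warns about.
Added example for this post, not Fortinet code. It reads the config/edit/set/next/end
text that 'show' and backup files use; SAMPLE_CONFIG is constructed, with two deliberate bugs."""
import shlex

SAMPLE_CONFIG = """\
config global
config system interface
    edit "port1"
        set vdom "root"
    next
    edit "guestlink0"
        set vdom "root"
    next
    edit "guestlink1"
        set vdom "Guest"
    next
end
config system vdom-link
    edit "guestlink"
    next
end
end
config vdom
edit Guest
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "guestlink1"
        set action accept
        set nat enable
    next
end
next
end
config vdom
edit root
config firewall policy
    edit 10
        set srcintf "guestlink0"
        set dstintf "port1"
        set action accept
        set nat enable
    next
    edit 11
        set srcintf "guestlink0"
        set dstintf "port2"
        set action accept
    next
end
next
end
"""

def parse(text):
    """Build nested dicts, node = {"set": {...}, "sub": {...}}; 'config' and 'edit' both nest."""
    root = {"set": {}, "sub": {}}
    stack = [root]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1]["sub"].setdefault(" ".join(tok[1:]), {"set": {}, "sub": {}}))
        elif tok[0] == "set":
            stack[-1]["set"][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def accept_policies(cfg, vdom, iface):
    """(id, attrs) of accept policies in one VDOM that name iface as source or destination."""
    vd = cfg["sub"].get("vdom", {"sub": {}})["sub"].get(vdom, {"sub": {}})
    table = vd["sub"].get("firewall policy", {"sub": {}})["sub"]
    return [(pid, n["set"]) for pid, n in table.items() if n["set"].get("action") == ["accept"]
            and iface in n["set"].get("srcintf", []) + n["set"].get("dstintf", [])]

def audit(text, wan_ifaces):
    """Return findings as strings; an empty list means the link is wired as Steps 5-7 intend."""
    cfg = parse(text)
    glob = cfg["sub"]["global"]["sub"]
    # An interface with no 'set vdom' line belongs to root, the FortiOS default.
    iface_vdom = {n: d["set"].get("vdom", ["root"])[0] for n, d in glob["system interface"]["sub"].items()}
    upstream = {iface_vdom.get(w, "root") for w in wan_ifaces}  # VDOM(s) that own the WAN
    findings = []
    for link in glob.get("system vdom-link", {"sub": {}})["sub"]:
        ends = [(e, iface_vdom.get(e, "root")) for e in (link + "0", link + "1")]
        if ends[0][1] == ends[1][1]:
            findings.append(f"{link}: both ends sit in VDOM {ends[0][1]}; move one with 'set vdom'")
        nat_sides = 0
        for end, vdom in ends:
            hits = accept_policies(cfg, vdom, end)
            if not hits:
                findings.append(f"{vdom}: no accept policy touches {end}; implicit deny drops link traffic")
            nat_sides += any(a.get("nat") == ["enable"] for _, a in hits)
            for pid, a in hits:  # on the WAN-owning side the link may lead to WAN and nowhere else
                if vdom in upstream and end in a.get("srcintf", []) and not set(a.get("dstintf", [])) <= set(wan_ifaces):
                    findings.append(f"{vdom}: policy {pid} lets {end} reach {' '.join(a['dstintf'])}, not only WAN")
        if nat_sides > 1:
            findings.append(f"{link}: NAT on both sides of the link (double NAT); NAT once, in the WAN policy")
    return findings
```

Run it against a backup with audit(open("backup.conf").read(), {"port1"}); on SAMPLE_CONFIG it reports the port2 leak in root policy 11 and the double NAT, and nothing once those two lines are fixed. The parser treats config and edit identically as nesting, which is enough for this check but ignores unset and multi-line values; it is an audit aid, not a full FortiOS config parser.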
Step 8: Verify the Configuration
Check all VDOMs and their operational status:
diagnose sys vd list
This lists every VDOM with its index and whether it is enabled. If a VDOM isn't showing traffic, start here and confirm it exists and is enabled.
Verify interfaces from inside a VDOM context:
config vdom
edit "Guest"
get system interface
Check the routing table for a specific VDOM:
config vdom
edit "Guest"
get router info routing-table all
Test connectivity from the Guest VDOM:
config vdom
edit "Guest"
execute ping 8.8.8.8
Troubleshooting Common Errors
Error: “Object already exists” or “Object is in use” when reassigning an interface
The interface has firewall policies, static routes, DHCP servers, zone memberships or address objects (with an associated interface) referencing it. You cannot reassign it until those are removed. Go into the VDOM that currently owns the interface, delete any policies that reference it, remove any static routes using it, disable any DHCP servers on it, and take it out of any zone. Then retry the reassignment.
Error: “Maximum number of VDOMs reached”
You’ve hit the VDOM limit for your model or license. Verify your current count and license with:
get system status
Look for the Virtual domain configuration and Max number of virtual domains lines in the output. FortiGate 60F and 100F both support 10 VDOMs on the base license. If you need more, you need a VDOM license add-on; verify availability for your specific model on the Fortinet datasheet before quoting a client.
Inter-VDOM traffic not passing despite correct policies
First verify the link endpoints exist, are up, and sit in the VDOMs you expect. A newly created link leaves both endpoints in root until you set vdom on one of them, and that is a common cause.
diagnose sys vd list
get system interface
Then confirm policies exist in both VDOMs: one in Guest permitting traffic out toward the link, one in root permitting traffic from the link toward WAN. A missing policy on either side is dropped by that VDOM's implicit deny, silently unless you log denied traffic. The quickest way to find which side is dropping is the flow debugger, run from inside the VDOM you suspect (the filter and the trace are both per VDOM):
config vdom
edit "Guest"
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow trace start 10
diagnose debug enable
The trace names the policy ID that matched, or reports the drop reason; "Denied by forward policy check (policy 0)" means no policy in that VDOM matched. Turn it off with diagnose debug disable and diagnose debug flow trace stop when you're done. To see the packets themselves, sniff on any at verbosity 4 so each line carries the interface it was seen on, and run it in each VDOM context in turn:
diagnose sniffer packet any "icmp" 4 10
Commands not applying — configuration changes seem to have no effect
You're almost certainly in the wrong context. A global administrator who logs in to a multi-VDOM FortiGate lands at the top level, where only config global and config vdom are available; VDOM-scoped commands such as config firewall policy return a parse error there. An administrator assigned to a single VDOM lands directly inside that VDOM instead. If you're trying to configure the Guest VDOM, switch context first:
config vdom
edit "Guest"
Now any config commands you run apply to Guest, and the prompt changes to hostname (Guest) # to remind you. The commands that exist at both levels, config system interface among them, are the dangerous ones: inside Guest they only see Guest's interfaces. It's easy to forget this, especially when working quickly.
GUI shows no interfaces in a newly created VDOM
This is expected. A new VDOM has no interfaces until you explicitly assign them. Go to Network > Interfaces in the global view and reassign the appropriate ports to your new VDOM.
FAQ
What is a VDOM on FortiGate?
A VDOM (Virtual Domain) is a logical partition on a FortiGate that functions as an independent firewall instance. Each VDOM has its own interfaces, routing table, firewall policies, UTM profiles, and administrators. From a traffic perspective, VDOMs on the same physical box behave like completely separate firewalls. The primary use case is network segmentation — running isolated security domains on shared hardware.
How many VDOMs does FortiGate support?
It depends on the model. FortiGate 60F and 100F both support up to 10 VDOMs with the base license. Higher-end models support more. If you need to exceed the base limit on any model, Fortinet offers VDOM license upgrades. Always check the current datasheet for your specific model and FortiOS version — these limits can change across hardware revisions. Verify your current allowance with get system status.
How to enable VDOM on FortiGate?
Via CLI:
config system global
set vdom-mode multi-vdom
end
Via GUI: System > Settings, toggle on Virtual Domains. Either method drops every admin session (and on some builds reboots the unit). Your existing configuration moves into the root VDOM automatically. Schedule this during a maintenance window on production devices.
What is the difference between VDOM and VLAN on FortiGate?
They solve different problems. A VLAN is a Layer 2 segmentation mechanism: it separates broadcast domains on physical switches and can be trunked to firewall subinterfaces. A VDOM is a full logical firewall instance with its own routing table, security policies, administrator accounts, and UTM configuration. You can run VLANs inside a VDOM, and different VDOMs can each have their own VLANs. A VLAN subinterface does not even have to live in the same VDOM as its parent port: the subinterfaces on one trunk can be spread across VDOMs, which is the usual way to share a single physical uplink between them. VDOMs are about administrative and security isolation at the firewall level. VLANs are about network segmentation at Layer 2.
How to configure inter-VDOM routing on FortiGate?
Create a vdom-link under config system vdom-link. This generates two virtual interface endpoints. Assign IP addresses to each end inside their respective VDOM contexts. Add a default route in the downstream VDOM pointing to the upstream end of the link. Add a return route in the upstream VDOM for the downstream subnet. Create firewall policies in both VDOMs explicitly permitting the traffic. All steps are covered in detail in Steps 5 through 7 above.
Can you use VDOMs on FortiGate 60F?
Yes. The FortiGate 60F supports up to 10 VDOMs with the base license under FortiOS 7.4. No additional license is required to get started. The 60F is a legitimate option for small-site VDOM deployments. Just be aware of the inter-VDOM link throughput — virtual interfaces don’t have dedicated hardware paths. For a guest/IoT segmentation use case with moderate traffic, it performs fine in practice.
How to switch between VDOMs in FortiGate CLI?
From any point in the CLI:
config vdom
edit "Guest"
To return to the global context:
end
To verify which VDOM context you're currently in, look at your CLI prompt: it shows hostname (Guest) # inside a VDOM, hostname (global) # under config global, and the bare hostname at the top level. You can also run diagnose sys vd list to see all VDOMs. Remember: a global administrator starts at the top level, where VDOM-scoped commands are not available until you enter a VDOM, and an administrator assigned to a single VDOM starts inside that VDOM.
Conclusion
VDOMs are one of the most practical ways to extend the value of a FortiGate you already own. The configuration is not complex once you understand the mental model — separate routing tables, separate policy sets, inter-VDOM links as virtual cables between them.
The three things that trip people up most often: forgetting to plan interface allocation before enabling VDOM mode, missing the firewall policy requirement on both sides of an inter-VDOM link, and accidentally running CLI commands in the wrong VDOM context.
Get the planning right upfront and the rest follows logically.
Two adjacent posts on this site that come up most often after a multi-VDOM build: FortiGate IPsec Site-to-Site VPN to Cisco ASA on FortiOS 7.4 for building per-VDOM tunnels (each VDOM keeps its own phase1-interface and routing), and FortiGate Admin Password Reset on FortiOS 7.6 for the recovery path — admin reset on multi-VDOM boxes still happens at the global level, but knowing the maintainer-account window matters more once a single device is hosting several logical firewalls. The full FortiGate curated path lives in the FortiGate Field Guide.
