What are FortiGate VDOMs and why are they useful?

A quick high-level review of the VDOM feature


I'll keep this post short and to the point 😄. The term VDOM stands for "Virtual Domain", and it's a feature that divides a single FortiGate firewall into separate logical units (domains), each administered and operated as if it were its own firewall. This allows for deeper and more comprehensive separation than zones or policies alone.

Each VDOM has its own interfaces, firewall policies, objects and routing table. By default, VDOMs don't communicate with one another at all; traffic only crosses between them if you explicitly create an inter-VDOM link and write policies on both sides. Because the routing tables are independent, you can have interfaces in different VDOMs using the exact same IP address and subnet without them conflicting (handy when two tenants both use 10.0.0.0/24). Keep in mind, though, that VDOMs are logical separation on one operating system and one management plane, not separate appliances: a global super_admin account, a firmware bug or resource exhaustion on the box affects every VDOM.

💡
It's worth noting that this type of feature is not unique to Fortinet. Other firewall vendors have similar mechanics (e.g. Palo Alto Networks has "Virtual Systems" (vsys), Juniper has "Logical Systems" (LSYS), etc.).

There are many reasons why someone might want to use this feature. Here are a few possibilities:

  • Multi-Tenancy for Service Providers - If you're hosting a beefy firewall in a data center for multiple customers, it's important that those environments have complete isolation. Admin accounts can also be scoped to a single VDOM, so a customer can manage their own policies without seeing (or touching) anyone else's.
  • Security Zones and Network Segmentation - It's good practice to have strong isolation between environments that don't need to overlap. For example, if you have a guest wireless network that only needs outbound internet access, it's worth keeping it off the internal employee network entirely rather than relying on a single policy to keep them apart.
  • Testing and Development - It's probably not a good idea to test things in production 😄. Having a completely isolated VDOM for testing/pre-production contains accidental mistakes (a bad policy or route in the test VDOM can't affect production traffic).
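To make the separation described above concrete, here is an added example (not from the original post or from Fortinet's documentation) of a two-tenant VDOM layout entered from the FortiGate CLI. It assumes FortiOS 6.2 or later, a freshly provisioned unit with physical ports port1 through port4, and made-up names (tenantA, tenantB, the admin account alice and the addressing); adjust them to your own environment.

```fortios
# Added example, not from the original post. Assumptions: FortiOS 6.2+,
# fresh unit, ports port1-port4, made-up names tenantA/tenantB/alice.

# 1. Switch the unit to multi-VDOM mode (you will be logged out afterwards).
#    Releases before 6.2 used "set vdom-admin enable" instead of vdom-mode.
config system global
    set vdom-mode multi-vdom
end

# 2. Create the two virtual domains. Anything not moved stays in "root".
config vdom
    edit tenantA
    next
    edit tenantB
    next
end

# 3. Assign interfaces. An interface belongs to exactly one VDOM.
#    port3 and port4 get the SAME inside address; this is legal because
#    each VDOM keeps its own routing table.
config global
config system interface
    edit "port1"
        set vdom "tenantA"
        set ip 203.0.113.10 255.255.255.0
    next
    edit "port3"
        set vdom "tenantA"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
    edit "port2"
        set vdom "tenantB"
        set ip 198.51.100.10 255.255.255.0
    next
    edit "port4"
        set vdom "tenantB"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping
    next
end
end

# 4. Per-VDOM routing and policy for tenantA (mirror it for tenantB).
#    None of this is visible from tenantB, and with no vdom-link configured
#    the two VDOMs cannot forward traffic to each other at all.
config vdom
edit tenantA
config router static
    edit 1
        set gateway 203.0.113.1
        set device "port1"
    next
end
config firewall policy
    edit 1
        set name "tenantA-outbound"
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
next
end

# 5. Scope a tenant admin to its own VDOM. "alice" can only log in to tenantA
#    and never sees tenantB or global settings. prof_admin is a built-in
#    profile; the password is a placeholder to replace.
config global
config system admin
    edit "alice"
        set password ChangeMe-Example-1
        set accprofile "prof_admin"
        set vdom "tenantA"
    next
end
end

# 6. Verify: list the VDOMs from global, then inspect tenantA's routes.
config global
diagnose sys vd list
end
config vdom
edit tenantA
get router info routing-table all
next
end
```

Two things to watch when doing this on a real unit: an interface that is still referenced by a policy, route or DHCP server in its current VDOM cannot be moved until those references are removed, and the isolation in step 4 is only as good as your discipline about inter-VDOM links. If you later add a `config system vdom-link` between tenantA and tenantB, the link is just another pair of interfaces, so you still need an explicit firewall policy in each VDOM before any traffic crosses.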

For more information, check out the following links.

VDOM overview | Administration Guide
Virtual Systems Overview
Logical Systems and Tenant Systems Overview | Junos OS | Juniper Networks