cyber-101

What is split-task VDOM mode on FortiGates?

Examining a nifty feature for separating management functions.

Mike Berggren

25 Jul 2025 — 3 min read

💡

This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

In earlier articles, we've chatted briefly about FortiGate Virtual Domains (VDOMs) and how they can be used to essentially divide up a firewall into separate virtual firewalls that operate distinct from one another. In a traditional VDOM setup (where you just enable VDOMs), each VDOM can perform both management and traffic processing tasks. Sometimes that approach makes sense (especially for fairly small/simple deployments)... for other times though, admins may want to logically separate the management plan functions from data plane functions. That's where the option for Split-Task VDOM mode comes in.

Split-Task VDOM mode (sometimes referred to as just "Split VDOM mode") is a configuration option on FortGates that allow the firewall to separate management plane functions from data plane functions. Basically when you enable this mode, the FortiGate creates (or designates) two types of VDOMs:

Management VDOM (often called the root VDOM)
- This is dedicated to handling all management-related tasks for the entire FortiGate unit.
- This includes functions such as:
  - GUI and CLI access
  - Logging and reporting
  - Firmware upgrades
  - FortiGuard updates
  - SNMP, NTP, DNS for the FortiGate itself
Traffic VDOM(s) (often called fg-traffic or custom names).
- These VDOMs are exclusively dedicated to processing user data traffic and applying security policies.
- This includes functions such as:
  - Firewall policies
  - Routing
  - Security profiles
  - VPN tunnels
  - SD-WAN
  - Etc etc.

So you might be thinking: Mike, this seems unnecessarily complex... why would you want management stuff to be separate? There's are a few reasons:

Enhanced Security - Isolating control plane from the rest of the data plane traffic helps to reduce the attack surface (because less services are running on the user data-facing interfaces).
Improved stability and performance - Having management tasks (e.g. console authentication, config changes, etc) separated off and using dedicated CPU/memory resource further reduces impact from heavy network utilization. Note that the reverse mindset is also true: in this model, some resources would always be reserved for management (even if you didn't need it).
Logically-aligned troubleshooting - This one is a bit subjective, but in theory, having all management plane activities happening within a common VDOM can help with diagnosing and troubleshooting.

Note that I said "logically aligned" for point #3, because I'm trying to avoid using the word "simple". This whole feature is really intended for larger, more complex deployments or environments that have strict security needs. Smaller deployments might not gain significant benefits to justify deploying this way.

Sound interesting? Check out these resources for more details: