TTechclick All lessons
Fortinet · FortiGate · VDOMs (Multi-Tenancy)🔥 ~40% interview hit · #10 frequency · MSP / senior drillInteractive · L2 / L3 / MSP

FortiGate VDOMs and Multi-Tenancy — Split-Task, Inter-VDOM Links and MSP Patterns in 11 Minutes

One physical FortiGate, twelve customer tenants, zero blast-radius. That's the VDOM promise — and the round in Indian enterprises, MSPs, and banking + fintech IT teams senior interviews where most L1s freeze. Inter-VDOM link NPU offload, admin scope, resource quotas, the silent FortiGuard-routing trap — this blog gets you to the L3 answer.

📅 2026-05-26 · ⏱ 11 min · 5 SVG infographics · 2 packet visualizers · 🏷 10-Q Bloom-tiered assessment + AI Tutor

Pick your path — jump to your weak spot

1

VDOM modes basics

Single, split-task and multi-VDOM — what each one actually does + when to pick which.

 2

Inter-VDOM links

Software vs NPU-accelerated, when offload kicks in, why pairs are mandatory.

 3

Multi-tenancy security

Admin scopes, overlapping IPs, resource quotas, the FortiJump ADOM lesson.

 4

MSP scale patterns

12-customer FortiGate-200F pair, license uplift, the route-from-customer trap.

Why this matters — the office-building rule

Picture a six-floor office building in Hinjewadi, Pune. Same address (one physical FortiGate). Different floors house different companies — floor 2 is a bank, floor 3 a retail chain, floor 4 an insurance broker. Each tenant has its own door (interfaces), its own lift (routing table), its own keys (admin scope), and the ground-floor lobby (the management VDOM) handles shared utilities — internet uplink, FortiGuard updates, monitoring. VDOMs are that office building, made out of firewall.

Get this metaphor and the next 11 minutes are easy. Miss it and an MSP interview at an Indian enterprise, an Indian IT services firm, an Indian IT services firm, an Indian MSP or an Indian security firm ends in the first 90 seconds — because their entire managed-security business runs on shared FortiGate iron.

Scenario · Anil — MSP architect serving 12 customer VDOMs (MSP architect)

Anil runs the Managed Security pod for an an MSP serving 12 customer VDOMs client. One FortiGate-200F HA pair hosts 12 customer tenants — a banking client, a retail chain, an insurance broker, plus 9 mid-sized SMBs. Each tenant insists on its own SOC dashboard, its own internet break-out, zero visibility into the others.

The client's compliance auditor walks in. Question one: "Can a junior engineer accidentally see banking customer logs while troubleshooting the retail tenant?" Anil's answer hinges on three things — VDOM admin scope, inter-VDOM link isolation, and resource quotas. We'll walk through exactly how he answers all three.

FortiGate-200F multi-VDOM architecture — one box, four tenants Single physical FortiGate-200F divided into four logical Virtual Domains. The mgmt VDOM (root) owns the wan1 internet uplink and FortiGuard. Customer-A (banking, 10.71.1.0/24), Customer-B (retail, 10.72.1.0/24), and Customer-C (insurance, 10.73.1.0/24) each have their own VLAN sub-interfaces and routing tables. Inter-VDOM links connect each customer to mgmt for internet egress and FortiGuard. FortiGate-200F · multi-VDOM · Anil's MSP fleet (12 customers) Physical FortiGate-200F (HA pair) mgmt VDOM (root) wan1: 203.0.113.60/29 · default route · FortiGuard · MSP SSH-jumphost accprofile: super_admin · owns global config Customer-A · Banking VLAN 71 on port5 10.71.1.0/24 policies, NAT, IPS, SSL VPN profile VDOM admin: bank_l1 scoped read/write Customer-B · Retail VLAN 72 on port5 10.72.1.0/24 policies, NAT, AppCtrl, WebFilter VDOM admin: retail_l1 scoped read/write Customer-C · Insurance VLAN 73 on port5 10.73.1.0/24 policies, NAT, DLP, SSL inspection VDOM admin: ins_l1 scoped read/write inter-VDOM link inter-VDOM link inter-VDOM link Shared physical interfaces: wan1 (Internet · mgmt VDOM only) · port5 (LAN trunk · VLAN 71/72/73 sub-ints split per VDOM) · ha1/ha2 (HA sync) One box. Four routing tables. Four policy sets. Three customer admins who can't see each other's logs. All customer internet egress flows up through inter-VDOM links into mgmt → wan1.
Figure 1. Anil's multi-tenant FortiGate-200F. The mgmt VDOM owns the public uplink and FortiGuard licensing. Each customer VDOM is a fully separate firewall — own interfaces, own routes, own admins. Inter-VDOM links (dashed green) carry traffic between them.

The three modes — what your interviewer is testing

FortiOS gives you three operating modes, set globally per device. Single VDOM is the default — one implicit `root` VDOM, no multi-tenant separation. Split-task VDOM mode locks the box into exactly two VDOMs — `root` (management-only, no traffic processing) and `FG-traffic` (production policies). It's a security-hardening play, not a multi-tenant play. Multi-VDOM mode is what Anil uses — up to 10 VDOMs free on FortiGate-200F, more with a license uplift, each a complete virtual firewall.

🏢
VDOM
tap to flip

Virtual Domain — full firewall inside the box. Own interfaces, routes, policies, NAT, admins, resource quota. Default root is the first VDOM on every device.

🛗
Mgmt VDOM
tap to flip

The lobby — VDOM that owns the FortiGuard licensing pull, NTP, SNMP, log forwarding. Set once globally with set management-vdom <name>. Defaults to root.

⚖️
Split-task
tap to flip

2-VDOM mode: root handles mgmt only (no traffic), FG-traffic handles all production policies. Cleanly separates device admin from policy admin. Hardening pattern.

🔗
Inter-VDOM link
tap to flip

A virtual point-to-point cable between two VDOMs. Created as a pair (one end in VDOM-A, the other in mgmt). Traffic flows through it like a physical inter-router link — including a normal policy lookup at each end.

🔑
VDOM admin scope
tap to flip

An admin user can be tied to one or more VDOMs via accprofile. A scoped VDOM admin cannot see global settings — common interview trap. Only a super_admin in mgmt VDOM sees everything.

📊
Resource quota
tap to flip

Per-VDOM CAP (not reserve) on sessions, dial-up users, policies, addresses, IPsec tunnels, etc. Limits worst-case impact one noisy tenant has on the rest. Caps are ceilings, not guarantees.

Watch a packet hop across an inter-VDOM link

This is where most candidates get tripped. The interviewer says: "User on Customer-A wants google.com — walk me through the packet path." The right answer names two policy lookups, two routing decisions, and one NAT — all inside the same box. The infographic below summarises the 5 hops as boxes — the visualizer underneath steps through each with narration.

Inter-VDOM packet flow — Customer-A 10.71.1.50 reaches internet via mgmt VDOM Linear left-to-right flow of five boxes. Box 1: Customer-A user 10.71.1.50 wanting internet. Box 2: routing inside Customer-A VDOM directs packet to inter-VDOM link. Box 3: traffic enters mgmt VDOM via the link. Box 4: mgmt VDOM applies SNAT translating source IP. Box 5: packet egresses wan1 toward Google. Inter-VDOM-link packet path · Customer-A user → Internet via mgmt VDOM ① User in cust-a 10.71.1.50 wants 142.250.183.78 (Google · port 443) VLAN 71 on port5 ② cust-a routing default route in cust-a VDOM points to cust-a-vlink1 policy lookup #1 ③ Inter-VDOM link cust-a-vlink1 (cust-a) ↕ wire ↕ cust-a-vlink0 (mgmt) VDOM context flips ④ mgmt VDOM NAT policy lookup #2 SNAT src 10.71.1.50 → 203.0.113.62 via mgmt-public pool ⑤ Egress wan1 leaves wan1 toward 203.0.113.57 (ISP GW) FORWARD ✓ Senior-interview rule: count the policy lookups. Inter-VDOM-link traffic ALWAYS hits two policy lookups — one in source VDOM, one in destination VDOM — because each VDOM is its own firewall. Forget either policy and packets die mid-flight.
Figure 2. The five hops a packet takes when a Customer-A user reaches the internet via mgmt VDOM. Two policy lookups, one NAT — both VDOMs need an explicit allow for the inter-VDOM link traffic.
Visualizer · Customer-A user reaches the internet

5 stages — see how the packet enters Customer-A VDOM, crosses the inter-VDOM link, hits mgmt VDOM, gets NAT'd, and egresses wan1.

Stage 1 · Ingress Packet arrives on port5.71 (VLAN 71). VDOM context = Customer-A.
src=10.71.1.50 dst=142.250.183.78 (Google)
Stage 2 · Routing in Customer-A Default route in Customer-A VDOM points to inter-VDOM link v-cust-a0.
Stage 3 · Inter-VDOM link · policy lookup #1 Customer-A policy "allow cust-a internal → mgmt-link · srvc ALL · nat enable" matches.
NAT pool here would be local — but Anil chose to NAT at mgmt instead. Action: ACCEPT no NAT.
Stage 4 · Enter mgmt VDOM · policy lookup #2 VDOM switches. mgmt VDOM policy "allow link-from-cust-a → wan1 · srvc ALL · nat enable, IP-pool mgmt-public" matches.
src=10.71.1.50 → 203.0.113.62 (SNAT on mgmt-public)
Stage 5 · Egress wan1 Packet leaves wan1 toward Google. Return traffic walks the reverse path — session table in BOTH VDOMs carries state.
Press Play to step through the 5 stages — same physical FortiGate, but two distinct VDOM contexts.
Pause & Predict #1

Anil powers up a freshly-cabled Customer-D VDOM and adds a default route inside that VDOM pointing to 203.0.113.57 (the upstream ISP gateway, reachable only from mgmt VDOM). The route shows as up. Pings to 8.8.8.8 fail. Why?

The default route in Customer-D is dangling. The upstream gateway 203.0.113.57 is reachable from mgmt VDOM (which owns wan1), not from Customer-D. A default route in Customer-D can only point to one of its own interfaces — typically an inter-VDOM link with mgmt. Without that link in place, the customer VDOM has no path to FortiGuard either. Fix: config global → config system vdom-link → edit cust-d-link0 creates the pair; then default route in Customer-D points to the link's mgmt-side IP.
Quick check · Q1 of 10

Priya at an Indian IT services firm Bengaluru is a new VDOM admin scoped to Customer-B (retail). She logs in via SSH and tries config system interface → edit wan1 to change the wan1 IP. The CLI returns "command parse error". Why?

Correct: b. This is the #1 VDOM admin-scope trap. A scoped VDOM admin sees ONLY their VDOM's namespace. Global interfaces (wan1, mgmt, ha1) and global system settings are invisible — `config global` is denied. To grant cross-VDOM access, give the admin accprofile with multiple VDOMs or super_admin. Option a and c are red herrings — the error happens at parse time, before any interface state is queried.

Inter-VDOM link — software path vs NPU offload

The single biggest senior-interview drill is "when does an inter-VDOM link get NPU offload?" because it directly impacts CPU usage on busy MSPs. Default inter-VDOM links are software-only — every packet between VDOMs walks the CPU. On a 12-customer FortiGate-200F at peak hours that adds up fast. NPU-accelerated inter-VDOM links bypass the CPU for established sessions — but require specific hardware conditions.

Software-only vs NPU-accelerated inter-VDOM link Side-by-side comparison of two inter-VDOM link types. The left column shows a software-only link with every packet traversing the CPU. The right column shows an NPU-accelerated link with packets 2 and onward bypassing the CPU, but listing the conditions required: NP6 or NP7 chip, both ends of the link on NPU-bound interfaces, same NP, no UTM proxy inspection. Inter-VDOM link — Software-only vs NPU-accelerated Software-only (default) NPU-accelerated How it's created Auto-created when you reference an inter-VDOM link via config system vdom-link. Packet path Every packet → kernel → CPU policy lookup → kernel → other VDOM CPU. Throughput ceiling Limited by CPU. On FG-200F at 12-VDOM peak, CPU saturates well before line-rate. When to live with it Low-volume mgmt traffic (FortiGuard, logging). Or when you need UTM inspection (which forces software path). How it's created Same CLI but uses npu0_vlink0/1 pre-built virtual interfaces on the NP. Packet path Packet 1 → CPU (policy install). Packets 2+ → NPU fast-path, line-rate. Conditions to qualify NP6 / NP7 chip · both VDOMs use same NP · NO UTM proxy on the flow. When you want it High-volume tenant-to-internet traffic. Anil's 12-customer egress through mgmt VDOM uses npu0_vlink for SNAT. Rule of thumb: keep low-volume mgmt links software, push bulk traffic links onto NPU vlinks. UTM proxy inspection (DLP, deep SSL) on the link breaks NPU offload — falls back to software.
Figure 4. Software-only inter-VDOM links work everywhere but cost CPU. NPU vlinks need an NP6/NP7 chip and clear-flow conditions. UTM proxy inspection on the link drops it back to software — the most common reason a "should be fast" link is suddenly slow.
Pro tip · always create inter-VDOM links in pairs

The CLI config system vdom-link looks like one object, but it expands to two virtual interfaces — one each side. If you only configure one end (e.g. add an IP to cust-a-link0 in Customer-A but forget cust-a-link1 in mgmt), packets enter the link and die. Always assign IPs on both ends before testing.

Quick check · Q2 of 10

Karthik at an Indian enterprise Chennai sees CPU on a FortiGate-200F MSP box hit 92% during evening peak. diag sys top shows ipsengine on top, but UTM is off on inter-VDOM links. Anil suspects software-path inter-VDOM links. What's the BEST first verification step?

Correct: b. NPU session stats tell you exactly how many sessions are offloaded vs falling back to CPU. If software counter is climbing, the inter-VDOM link isn't qualifying for NPU offload — usually because either (i) it's a plain software vlink instead of npu0_vlink, (ii) one end touches a non-NPU interface, or (iii) a UTM profile silently activated. Reboot, HA changes and OS upgrade all skip the diagnosis step — auditor red flags.

Decision tree — which VDOM mode for your use case?

Most candidates instinctively pick multi-VDOM mode for everything. That's wrong. The right answer depends on whether you need multi-tenancy, security separation, or just neat defaults. Use this tree.

VDOM mode decision tree Branching tree starting from whether tenants need full isolation, leading to multi-VDOM mode, or whether the goal is just to separate device admin from policy admin, leading to split-task VDOM mode, or staying with default single VDOM otherwise. Includes a red callout that scoped VDOM admins cannot see global settings. Which VDOM mode do I need? Do tenants / departments need full traffic + admin isolation? YES → Multi-VDOM mode MSP / enterprise dept separation config system global set vdom-mode multi-vdom NO → Need device-admin / policy-admin role separation only? YES NO Split-task VDOM root (mgmt) + FG-traffic Single VDOM default · simplest ⚠ Common interview trap A scoped VDOM admin (accprofile pointing only at Customer-A) cannot see global system settingsno wan1, no NTP, no SNMP, no config global. This is by design (multi-tenancy isolation), but candidates often report it as a "bug" in interviews. Only super_admin in mgmt VDOM sees everything. CLI to verify: execute enter <vdom> · then get system global → "permission denied" All three mode changes are disruptive — FortiOS reboots the device after set vdom-mode commits. Plan a change window. Config from one mode does NOT auto-migrate to another.
Figure 3. The VDOM-mode decision tree. The red callout is what burns candidates — scoped VDOM admins cannot see global settings, and most candidates think this is a bug, not a security feature.

Configuration walkthrough — Anil enabling multi-VDOM

Anil's clean-room build, sized for the 12-customer MSP load. Note the reboot in the middle.

CLI · enable multi-VDOM mode (FortiGate-200F, FortiOS 7.6) 
FG200F # config system global
FG200F (global) # set vdom-mode multi-vdom
FG200F (global) # end

This will disconnect any current sessions. The system will reboot. Continue? (y/n) y

FG200F login: admin
FG200F # config global
FG200F (global) # config system vdom
FG200F (vdom) # edit cust-a
FG200F (cust-a) # next
FG200F (cust-a) # edit cust-b
FG200F (cust-b) # next
FG200F (cust-b) # edit cust-c
FG200F (cust-c) # end
Expected output · diag sys vd list 
name=root/root index=0 enabled
   uses_global_route=0  uses_global_arp=0
name=cust-a/cust-a index=1 enabled
name=cust-b/cust-b index=2 enabled
name=cust-c/cust-c index=3 enabled
4 vdoms exist; 1 mgmt-vdom; max-vdoms=10 (license: base)

Then Anil creates the inter-VDOM link pair between mgmt (root) and cust-a:

CLI · create inter-VDOM link pair 
FG200F (global) # config system vdom-link
FG200F (vdom-link) # edit cust-a-vlink
FG200F (cust-a-vlink) # set type ppp
FG200F (cust-a-vlink) # next
FG200F (vdom-link) # end

FG200F (global) # config system interface
FG200F (interface) # edit cust-a-vlink0
FG200F (cust-a-vlink0) # set vdom root
FG200F (cust-a-vlink0) # set ip 10.255.71.1 255.255.255.252
FG200F (cust-a-vlink0) # next
FG200F (interface) # edit cust-a-vlink1
FG200F (cust-a-vlink1) # set vdom cust-a
FG200F (cust-a-vlink1) # set ip 10.255.71.2 255.255.255.252
FG200F (cust-a-vlink1) # end
Verify · two commands every L3 reaches for

diag sys vd list — confirms VDOMs are up, shows mgmt VDOM, surfaces the active VDOM count vs max.

diag sys resource vdom usage — shows current sessions / policies / addresses / IPsec tunnels per VDOM, and compares against the per-VDOM quota. Use this in audits, capacity planning, and noisy-neighbour debugging.

Overlapping subnets — three banks, one 192.168.1.0/24

This is the question every MSP architect dreads in an interview. Three customers, all using 192.168.1.0/24 internally (because everyone copies the same Cisco router default). On a shared FortiGate the answer is "yes, perfectly fine — each VDOM has its own routing table." But routing isn't enough — return traffic needs unique source IPs. The trick is NAT on the mgmt-side of each inter-VDOM link.

Visualizer · Three VDOMs serve overlapping 192.168.1.0/24

Same private subnet inside three customer VDOMs. NAT on each inter-VDOM link gives each customer a distinct public-facing source — return traffic finds its way home.

Stage 1 · Cust-A sources User 192.168.1.50 (Customer-A VDOM) wants 203.0.113.200.
Same time, 192.168.1.50 in Cust-B and Cust-C are doing the same thing.
Stage 2 · Each VDOM has its own routing Cust-A routes via vlink-a → mgmt. Cust-B via vlink-b → mgmt. Cust-C via vlink-c → mgmt.
No collision — VDOM-scoped FIB.
Stage 3 · NAT inside mgmt VDOM Cust-A traffic SNAT → 203.0.113.71
Cust-B traffic SNAT → 203.0.113.72
Cust-C traffic SNAT → 203.0.113.73
Stage 4 · All three flows egress wan1 Distinct source IPs, distinct sessions in the kernel session table — no ambiguity at upstream router.
Stage 5 · Return path Return packet to 203.0.113.72 → mgmt session table identifies the inbound DNAT → routes to Cust-B's vlink → reaches the Cust-B 192.168.1.50 user.
Press Play — three identical private subnets served simultaneously through one box.
Pause & Predict #2

Anil sets per-VDOM session quota = 50,000 on Customer-B (default would be unlimited). Customer-B's WhatsApp Web traffic surges past 50K sessions. What happens to Customer-A and Customer-C?

Customer-A and Customer-C are untouched. The quota CAPS Customer-B at 50K — new sessions for Cust-B beyond that are dropped at the kernel. But the cap doesn't reserve resources for the others — it just protects them from the noisy neighbour by setting a ceiling on B. Cust-A and Cust-C continue using whatever shared pool is left. This is the most-missed VDOM nuance: quotas are caps, not reservations. Verify with diag sys resource vdom usage — shows current usage and configured cap per VDOM.

The mgmt-VDOM route trap (#1 senior question)

Every senior round at an Indian MSP and an Indian security firm asks some variant of this: "A customer VDOM can't reach FortiGuard for updates — what's the first place you check?" The answer is the default route.

Common mistake · default route in a non-mgmt VDOM can't reach FortiGuard

Symptom: Customer-A VDOM shows IPS signatures stale, AV definitions not updating. Internet egress for end-users works fine.

Cause: FortiGuard pulls are initiated from the mgmt VDOM only. A default route inside Customer-A points to the inter-VDOM link, which is correct for user traffic, but Customer-A itself is not the entity making the FortiGuard call — mgmt is. Without a working default route in mgmt VDOM, FortiGuard fails everywhere.

Fix: Confirm get system global | grep management-vdom shows mgmt VDOM (root). Then verify get router info routing-table all inside mgmt VDOM shows a default route. The customer's view never matters for FortiGuard — only mgmt VDOM does.

Quick check · Q3 of 10

Sneha at an Indian IT services firm Pune asks: "Can Customer-A and Customer-B use the exact same private subnet 192.168.1.0/24 on the same FortiGate?"

Correct: c. VDOMs are full network namespaces — own FIB, own ARP, own session table. Overlapping internal subnets are perfectly legal because each VDOM resolves them in isolation. Return traffic ambiguity is resolved at the egress NAT step, not at the routing layer. This is one of the top reasons MSPs love VDOMs — onboarding a new customer with a "default" 192.168.1.0/24 needs no renumbering.

SVG cheat-sheet — the 9 commands you'll use weekly

Print this. Tape it next to your console.

VDOM command cheat-sheet — 9 essential CLI tiles A 3 by 3 grid of nine command tiles, each showing one essential VDOM CLI command with a one-line description. Includes config vdom, edit, next, end, vdom-link, diag sys vd list, execute enter, diag sys resource vdom usage, and config system accprofile. VDOM CLI cheat-sheet · 9 commands every MSP admin runs weekly config vdom Enter VDOM-creation context (from `config global`). Required when adding a customer. edit <vdom-name> Create or enter a VDOM. Same syntax for new + existing. e.g. edit cust-a next Commit current object, stay in same context. Use between multiple VDOM edits. end Commit + exit context entirely. Closes config block. "next" = stay, "end" = leave. config system vdom-link Create inter-VDOM link pair (from `config global`). Auto-creates vlink0 + vlink1. diag sys vd list Show all VDOMs + status, mgmt VDOM, max-vdom count. First command after enabling mode. execute enter <vdom> Switch CLI prompt INTO a VDOM (from global). Prompt changes. CTRL+C to exit back to global. diag sys resource vdom usage Per-VDOM session, policy, tunnel, dial-up usage vs quota. Quota = CAP, never reserve. config system accprofile Define what a VDOM admin sees. Scope to one or many VDOMs. Where the trap from Fig.3 lives.
Figure 5. Nine commands. Memorize these and you can run any MSP FortiGate VDOM workload end-to-end. The two gradient tiles (config vdom + diag sys resource vdom usage + config system vdom-link) are the ones senior interviewers test by name.

License uplift — 10 free vs paid bump

Every FortiGate (except low-end "F" models which lock at 1) ships with 10 VDOMs included. Adding more requires a VDOM license uplift purchased from Fortinet. The license tier comes in packs (e.g. 25, 50, 100, 250, 500). Anil's FG-200F is on the base tier — sufficient for 12 customers with room. If he wins three more customers, he applies a 25-VDOM uplift before commissioning.

CVE awareness · the FortiManager ADOM lesson (CVE-2024-47575 · FortiJump)

FortiManager is the central manager for FortiGate fleets. Its equivalent of a VDOM is the ADOM (Administrative Domain) — same isolation concept, but for managed devices. In late 2024, Mandiant + Fortinet disclosed CVE-2024-47575 (FortiJump) — attackers (cluster UNC5820) abused the FortiManager device-registration interface to push rogue config from a compromised FortiManager into all managed FortiGates inside the same ADOM.

The lesson for VDOM/ADOM admins: isolation only works if administrative scoping is enforced. A single over-privileged super_admin token compromised at the FMG level can write across every ADOM. Mirror this on FortiGate: keep VDOM admins scoped, audit accprofile assignments quarterly, and never let a single SSO account hold super_admin in mgmt VDOM without MFA + dedicated jumphost.

Mode change is disruptive — Anil's change-window discipline

Three mode changes — single → multi-VDOM, single → split-task, split-task → multi-VDOM — all trigger an automatic reboot after set vdom-mode commits. Worse, config does NOT auto-migrate. A single-VDOM box switched to multi-VDOM loses all interface assignments to "root" by default, and you must manually re-home each interface, route, and policy. Anil's rule: backup config, document interface bindings, schedule a 90-minute window, never do this in business hours.

Pro tip · FortiManager ADOM mirrors VDOM

If your fleet is centrally managed by FortiManager, every VDOM you create on a FortiGate is reflected as a sub-device under the FMG ADOM. Add VDOMs at the FortiGate first, then re-sync the FMG ADOM. Mismatched VDOM lists between FortiGate and FMG = config drift = silent policy failures the next time FMG pushes a template.

I'm stuck — explain it to me · AI Tutor (Llama 3.3 70B)

Tap a question. The tutor explains in plain Hinglish with the exact CLI you'd run.

Pick a question above — the tutor responds in 5 seconds.

Runs on Cloudflare Workers AI · Llama 3.3 70B Instruct · scoped to this blog's context.

📝 Assessment · 10 scenario-based questions

Bloom mix: 1 Remember · 3 Apply · 4 Analyze · 2 Evaluate. Pass = 70% (7/10). Reasoning appears after submit.

Q1 · Remember

In FortiOS, the default management VDOM on a brand-new FortiGate that was just switched into multi-VDOM mode is named:

Correct: c — root. Every FortiGate ships with one implicit VDOM called root. When you switch to multi-VDOM mode it becomes the default management VDOM until you reassign with config system global → set management-vdom <name>. Don't confuse it with `config global` (a CLI context, not a VDOM).
Q2 · Apply

Anil — MSP architect serving 12 customer VDOMs needs to give a Customer-B retail admin (Priya) read-write access to only the cust-b VDOM, with no visibility into cust-a, cust-c, or global system settings. Which approach is correct?

Correct: b. The clean pattern is a custom accprofile scoped to the resource trees the customer admin needs (firewall, log, monitor, etc.), then bind the admin to the VDOM via set vdom. The scoped admin cannot see global or other VDOMs — that's the by-design behaviour. Option a is wrong — super_admin always sees everything. Option c bypasses local control, dangerous for emergency access.
Q3 · Apply

Anil migrates a single-VDOM FortiGate that has 30 policies and 4 interfaces onto multi-VDOM mode without prep. After the reboot, his users complain ALL internet is down. Why, and what should he have done?

Correct: c. Mode change does NOT delete config — but everything stays in root until you migrate it. New customer VDOMs are empty until you explicitly move interfaces, addresses and policies into them. Anil's users complained because while config was intact, his new customer-VDOMs hadn't been populated yet — and root's defaults didn't match the new design. Always plan the target map first, schedule the window, document each interface's destination.
Q4 · Apply

Priya wants to verify whether an inter-VDOM link cust-a-vlink between root and cust-a is taking the NPU fast-path or staying on software. Which command gives the clearest answer?

Correct: a. NPU session-stats is the canonical NPU-offload diagnostic — per-NP counters for offloaded vs software sessions. Option b only shows config, not runtime state. Option c is destructive guesswork. Option d is the IKE/IPsec debug, irrelevant here. Senior interviewers expect the NPU command by name.
Q5 · Analyze

Anil's FortiGate-200F runs 8 VDOMs at 60% CPU steady-state. He adds VDOMs 9 and 10 for two new mid-sized clients. CPU jumps to 95% within a week, but session count per VDOM is unchanged. Most likely cause?

Correct: c. VDOMs themselves are nearly free on CPU. What kills CPU is when traffic falls off the NPU fast-path — most commonly because a UTM proxy profile (SSL deep-inspection, DLP, deep AV) is attached on the inter-VDOM link or transit policy. Verify with diag npu np6 session-stats and check policy UTM toggles. Option a is wrong (linear cost-per-VDOM is a myth). The mgmt VDOM scenario in d only matters if mgmt is processing user traffic, which it usually shouldn't be.
Q6 · Analyze

A scoped VDOM admin reports "I can't see config system snmp community in my CLI, but my team-lead can. The CLI says command not found." What's happening?

Correct: b. This is the highest-frequency VDOM-admin-scope trap. Anything global (SNMP, NTP, FortiGuard, log forwarding, the management interface itself, accprofile management) requires global-tree access. Scoped admins are intentionally fenced out. Confirm by running show system accprofile <scoped-profile> — the global-tree permissions will be `none`.
Q7 · Analyze

Sneha set per-VDOM session quota = 50,000 on Customer-B. Customer-B has 60,000 concurrent sessions during evening. Customer-A and Customer-C session counts are way under quota. Yet a Customer-A user reports new TCP connections timing out. What's the likely cause?

Correct: a. The most important VDOM-quota nuance — quotas CAP, they don't RESERVE. A noisy neighbour can still exhaust the shared device-level pool until their cap kicks in. The fix is sizing — either bump the FortiGate model up, or set Customer-B's quota even lower so global usage stays well under hardware max. This is a quintessential L3 capacity-planning answer.
Q8 · Analyze

A junior admin at an Indian enterprise reports that adding a default route inside Customer-A VDOM pointing at the wan1 gateway IP "doesn't work" — pings to public IPs from cust-a users fail. wan1 is in mgmt VDOM. What's the explanation?

Correct: d. Inter-VDOM routing is local — a customer VDOM's default route must point at its own local interface (the inter-VDOM link's customer-side IP, gateway being the mgmt-side IP). Cust-a has no concept of wan1 — that interface lives in mgmt VDOM's namespace. Option b is wrong — no dynamic routing required for the static inter-VDOM hop. Option c is wrong — default routes are perfectly legal in any VDOM, they just have to make sense locally.
Q9 · Evaluate

An auditor proposes: "To save licensing cost, consolidate all 12 MSP customers into the root VDOM and separate them only by zone-based firewall policies. Drop multi-VDOM mode entirely." Is this design sound?

Correct: d. Zones are policy convenience — they do NOT create separate routing namespaces, separate ARP tables, separate session tables, or separate admin scopes. A single bad rule in flat-mode firewall can blast every tenant. MSPs run multi-VDOM specifically because their compliance contracts demand actual isolation. The auditor's proposal is a classic "save money, destroy trust" anti-pattern. Reject politely; show ROI of the VDOM uplift vs the cost of one breach incident.
Q10 · Evaluate

Two architectures for a 12-customer MSP: (A) one FortiGate-200F with multi-VDOM (12 VDOMs, all customer egress through mgmt VDOM via inter-VDOM links + NPU vlinks), or (B) twelve FortiGate-60F devices, one per customer. Both use FortiManager via ADOMs. Which is the better choice for a budget-constrained MSP with a Pune NOC team?

Correct: b. The MSP economic argument lands on Option A for any team that's already deploying HA pairs. CapEx is 1×200F-pair vs 12×60F-pair; OpEx is one FortiGuard renewal vs twelve; patching is one device-pair vs twelve. The single-failure-domain risk is fixed by HA. The FortiJump (ADOM) lesson applies equally to both deployments — central manager scope is what matters. The "physical isolation always wins" instinct from option a is real for ultra-regulated tenants (defence, banking core), but for general MSP work the operational economics favour multi-VDOM.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

Self-explanation prompt

In 2-3 sentences, explain to a hypothetical batchmate: "Why can a scoped VDOM admin not see global system settings, and is that a feature or a bug?" Writing this out cements the multi-tenancy mental model fast.

📤 Teach a friend on WhatsApp: Share

📖 Mini-glossary — terms used in this blog

VDOM
Virtual Domain — full firewall instance inside one physical FortiGate.
mgmt-VDOM
The VDOM that owns FortiGuard, NTP, SNMP and global system services.
Split-task VDOM
2-VDOM mode — root (mgmt only) + FG-traffic (data plane). Hardening pattern.
Inter-VDOM link
Virtual point-to-point cable between two VDOMs. Always created as a pair.
VDOM admin
Administrator account scoped to one or more VDOMs via accprofile.
Resource quota
Per-VDOM CAP (not reserve) on sessions, policies, addresses, tunnels.
ADOM
FortiManager's Administrative Domain — FMG-side equivalent of a VDOM.
NPU offload
NP6/NP7 chip's ability to fast-path established sessions, bypassing CPU.
Traffic VDOM
The data-plane VDOM in split-task mode (named FG-traffic by default).
accprofile
FortiOS access-profile object — defines which trees a CLI/GUI admin can see.
Where this gets asked: VDOMs are the senior-round filter at Indian enterprises, MSPs, and banking + fintech IT teams — every managed-security team relies on shared FortiGates, and "which mode, why, and how do you scope admins" is non-negotiable knowledge. The inter-VDOM-link NPU question is L3-only; the admin-scope trap is L2+.

What's next?

Blog 8 unpacks FortiGate HA — FGCP active-passive and active-active, the heartbeat link, override settings, plus the override-flap incident that takes down half a data centre.

Blog 8 · FortiGate HA (FGCP) → ← All Fortinet lessons

📚 Sources

  1. Network Interview — Virtual Domain and Administrative Domain in Fortinet. networkinterview.com/virtual-domain-and-administrative-domain
  2. Fortinet Docs — VDOM Overview (FortiOS 7.6 Administration Guide). docs.fortinet.com/document/fortigate/7.6.6/administration-guide/597696/vdom-overview
  3. NWKings — Top 20 Fortinet Firewall Interview Questions and Answers (2025). nwkings.com/fortinet-firewall-interview-questions-and-answers
  4. Tenable Blog — CVE-2024-47575 FAQ: FortiJump Zero-Day in FortiManager. tenable.com/blog/cve-2024-47575-faq-about-fortijump-zero-day-in-fortimanager-fortimanager-cloud
  5. Fortinet Community — Technical Tip: Inter-VDOM link configuration and NPU acceleration. community.fortinet.com (MSP-VDOM thread, FortiGate 7.4 / 7.6)
  6. Fortinet Training — NSE 4 Network Security Professional curriculum. training.fortinet.com (Module: VDOM)
  7. Hirist — Top 25+ Firewall Interview Questions 2026. hirist.tech/blog/top-25-firewall-interview-questions-and-answers-for-2025