2.1 Operation Modes & VDOMs
Key Takeaways
- A FortiGate (or each VDOM, once VDOMs are enabled) operates in NAT mode (Layer 3 routing, each interface has an IP) or Transparent mode (Layer 2 bridging, the device acts like a bump-in-the-wire). The mode is a per-VDOM setting, not a per-interface one.
- NAT mode is the default and most common deployment; Transparent mode is used to add security inspection without changing the existing IP scheme or routing.
- Virtual Domains (VDOMs) split one physical FortiGate into multiple independent virtual firewalls, each with its own policies, routing table, and administrators.
- Split-task VDOM mode creates exactly two VDOMs, root for management and FG-traffic for inspected user traffic; multi-VDOM mode creates fully independent customer or department firewalls.
- The management VDOM handles FortiGate-originated traffic (FortiGuard, NTP, DNS, logging); inter-VDOM links route traffic between VDOMs without leaving the device.
Why Operation Modes Matter on the NSE 4 Exam
The Deployment and System Configuration domain is roughly 20% of the NSE 4 exam, and operation modes sit at the heart of it. Before you can write a single firewall policy, you must know how the FortiGate inserts itself into the network. FortiOS 7.6 sets the operation mode per VDOM (for the whole unit when VDOMs are disabled), and that decision drives addressing, routing, and how invasive the deployment is. Do not confuse operation mode with inspection mode (flow-based or proxy-based), which is a per-policy choice about how traffic is scanned, not about where the FortiGate sits in the network.
NAT Mode vs Transparent Mode
In NAT mode (Network Address Translation mode), the FortiGate behaves as a Layer 3 router. Each interface is assigned its own IP address and the device routes packets between subnets, applies firewall policies, and can perform source and destination NAT. NAT mode is the default and is used in the vast majority of deployments because it gives the FortiGate full routing, NAT, VPN termination, and DHCP capabilities.
In Transparent mode, the FortiGate behaves as a Layer 2 bridge (a "bump in the wire"). Interfaces have no IP addresses of their own; frames are forwarded based on MAC addresses, and the transparent VDOM has a single management IP address used only for administration. Because the FortiGate is invisible at Layer 3, you can drop it into an existing network to add inspection (antivirus, IPS, web filtering) without re-addressing hosts or changing default gateways. Firewall policies still name a source and destination interface, so the two bridged ports must be paired correctly in policy or traffic hits the implicit deny.
Comparison Table
| Characteristic | NAT Mode | Transparent Mode |
|---|---|---|
| OSI layer of operation | Layer 3 (routing) | Layer 2 (bridging) |
| Interface addressing | Each interface has its own IP | No interface IPs; one management IP per transparent VDOM |
| Default mode | Yes (default) | No |
| NAT support | Full source and destination NAT | Not supported (no Layer 3 translation) |
| Routing / dynamic routing | Supported (static, OSPF, BGP) | Not supported |
| VPN termination | Supported (IPsec and SSL VPN) | Limited (IPsec only; SSL VPN is not supported) |
| Visible to hosts | Yes (acts as a gateway) | No (invisible bump-in-the-wire) |
| Typical use case | New deployments, internet edge, segmentation | Adding inspection to an existing network without re-IP |
When to Use Each Mode
- Choose NAT mode for a new network edge, when you need NAT, VPN, DHCP, or routing, or when the FortiGate is the default gateway for hosts.
- Choose Transparent mode when you must insert security inspection into an existing segment without changing the IP plan, default gateways, or routing topology.
In FortiOS 7.6 the operation mode is configured per VDOM, so a single appliance with VDOMs enabled can run NAT-mode and transparent-mode VDOMs side by side, each owning its own set of physical interfaces.
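The two modes side by side in FortiOS CLI, as an added example (this is not configuration from the original page or from Fortinet documentation). It assumes multi-VDOM mode is already enabled; the VDOM names edge and dmz-tap, the interface names and all addresses are invented for illustration.

```fortios
# Added example, not the page's own config: a NAT-mode VDOM and a transparent-mode VDOM on one unit.
# Assumptions: multi-VDOM mode is already enabled; VDOM names (edge, dmz-tap), interface names
# and addresses are invented for illustration.

# --- NAT mode (VDOM "edge"): each interface carries its own Layer 3 address ---
# Interfaces are global objects; assign them to the VDOM and address them here.
config global
    config system interface
        edit port1
            set vdom edge
            set ip 203.0.113.2 255.255.255.248
            set allowaccess ping https
        next
        edit port2
            set vdom edge
            set ip 10.10.0.1 255.255.255.0
            set allowaccess ping
        next
        # Two ports for the bump-in-the-wire: no IPs, they are bridged inside dmz-tap.
        edit port3
            set vdom dmz-tap
        next
        edit port4
            set vdom dmz-tap
        next
    end
end

# The edge VDOM routes: it needs a default route and a policy that NATs the LAN out.
config vdom
    edit edge
        config router static
            edit 1
                set gateway 203.0.113.1
                set device port1
            next
        end
        config firewall policy
            edit 1
                set name lan-to-internet
                set srcintf port2
                set dstintf port1
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end

# --- Transparent mode (VDOM "dmz-tap"): switch the VDOM's opmode; only a management IP exists ---
# Changing opmode is disruptive (interface IPs in that VDOM are removed), so do it before adding policies.
config vdom
    edit dmz-tap
        config system settings
            set opmode transparent
            set manageip 10.20.0.254/24
            set gateway 10.20.0.1
        end
        # Policies still name the two bridged ports; hosts keep their existing gateway (10.20.0.1).
        config firewall policy
            edit 1
                set name tap-inspect
                set srcintf port3
                set dstintf port4
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set ssl-ssh-profile certificate-inspection
                set av-profile default
                set ips-sensor default
            next
        end
    next
end
```

After the change, `get system status` run inside each VDOM reports its Operation Mode line; the dmz-tap policy is stateful, so sessions started from the port3 side are inspected and their replies return without a second policy, but anything initiated from the port4 side needs its own port4-to-port3 policy or it is dropped.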
Virtual Domains (VDOMs)
A Virtual Domain (VDOM) lets you split one physical FortiGate into multiple independent virtual firewalls. Each VDOM has its own firewall policies, routing table, security profiles, address objects, and administrator accounts. VDOMs are commonly used by managed service providers to isolate customers, and by enterprises to separate departments or security zones on a single appliance.
VDOM Modes
FortiGate supports two VDOM operating modes:
- Split-task VDOM mode: a simplified mode that creates exactly two VDOMs. The root VDOM is the management VDOM and carries administrative access and FortiGate-originated traffic; the FG-traffic VDOM inspects and forwards user traffic. It isolates management from the data plane without the full complexity of multiple customer VDOMs.
- Multi-VDOM mode: creates fully independent virtual firewalls. You can add multiple VDOMs, each acting as a separate logical FortiGate with its own policies and routing. This is the mode used for true multi-tenancy.
When VDOMs are first enabled, a VDOM named root is created automatically and cannot be deleted. The root VDOM is the default VDOM.
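Enabling multi-VDOM mode, creating a tenant VDOM, moving interfaces into it and scoping an administrator, as an added example (not configuration from the original page or from Fortinet). The VDOM name custA, the interface and admin names, the password placeholder and all addresses are assumed.

```fortios
# Added example, not the page's own config: enabling multi-VDOM mode, creating a tenant VDOM,
# assigning interfaces and scoping an administrator to it. VDOM, interface and admin names,
# the password placeholder and the addresses are assumed for illustration.

# 1. Enable multi-VDOM mode. Only a super_admin can do this, and the session is logged out after.
#    Use "set vdom-mode split-vdom" instead for the two-VDOM root/FG-traffic layout.
config system global
    set vdom-mode multi-vdom
end

# 2. Create the tenant VDOM (root already exists and cannot be deleted).
config vdom
    edit custA
    next
end

config global
    # 3. Physical interfaces are global objects; an interface can only move if nothing in its
    #    current VDOM (policies, routes, DHCP servers) still references it.
    config system interface
        edit port5
            set vdom custA
            set ip 198.51.100.2 255.255.255.252
            set allowaccess ping
        next
        edit port6
            set vdom custA
            set ip 10.50.0.1 255.255.255.0
            set allowaccess ping https
        next
    end
    # 4. A tenant administrator: sees only custA, never global settings or other VDOMs.
    config system admin
        edit custA-admin
            set vdom custA
            set accprofile prof_admin
            set password <strong-password>
        next
    end
end

# 5. Everything inside custA is its own: routing table, objects, policies.
config vdom
    edit custA
        config router static
            edit 1
                set gateway 198.51.100.1
                set device port5
            next
        end
        config firewall policy
            edit 1
                set name custA-outbound
                set srcintf port6
                set dstintf port5
                set srcaddr all
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set nat enable
            next
        end
    next
end
```

From global scope, `diagnose sys vd list` lists every VDOM with its index and operation mode, and `show system admin custA-admin` confirms the exam point that per-VDOM administrators are created globally but scoped to one VDOM.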
The Management VDOM
The management VDOM is the VDOM through which the FortiGate sends its own self-originated traffic — FortiGuard rating and update queries, DNS lookups, NTP time synchronization, SNMP, and log traffic to FortiAnalyzer or syslog. Only one VDOM is designated as the management VDOM at a time. By default it is root. If the management VDOM loses its route to the internet, FortiGuard updates and time sync fail even if other VDOMs have working internet access — a common troubleshooting trap.
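Designating the management VDOM and checking that self-originated traffic has a way out, as an added example (not configuration from the original page or from Fortinet). The VDOM name edge is assumed.

```fortios
# Added example, not the page's own config: moving the management VDOM off root and checking
# that FortiGate-originated traffic has a route out. VDOM name "edge" is assumed.

# The setting lives in global scope because it belongs to the unit, not to any one VDOM.
# Only one VDOM can be the management VDOM at a time; root is the default.
config global
    config system global
        set management-vdom edge
    end
end

# Verify from inside that VDOM: the unit's own DNS, NTP and FortiGuard traffic use this
# routing table, so a missing default route here breaks updates even if other VDOMs browse fine.
config vdom
    edit edge
        get router info routing-table all
        execute ping update.fortiguard.net
        diagnose debug rating
    next
end
```

If the ping resolves and answers but `diagnose debug rating` shows no reachable servers, the problem is FortiGuard access from this VDOM, not the route; if the hostname does not resolve, the management VDOM's DNS path is the first thing to fix.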
Global vs VDOM Configuration
With VDOMs enabled, the CLI is divided into two scopes:
- config global: settings that apply to the entire physical device, such as administrator accounts, physical interfaces and their VDOM assignment, HA configuration, firmware, and which VDOM is the management VDOM.
- config vdom, then edit <vdom-name>: settings specific to one VDOM, such as firewall policies, routing, security profiles, and address objects.
Inter-VDOM Links
By default, VDOMs are isolated and traffic cannot pass between them. An inter-VDOM link is a virtual interface pair that connects two VDOMs internally, allowing traffic to be routed and inspected between them without leaving the FortiGate through a physical port. Because the link is internal, it is fast and does not consume physical interfaces or external cabling. Firewall policies are still required on both VDOMs to permit the traffic — the link only provides the path, not the permission.
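An inter-VDOM link between two tenant VDOMs with the routes and policies both sides need, as an added example (not configuration from the original page or from Fortinet). The VDOM names custA and custB, the link name vlAB, interface names and addresses are assumed.

```fortios
# Added example, not the page's own config: an inter-VDOM link between tenants custA and custB,
# with the routes and firewall policies each side needs. Names and addresses are assumed.
# Assumptions: multi-VDOM mode is enabled; custA owns port6 (LAN 10.50.0.0/24) and custB owns
# port8 (LAN 10.60.0.0/24).

# 1. Create the link in global scope. Naming it vlAB creates two interfaces, vlAB0 and vlAB1.
config global
    config system vdom-link
        edit vlAB
            set type ethernet
        next
    end
    # 2. Put one end in each VDOM and address the pair as a /30 point-to-point subnet.
    config system interface
        edit vlAB0
            set vdom custA
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit vlAB1
            set vdom custB
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# 3. custA side: a route to custB's LAN via the link, and a policy that permits only that traffic.
config vdom
    edit custA
        config firewall address
            edit custB-lan
                set subnet 10.60.0.0 255.255.255.0
            next
        end
        config router static
            edit 10
                set dst 10.60.0.0 255.255.255.0
                set gateway 10.255.0.2
                set device vlAB0
            next
        end
        config firewall policy
            edit 10
                set name to-custB
                set srcintf port6
                set dstintf vlAB0
                set srcaddr all
                set dstaddr custB-lan
                set action accept
                set schedule always
                set service ALL
            next
        end
    next
end

# 4. custB side: the return route and its own policy. The link delivers packets; this policy decides.
config vdom
    edit custB
        config firewall address
            edit custA-lan
                set subnet 10.50.0.0 255.255.255.0
            next
        end
        config router static
            edit 10
                set dst 10.50.0.0 255.255.255.0
                set gateway 10.255.0.1
                set device vlAB1
            next
        end
        config firewall policy
            edit 10
                set name from-custA
                set srcintf vlAB1
                set dstintf port8
                set srcaddr custA-lan
                set dstaddr all
                set action accept
                set schedule always
                set service ALL
                set utm-status enable
                set ssl-ssh-profile certificate-inspection
                set ips-sensor default
            next
        end
    next
end
```

Without policy 10 in custB, packets arriving on vlAB1 fall to the implicit deny, which is what "the link only provides the path, not the permission" means in practice; `diagnose sniffer packet vlAB1 'icmp' 4` run inside custB shows them arriving and not being answered. Keep link names short: FortiOS appends 0 and 1 to form the interface names, and the link name itself is limited to 11 characters.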
Practice Questions
- An administrator must add antivirus and IPS inspection to an existing network segment but cannot change any host IP addresses or default gateways. Which FortiGate operation mode best fits this requirement?
- In a multi-VDOM FortiGate, which statement about the management VDOM is correct?
- Two VDOMs on the same FortiGate need to exchange traffic that is inspected by firewall policies, without using a physical interface. What should the administrator configure?