Skip to main content
sreddi
Staff
sreddi
Staff
April 26, 2016

Technical Tip: How to delete a VDOM using the GUI and CLI

  • April 26, 2016
  • 0 replies
  • 68680 views

Description

 
This article describes how to delete a VDOM that is no longer required in the configuration. This task can be accomplished using the FortiGate Web GUI or via the CLI.
 

Scope

 

FortiGate.

 

Solution

 
Before a VDOM can be deleted, any configuration references associated with the VDOM must be removed. In particular, any additional** network interfaces associated with the VDOM must be moved out of the VDOM, and this may also require an administrator to remove additional sub-dependencies that are associated with those interfaces.
 
For example, consider if an interface (e.g., DMZ) is placed into a new VDOM, followed by the creation of a Firewall Policy and a Static route that references the DMZ interface. To delete the VDOM, both the Firewall Policy and the Static route would have to be deleted, followed by moving the DMZ interface from the to-be-deleted VDOM to a different VDOM (such as root). Once those steps are completed, the VDOM would be eligible to be deleted.
 
It is important to note that every VDOM will have a certain number of built-in references (specifically virtual network interfaces) that are created at the same time that the VDOM is created. In all FortiOS versions, this includes the following:

ssl.<vdom>: virtual interface associated with the SSL VPN function. Used when defining Firewall Policies for SSL VPN users.

 

In FortiOS v7.0 and later, two additional virtual interfaces are built into each VDOM:

 

Note: the built-in interfaces mentioned above cannot be individually deleted by the administrator. Instead, they are automatically created and deleted whenever a VDOM is created/deleted. Crucially, these specific interfaces will not block an administrator from deleting a VDOM, and so they can be ignored during configuration cleanup.

 
With that all in mind, the following are guides for how to check and remove references to an existing VDOM before deleting said VDOM:
 
Deleting a VDOM using the GUI:
Navigate to the Global VDOM, then go to System -> VDOM. If there are any non-default references to a VDOM, then the 'Delete' button will be greyed out.
The number of references is visible under the 'Reference' column.
 
System_VDOM_DeleteGreyedOut.png

 

Select the number in the 'Reference' column to see the details:
 
System_VDOM_References.png

 

In the example given above, the DMZ interface needs to be removed from testvdom before the VDOM can be deleted.

In the Global VDOM, go to Network -> Interfaces, select the DMZ interface, then move the interface from its current VDOM (in this case, testvdom) to another VDOM, such as root.
 
Note: If the interface is referenced elsewhere in the VDOM (such as a static route or firewall policy in testvdom that references the DMZ interface), then it will not be possible to access the Virtual Domain dropdown to change the assigned VDOM. If this is the case, check the VDOM configuration and remove any references to the network interfaces, then revisit this step. It is possible to use the 'Ref.' column in Network -> Interfaces to identify references to any given network interface.
 
dmz interface with no configuration references in testvdom.dmz interface with no configuration references in testvdom.

 

dmz interface with existing references in testvdom. Note that the Virtual Domain dropdown is no longer accessible.dmz interface with existing references in testvdom. Note that the Virtual Domain dropdown is no longer accessible.

 

Follow the above procedure and check if there are any remaining network interfaces associated with VDOM2 (not including the previously-mentioned built-in interfaces). If there are no further references, then the Delete button should no longer be greyed out, and the VDOM can be deleted:
 
System_VDOM_References_ClearedDMZ.png

 

Note: Sometimes it is not possible to remove the VDOM from the GUI after removing the DMZ interface. In this example can see that a VDOM is still under configuration under the config system admin:

 

config system admin

    edit "admin"

        set vdom "root" "testvdom"  <---

        set accprofile "super_admin"

        set ssh-public-key1 "XXXXXXXXXXXXXXX"

            config gui-dashboard

                edit 1

                    set name "Status"

                    set vdom "testvdom"  <---

             

Below is how to remove VDOM testvdom under config system admin:

 

            config system admin
                edit admin
                    set vdom root
            end

    next

        config gui-dashboard
        delete 1

        end

end

 

This VDOM is now successfully removed from the configuration.

 

Deleting a VDOM using the CLI:
Sometimes, it is possible to encounter a reference that cannot be deleted from the GUI, and it can only be done from the CLI. To find out what is referencing the VDOM from CLI, there are two methods:
 
Method 1: Find references based on the assigned VDOM.
 
In the CLI, go to the Global VDOM and run the following commands:
 
FortiGate (global) # show | grep <insert VDOM name> -f
 
This will show all objects that directly reference the VDOM by name:

 CLI_GrepVDOM.png

 

Method 2: Find sub-references using the refcnt command.
In the CLI, go to either the Global VDOM or the VDOM containing a network interface, then run the following command.
 
FortiGate (global) # diagnose sys cmdb refcnt show <path.object.mkey> <tablename entry>
 
This command is very useful for locating references to an object that are not explicitly labeled as belonging to a given VDOM (e.g., static routes or firewall policies that are contained in a VDOM but not easily located otherwise). The following example shows how to use this command to find references to the DMZ interface by name (in this case, a Firewall Policy and Static Route are found to be referencing the DMZ interface):
 
CLI_refcnt.png
 
Once the references/objects in the configuration are identified, proceed to delete the CLI objects identified by the above commands. After that, delete the VDOM by running the following commands:
 
FortiGate # config vdom
FortiGate (vdom) #
FortiGate (vdom) # delete <vdom name>
 
If the VDOM is still referenced, then the CLI will issue a warning and will not allow the VDOM to be deleted:

CLI_CannotDelete.png
Also, if deleting VDOM is not yet possible, it is necessary to run the following command (being in the global environment) to identify the remanent configuration (for this example, the VDOM name is also 'testvdom'):


(global) # diagnose sys cmdb refcnt show system.vdom.name testvdom

entry used by table system.interface:name 'l2t.testvdom' (From 'global')
entry used by table system.interface:name 'naf.testvdom' (From 'global')
entry used by table system.interface:name 'ssl.testvdom' (From 'global')
entry used in table system.interface:name 'npu0_vlink1.testvdom' (From 'global')
entry used by child table vdom:name 'testvdom' of table system.admin:name 'admin' (From 'global')
entry used by table system.vdom-property:name 'testvdom' (From 'global')

 

Then, it is necessary to check the following article to complete the VDOM erasing:
Troubleshooting Tip: Unable to delete a VDOM 

Notes:
  • If the VDOM is configured on the HA cluster with the vcluster option, make sure that the VDOM that has to be deleted is active on the same cluster member where the management VDOM is.
  • The 'root' VDOM cannot be deleted. This is the default VDOM where interface binding reverts to when disabling a multi-VDOM environment, and it is also the default management VDOM.

 

Related article:

Troubleshooting Tip: Verifying FortiGate configuration objects references and dependencies with the CLI command 'diagnose system checkused'

    Terms & ConditionsAccessibility statement