sreddi (Staff)
Article Id 197841

Description

 
This article describes how to delete a VDOM that is no longer required in the configuration. This task can be accomplished using the FortiGate Web GUI or via the CLI.
 

Scope

 

FortiGate.

 

Solution

 
Before a VDOM can be deleted, any configuration references associated with the VDOM must be removed. In particular, any additional** network interfaces associated with the VDOM must be moved out of the VDOM, and this may also require an administrator to remove additional sub-dependencies that are associated with those interfaces.
 
For example, consider if an interface (e.g., DMZ) is placed into a new VDOM, followed by the creation of a Firewall Policy and a Static route that references the DMZ interface. To delete the VDOM, both the Firewall Policy and the Static route would have to be deleted, followed by moving the DMZ interface from the to-be-deleted VDOM to a different VDOM (such as root). Once those steps are completed, the VDOM would be eligible to be deleted.
 
** It is important to note that every VDOM will have a certain number of built-in references (specifically virtual network interfaces) that are created at the same time that the VDOM is created. In all FortiOS versions, this includes the following:

ssl.<vdom>: virtual interface associated with the SSL VPN function. Used when defining Firewall Policies for SSL VPN users.

 

In FortiOS v7.0 and later, two additional virtual interfaces are built into each VDOM:

 

Note: the built-in interfaces mentioned above cannot be individually deleted by the administrator. Instead, they are automatically created and deleted whenever a VDOM is created/deleted. Crucially, these specific interfaces will not block an administrator from deleting a VDOM, and so they can be ignored during configuration cleanup.

 
With that all in mind, the following are guides for how to check and remove references to an existing VDOM before deleting said VDOM:
 
Deleting a VDOM using the GUI:
Navigate to the Global VDOM, then go to System -> VDOM. If there are any non-default references to a VDOM, then the 'Delete' button will be greyed out.
The number of references is visible under the 'Reference' column.
 
System_VDOM_DeleteGreyedOut.png

 

Select the number in the 'Reference' column to see the details:
 
System_VDOM_References.png

 

In the example given above, the DMZ interface needs to be removed from testvdom before the VDOM can be deleted.

In the Global VDOM, go to Network -> Interfaces, select the DMZ interface, then move the interface from its current VDOM (in this case, testvdom) to another VDOM, such as root.
 
Note: if the interface is referenced elsewhere in the VDOM (such as a static route or firewall policy in testvdom that references the DMZ interface), then it will not be possible to access the Virtual Domain dropdown to change the assigned VDOM. If this is the case, check the VDOM configuration and remove any references to the network interfaces, then revisit this step. It is possible to use the 'Ref.' column in Network -> Interfaces to identify references to any given network interface.
 
dmz interface with no configuration references in testvdom.

 

dmz interface with existing references in testvdom. Note that the Virtual Domain dropdown is no longer accessible.

 

Follow the above procedure and check if there are any remaining network interfaces associated with the VDOM to be deleted (testvdom in this example), not including the previously-mentioned built-in interfaces. If there are no further references, then the Delete button should no longer be greyed out, and the VDOM can be deleted:
 
System_VDOM_References_ClearedDMZ.png

 

Note: Sometimes it is not possible to remove the VDOM from the GUI even after removing the DMZ interface. In this example, the VDOM is still referenced under config system admin (by the admin account's VDOM assignment and by a GUI dashboard entry):

 

config system admin
    edit "admin"
        set vdom "root" "testvdom"  <---
        set accprofile "super_admin"
        set ssh-public-key1 "XXXXXXXXXXXXXXX"
        config gui-dashboard
            edit 1
                set name "Status"
                set vdom "testvdom"  <---

Below is how to remove the references to VDOM testvdom under config system admin (the admin account is restricted to root, and the dashboard entry that was bound to testvdom is deleted):

config system admin
    edit admin
        set vdom root
        config gui-dashboard
            delete 1
        end
    next
end

 

The reference to testvdom is now removed from the admin configuration, and the VDOM can be deleted.

 

Deleting a VDOM using the CLI:
Sometimes, it is possible to encounter a reference that cannot be deleted from the GUI, and it can only be done from the CLI. To find out what is referencing the VDOM from CLI, there are two methods:
 
Method 1: Find references based on the assigned VDOM.
 
In the CLI, go to the Global VDOM and run the following commands:
 
FortiGate (global) # show | grep <insert VDOM name> -f
 
This will show all objects that directly reference the VDOM by name:

 CLI_GrepVDOM.png
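The same check as Method 1 can be repeated offline against a saved 'show' output. The following Python script is an added example (not from this article or from Fortinet): it walks the config/edit/next/end block structure and lists every object whose 'set vdom' names the VDOM, together with its nesting path, and skips the built-in ssl.<vdom> interface as described above. The sample configuration embedded in it is constructed, not taken from a real device.

```python
import shlex

# Constructed sample of FortiOS 'show' output, not taken from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "dmz"
        set vdom "testvdom"
    next
    edit "ssl.testvdom"
        set vdom "testvdom"
    next
end
config system admin
    edit "admin"
        set vdom "root" "testvdom"
        config gui-dashboard
            edit 1
                set vdom "testvdom"
            next
        end
    next
end
"""
# Built-in per-VDOM interfaces named in the article; they never block deletion.
BUILTIN_PREFIXES = ("ssl.",)

def find_vdom_references(config_text, vdom):
    """Return [(path, line_no)] for each 'set vdom ...' naming `vdom`, where
    path is the enclosing config/edit chain, e.g. 'system admin > admin'."""
    stack, refs = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        try:
            words = shlex.split(raw)
        except ValueError:  # unbalanced quote (e.g. in a password); fall back
            words = raw.split()
        if not words: continue
        key, args = words[0], words[1:]
        if key == "config":
            stack.append(" ".join(args))  # one stack entry per config block
        elif key == "edit":
            stack.append(args[0] if args else "?")
        elif key in ("next", "end") and stack:
            stack.pop()
        elif key == "set" and args[:1] == ["vdom"] and vdom in args[1:]:
            builtin = (stack[:1] == ["system interface"] and len(stack) > 1
                       and stack[1].startswith(BUILTIN_PREFIXES))
            if not builtin:  # ssl.<vdom> is deleted together with the VDOM
                refs.append((" > ".join(stack), line_no))
    return refs
```

Every path reported (other than built-in interfaces) must be cleaned up before the VDOM can be deleted; nested entries such as a gui-dashboard item are listed with their full chain so they are not overlooked.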

 

Method 2: Find sub-references using the refcnt command.
In the CLI, go to either the Global VDOM or the VDOM containing a network interface, then run the following command.
 
FortiGate (global) # diagnose sys cmdb refcnt show <path.object.mkey> <tablename entry>
 
This command is very useful for locating references to an object that are not explicitly labeled as belonging to a given VDOM (e.g., static routes or firewall policies that are contained in a VDOM but not easily located otherwise). The following example shows how to use this command to find references to the DMZ interface by name (in this case, a Firewall Policy and Static Route are found to be referencing the DMZ interface):
 
CLI_refcnt.png
 
Once the references/objects in the configuration are identified, proceed to delete the CLI objects identified by the above commands. After that, delete the VDOM by running the following commands:
 
FortiGate # config vdom
FortiGate (vdom) # delete <vdom name>
FortiGate (vdom) # end
 
If the VDOM is still referenced, then the CLI will issue a warning and will not allow the VDOM to be deleted:
 
CLI_CannotDelete.png

 

Notes:
  • If the VDOM is configured on the HA cluster with the vcluster option, make sure that the VDOM that has to be deleted is active on the same cluster member where the management VDOM is.
  • The 'root' VDOM cannot be deleted. This is the default VDOM where interface binding reverts to when disabling a multi-VDOM environment, and it is also the default management VDOM.

 

Related article:

Troubleshooting Tip: Verifying FortiGate configuration objects references and dependencies with the ...