FortiGate
sreddi (Staff)
Article Id 197841

Description

This article describes how to delete a VDOM that is no longer required in the configuration. This task can be accomplished using the FortiGate Web GUI or via the CLI.

Scope

FortiGate.

Solution

Before a VDOM can be deleted, any configuration references associated with the VDOM must be removed. In particular, any additional** network interfaces associated with the VDOM must be moved out of the VDOM, and this may also require an administrator to remove additional sub-dependencies that are associated with those interfaces.
 
For example, consider if an interface (e.g. dmz) is placed into a new VDOM, followed by the creation of a Firewall Policy and a Static route that reference the DMZ interface. To delete the VDOM, both the Firewall Policy and the Static route would have to be deleted, followed by moving the DMZ interface from the to-be-deleted VDOM to a different VDOM (such as root). Once those steps are completed, the VDOM would be eligible to be deleted.
 
** It is important to note that every VDOM has a certain number of built-in references (specifically virtual network interfaces) that are created at the same time as the VDOM itself. In all FortiOS versions, this includes the following:
  • ssl.<vdom> - virtual interface associated with the SSL-VPN function. Used when defining Firewall Policies for SSL-VPN users.

In FortiOS 7.0 and later, two additional virtual interfaces are built into each VDOM:

Note: the built-in interfaces mentioned above cannot be deleted individually by the administrator. Instead, they are created and deleted automatically whenever a VDOM is created or deleted. Crucially, these interfaces will not block an administrator from deleting a VDOM, so they can be ignored during configuration cleanup.

 
With that in mind, the following sections describe how to check for and remove references to an existing VDOM before deleting it:
 
Deleting a VDOM using the GUI:

Navigate to the Global VDOM, then go to System -> VDOM. If there are any non-default references to a VDOM, the 'Delete' button will be greyed out.
The number of references is visible under the 'Reference' column.
 
System_VDOM_DeleteGreyedOut.png

 

Select the number in the 'Reference' column to see the details:
 
System_VDOM_References.png

 

In the example given above, the dmz interface needs to be removed from testvdom before the VDOM can be deleted.

In the Global VDOM, go to Network -> Interfaces, select the dmz interface, then move the interface from its current VDOM (in this case testvdom) to another VDOM such as root.
 
Note: if the interface is referenced elsewhere in the VDOM (such as a static route or firewall policy in testvdom that references the dmz interface), then you will not be able to access the Virtual Domain dropdown to change the assigned VDOM. If this is the case, check the VDOM configuration and remove any references to your network interfaces, then revisit this step. You can use the 'Ref.' column in Network -> Interfaces to identify references to any given network interface.
 
dmz interface with no configuration references in testvdom.

 

dmz interface with existing references in testvdom. Note that the Virtual Domain dropdown is no longer accessible.

 

 

Follow the above procedure and check whether any network interfaces remain associated with VDOM2 (not counting the built-in interfaces mentioned earlier). If there are no further references, the Delete button should no longer be greyed out and the VDOM can be deleted:
 
System_VDOM_References_ClearedDMZ.png

 System_VDOM_DeleteNotGreyedOut.png

 

This VDOM is now successfully removed from the configuration.

 

Deleting a VDOM using the CLI:
 
Occasionally a reference cannot be removed from the GUI and can only be removed from the CLI. There are two methods for finding out what is referencing the VDOM from the CLI:
 
Method #1: Find references based on assigned VDOM.
 
In the CLI, go to the Global VDOM and run the following commands:
 
FortiGate (global) # show | grep <insert VDOM name> -f
 
This shows all objects that directly reference the VDOM by name; the -f option prints the full configuration block that contains each match:

 CLI_GrepVDOM.png

 

 

Method #2: Find sub-references using the refcnt command
 
In the CLI, go to either the Global VDOM or the VDOM containing a network interface, then run the following command.
 
FortiGate (global) # diagnose sys cmdb refcnt show <path.object.mkey> <tablename entry>
 
This command is very useful for locating references to an object that are not explicitly labeled as belonging to a given VDOM (for example, static routes or firewall policies that live inside a VDOM and are otherwise hard to find). The following example shows how to use the command to find references to the dmz interface by name; in this case a Firewall Policy and a Static Route are found to reference the DMZ interface:
 
CLI_refcnt.png
 
Once the referencing objects have been identified with the commands above, delete them from the CLI. After that, delete the VDOM by running the following commands:
 
FortiGate # config vdom
FortiGate (vdom) #
FortiGate (vdom) # delete <vdom name>
 
If the VDOM is still referenced, the CLI issues a warning and does not allow the VDOM to be deleted:
 
CLI_CannotDelete.png
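As an added example (not Fortinet's code and not part of this article), the following Python script applies the two CLI methods above to an offline copy of the configuration, such as the `show` output saved from the Global VDOM or a backup file. It lists every object that names the VDOM directly (Method #1) and, for each interface still assigned to the VDOM, the in-VDOM objects that reference it (the sub-references Method #2 reports), ignoring the built-in ssl.<vdom> interface. The parser, the function names and the sample configuration are this example's own assumptions; the two extra 7.0+ built-in interfaces are not named in the article, so only ssl.<vdom> is filtered out.

```python
"""Offline check of what blocks 'config vdom / delete <name>' in a FortiOS config dump.
Added example, not Fortinet code: it parses the text of 'show' output (or a backup file)
and lists every interface still assigned to the VDOM, with the objects inside that VDOM
that reference each one. The sample configuration at the bottom is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN = re.compile(r'"[^"]*"|\S+')          # CLI words, double-quoted values kept whole
# Built-in per-VDOM interfaces never block deletion; only ssl.<vdom> is named in the article.
BUILTIN_PREFIXES = ("ssl.",)


@dataclass
class Obj:
    table: str                  # e.g. "firewall policy" or "system interface"
    key: str                    # the 'edit' key, e.g. "1" or "dmz"
    scope: Optional[str]        # "global", a VDOM name, or None
    settings: Dict[str, List[str]] = field(default_factory=dict)


def parse_config(text: str) -> List[Obj]:
    """Walk the config/edit/set/next/end nesting and collect each object's settings."""
    objs: List[Obj] = []
    stack: List[list] = []      # frames [kind, name, obj]; kind is "config" or "edit"
    scope: Optional[str] = None
    for raw in text.splitlines():
        tok = [t.strip('"') for t in TOKEN.findall(raw)]
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            name = " ".join(args)
            if name == "global":
                scope = "global"
            stack.append(["config", name, None])
        elif kw == "edit":
            key, obj = " ".join(args), None
            if stack and stack[-1][1] == "vdom":
                scope = key             # entering one VDOM's section of the dump
            else:
                obj = Obj(stack[-1][1] if stack else "", key, scope)
                objs.append(obj)
            stack.append(["edit", key, obj])
        elif kw == "set" and args and stack and stack[-1][2] is not None:
            stack[-1][2].settings.setdefault(args[0], []).extend(args[1:])
        elif kw == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
        elif kw == "end":
            while stack and stack.pop()[0] != "config":    # also closes an open 'edit'
                pass
    return objs


def vdom_references(objs: List[Obj], vdom: str) -> List[Obj]:
    """Objects that name the VDOM directly (what 'show | grep -f <vdom>' surfaces)."""
    return [o for o in objs if vdom in o.settings.get("vdom", [])]


def interface_references(objs: List[Obj], vdom: str, iface: str) -> List[Tuple[str, str, str]]:
    """(table, key, setting) of each in-VDOM object whose setting names the interface,
    i.e. the sub-references 'diagnose sys cmdb refcnt show' reports. Name-based, like grep."""
    return [(o.table, o.key, name) for o in objs if o.scope == vdom
            for name, values in o.settings.items() if iface in values]


def deletion_blockers(objs: List[Obj], vdom: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Non-built-in interfaces still assigned to the VDOM, each with its in-VDOM references."""
    return {o.key: interface_references(objs, vdom, o.key) for o in vdom_references(objs, vdom)
            if o.table == "system interface" and not o.key.startswith(BUILTIN_PREFIXES)}


def can_delete(objs: List[Obj], vdom: str) -> bool:
    return not deletion_blockers(objs, vdom)


# Constructed sample: dmz sits in testvdom; a static route and an SSL-VPN policy use it.
SAMPLE_CONFIG = """\
config global
config system interface
    edit "dmz"
        set vdom "testvdom"
    next
    edit "ssl.testvdom"
        set vdom "testvdom"
    next
end
end
config vdom
edit testvdom
config router static
    edit 1
        set device "dmz"
    next
end
config firewall policy
    edit 1
        set srcintf "ssl.testvdom"
        set dstintf "dmz"
    next
end
end
"""
```

Run `deletion_blockers(parse_config(dump), "testvdom")` on a saved dump to get the same checklist the CLI gives before attempting the delete: an interface with an empty list only needs moving to another VDOM, while one with entries has objects that must be removed first. Matching is by name, so an object that merely shares a name with an interface is listed as well; treat the output as a checklist, not proof.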

 

Note:
  • If the VDOM is configured on an HA cluster with the vcluster option, make sure that the VDOM to be deleted is active on the same cluster member as the management VDOM.
  • The 'root' VDOM cannot be deleted. It is the default VDOM to which interface binding reverts when a multi-VDOM environment is disabled, and it is also the default management VDOM.

 

Related Article:

Troubleshooting Tip : verifying FortiGate configuration objects references and dependencies with the...