Hi,
I just enabled Multi-VDOM on my FGT with HA.
I plan to create an Internet access VDOM topology per the link below and created a new "Internet" VDOM.
I followed this link/blog, but I can't seem to move my physical/logical inside LAN and physical WAN to this new "Internet" VDOM.
https://networkinterview.com/fortigate-vdom-configuration/
I plan to leave MGMT (lan1) in the root VDOM.
Please advise if there's any additional step or CLI command that I need to issue/enable.
Hi,
You might need to delete any references to the interface from the root VDOM before changing it to another one from Global, and you also might need to remove the IP config (not sure).
Created on 05-14-2023 02:49 AM Edited on 05-14-2023 02:50 AM
Hi,
You mean remove dependencies on these interfaces? Are these FW policies? Static routes?
Is there a "quick" or convenient way of checking whether interfaces have any dependencies on them? I'm always caught by this dilemma :(
In the list of interfaces, you can enable a column "references", if you click into the header row. Or, you edit the interface and follow the "References" link on the right side.
Then, you remove all references - policies, DHCP servers, NTP servers, maybe even associated addresses.
Hi,
I managed to move the interfaces to a new VDOM. The "Ref" column was really helpful in pointing out the dependencies. I just removed the FW policy, static route, and IP address related to the interfaces under the root VDOM.
It might be easier if you go to CLI then just type "show | grep -f interface_name or other _object_name_to_be_moved" to find out all dependencies.
But now all interfaces should be in root vdom. So you don't have to move the wan interfaces if you make root vdom as your internet vdom as in the admin guide.
But you should prepare npu_vlink or vdom_link between root and new vdom(s) first, then change existing policies in the root vdom to use the link(s). This is also probably easier if you do with CLI.
Just make sure you have the entire config backup first before you start moving/changing things around. Then you can copy&modify&paste at new vdom(s).
Toshi
PS. When you modify the config to be pasted after copying it from the existing config, don't forget to remove the "snmp-index" and "uuid" lines before pasting into a new vdom. Let the 40F decide the reference number/ID when a new object is created.
Funny, just published a blog post about that - deleting undeletable objects.
Short version:
show | grep -f object_u_r_trying_to_delete
diagnose sys cmdb refcnt show path-to-the-object object-name
diagnose sys cmdb refcnt reset path-to-the-object object-name
Longer version: Fortigate cannot delete VDOM or other object in use problem
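
Added example, not posted by anyone in this thread: an offline check over a saved config backup that lists which config entries still name an interface (similar in spirit to `show | grep -f`), plus the "snmp-index"/"uuid" clean-up mentioned in the PS above. The sample config is constructed, and the function names `find_references` and `strip_generated_ids` are hypothetical.

```python
import re
import shlex

# Constructed sample in FortiOS backup syntax (not taken from the thread).
SAMPLE = '''\
config system interface
    edit "lan2"
        set vdom "root"
        set snmp-index 7
    next
end
config system dhcp server
    edit 1
        set interface "lan2"
    next
end
config firewall policy
    edit 5
        set uuid 11111111-2222-3333-4444-555555555555
        set srcintf "lan2"
        set dstintf "wan"
    next
end
'''

def find_references(config_text, name):
    """Return (path, line) for each 'set' line whose value names the object."""
    stack, hits = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        try:
            words = shlex.split(line)
        except ValueError:  # unbalanced quote, e.g. inside a multi-line value
            words = line.split()
        if not words:
            continue
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words))   # track where we are in the tree
        elif words[0] in ("next", "end") and stack:
            stack.pop()
        elif words[0] == "set" and name in words[2:]:
            hits.append((" > ".join(stack), line))
    return hits

def strip_generated_ids(config_text):
    """Drop 'set snmp-index' and 'set uuid' lines before re-pasting a block."""
    keep = [l for l in config_text.splitlines()
            if not re.match(r"\s*set\s+(snmp-index|uuid)\s", l)]
    return "\n".join(keep)
```

Each hit gives the config path and the line that must be removed or repointed before the interface can change VDOM; the interface's own `edit` entry is not reported because it is the definition, not a reference.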