johnlloyd_13
Contributor

Unable to move Physical and Logical Interfaces to a New VDOM

Hi,

I just enabled Multi-VDOM on my FGT with HA.

I plan to create an Internet access VDOM topology per the link below, and created a new "Internet" VDOM.

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/597696/vdom-overview#Topolog...

I just followed this link/blog, but I can't seem to move my physical/logical inside LAN and physical WAN to this new "Internet" VDOM.

https://networkinterview.com/fortigate-vdom-configuration/

I just plan to leave MGMT (lan1) in the root VDOM.

Please advise if there's any additional step or CLI command that I need to issue/enable.

Attachments: global-vdom.jpg, add-inside-lan-new-vdom.jpg, add-outside-wan-new-vdom.jpg

 

 

Thanks,
John
funkylicious
Contributor III

Hi,
You might need to delete any references to the interface from the root VDOM before changing it to another one from Global, and you also might need to remove the IP config (not sure).

geek
johnlloyd_13

Hi,

You mean remove dependencies on these interfaces? Are these FW policies? Static routes?

Is there a "quick" or convenient way of checking whether interfaces have any dependencies on them? I'm always caught by this dilemma :(

Thanks,
John
ede_pfau
Esteemed Contributor III

In the list of interfaces, you can enable a column "references", if you click into the header row. Or, you edit the interface and follow the "References" link on the right side.

Then, you remove all references - policies, DHCP servers, NTP servers, maybe even associated addresses.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
johnlloyd_13

Hi,

I managed to move the interfaces to a new VDOM. The "Ref" column was really helpful in pointing out the dependencies. I just removed the FW policy, static route, and IP address related to the interfaces under the root VDOM.

Thanks,
John
Toshi_Esumi
Esteemed Contributor III

It might be easier if you go to the CLI and just type "show | grep -f interface_name" (or the name of another object to be moved) to find all dependencies.
But now all interfaces should be in the root vdom. So you don't have to move the wan interfaces if you make the root vdom your internet vdom, as in the admin guide.

But you should prepare an npu_vlink or vdom_link between the root and the new vdom(s) first, then change the existing policies in the root vdom to use the link(s). This is also probably easier if you do it with the CLI.

Just make sure you have a backup of the entire config before you start moving/changing things around. Then you can copy, modify and paste into the new vdom(s).

Toshi

PS. When you modify the config to be pasted after copying it from the existing config, don't forget to remove the "snmp-index" and "uuid" lines before pasting into a new vdom. Let the 40F decide the reference number/ID when a new object is created.
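
An offline version of the two checks discussed in this thread, as an added example that is not part of any poster's message or of Fortinet's tooling: it scans a saved config backup for `set` lines that name an interface (the same purpose as `show | grep -f`) and drops the `uuid` and `snmp-index` lines before a block is pasted into another VDOM. The sample config, the interface names and the function names are constructed for illustration.

```python
import re

# Constructed sample backup fragment (not taken from the thread).
SAMPLE = """\
config system interface
    edit "lan2"
        set vdom "root"
        set snmp-index 7
    next
end
config firewall policy
    edit 1
        set uuid 11111111-2222-3333-4444-555555555555
        set srcintf "lan2"
    next
end
config router static
    edit 1
        set device "lan2"
    next
end
"""

# Lines the unit should regenerate itself when the object is created.
GENERATED = re.compile(r"^\s*set (uuid|snmp-index)\s")

def find_references(config_text, name):
    """Return (section, entry, line) for each 'set' line that names the object."""
    refs, path, entry, needle = [], [], [], f'"{name}"'
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[7:])          # entering a config section
        elif line == "end" and path:
            path.pop()
        elif line.startswith("edit "):
            entry.append(line[5:].strip('"'))
        elif line == "next" and entry:
            entry.pop()
        elif line.startswith("set ") and needle in line:
            refs.append((" / ".join(path), entry[-1] if entry else None, line))
    return refs

def strip_generated_ids(config_text):
    """Drop uuid and snmp-index lines before pasting into another VDOM."""
    return "".join(l for l in config_text.splitlines(True) if not GENERATED.match(l))

if __name__ == "__main__":
    print(*find_references(SAMPLE, "lan2"), sep="\n")
```

The interface's own `edit "lan2"` definition is not reported, only the objects that point at it, which are the ones that have to be removed or re-pointed before the move.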

Yurisk
Valued Contributor

Funny, just published a blog post about that - deleting undeletable objects. 

Short version: 

show | grep -f object_u_r_trying_to_delete

diagnose sys cmdb refcnt show path-to-the-object  object-name

diagnose sys cmdb refcnt reset path-to-the-object  object-name

 

Longer version: Fortigate cannot delete VDOM or other object in use problem 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.