FortiGate – Delete VDOMs

VDOM Removal

VDOMs are effectively separate firewalls running on the same physical FortiGate appliance. The following steps walk you through removing a VDOM from a FortiGate. They will not apply in every case, but they cover the majority of cases, with additional places to look near the end. At the end of the document there is a script that removes a VDOM with only minor changes needed to suit your environment.

  1. Log into the firewall under a global administrator through the GUI.
  2. Back up the configuration for the entire firewall and take a second backup of just the specific VDOM. These are used in case you need to restore the entire configuration or add the VDOM back to the firewall.
  3. Connect to the firewall with the global administrator through SSH.
  4. Type the following commands to enter the VDOM configuration and edit the VDOM you want to delete.
    config vdom
       edit <VDOM Name>
  5. From here we run a few commands to purge the configuration. Each `purge` removes every entry in that table, and you will need to confirm each purge. Policies are purged first because FortiOS will not remove an address, address group or VIP that a policy still references.
       config firewall policy
          purge
          y
          end
       config firewall vip
          purge
          y
          end
       config firewall addrgrp
          purge
          y
          end
       config firewall address
          purge
          y
          end
       config firewall DoS-policy
          purge
          y
          end
       config router static
          purge
          y
          end
       end   ## Exits the vdom
  6. From here, reassign the interfaces or subinterfaces that belong to this VDOM back to the root VDOM, along with any administrator accounts assigned to it. You may need additional interface or account edits depending on how many are set to this VDOM.
    config global
       config system admin
          edit <Account Name>
             set vdom root
          end
       config system interface
          edit <Interface Name>
             set vdom root
             next
          edit <Interface Name>
             set vdom root
             next
       end
    end ## Exits global context
  7. Once this has been completed, you can delete the VDOM with the following commands.
    config vdom
       delete <VDOM Name>
    end

Additional Checks

Because FortiGate configurations vary, these steps will not fully clear every VDOM, but they should give you a good start on cleaning up the majority of the configuration. Check the reference column for the VDOM; it gives a good idea of what is still left on the VDOM. Beyond that, I have commonly seen the following items remaining, which can be a little tricky to remove:

  1. Check for IPsec tunnels.
  2. Check for SSL VPN configuration (hint: remove the interface).
  3. Check for inter-VDOM links.
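The reference column is the quick way to see what still points at the VDOM, but the full backup taken in step 2 can be searched for the same leftovers before you run the delete. The Python script below is an added example, not part of this page or of Fortinet's tooling: it walks the config/edit/next/end nesting of a FortiOS backup and reports global interfaces (inter-VDOM link ends and SSL VPN interfaces included) and admin accounts still assigned to the VDOM, plus any table inside the VDOM's own block that still holds entries. The backup excerpt and the names in it (`guest`, `vlink0`, `guestadmin`, `web-server`) are constructed.

```python
def find_vdom_leftovers(config_text, vdom):
    stack = []  # frames: ("config", "system interface") or ("edit", "port2")
    found = {"interfaces": [], "admins": [], "tables": set()}
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        kw, args = parts[0], [p.strip('"') for p in parts[1:]]
        if kw == "config":
            stack.append(("config", " ".join(args)))
        elif kw == "edit":
            stack.append(("edit", " ".join(args)))
            # an entry right under a table of the target VDOM: table not empty
            if len(stack) == 4 and stack[:2] == [("config", "vdom"), ("edit", vdom)]:
                found["tables"].add(stack[2][1])
        elif kw == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif kw == "end":  # leaves the table, closing an open 'edit' as well
            while stack and stack.pop()[0] != "config":
                pass
        elif (kw == "set" and args[:1] == ["vdom"] and vdom in args[1:]
              and len(stack) >= 2 and stack[-1][0] == "edit"):
            table, name = stack[-2][1], stack[-1][1]
            if table == "system interface":
                found["interfaces"].append(name)
            elif table == "system admin":
                found["admins"].append(name)
    return {**found, "tables": sorted(found["tables"])}

# Constructed excerpt of a multi-VDOM backup (real files are far longer).
SAMPLE_BACKUP = """config global
config system admin
edit "guestadmin"
set vdom "guest"
next
end
config system interface
edit "vlink0"
set vdom "guest"
next
end
end
config vdom
edit guest
config firewall address
edit "web-server"
next
end
end
"""
```

Run `find_vdom_leftovers(open("backup.conf").read(), "<VDOM Name>")` against your own backup; an empty result for all three keys means nothing in the file still references the VDOM.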

Script

This script is not perfect and will not remove every VDOM. It covers everything described above. Be careful: it automatically confirms each purge, which may not be desirable in every case, but it is quick. You will only need to fill in the VDOM name, the interface names and any account names.

VDOM Removal Script