VDOM Removal
VDOMs are essentially separate virtual firewalls running on the same physical FortiGate appliance. The following steps walk you through removing a VDOM from a FortiGate. They will not apply in every instance but cover the majority of cases, with additional places to look near the end. At the end of the document there is a script that removes a VDOM with only minor changes needed to suit your environment.
- Log into the firewall under a global administrator through the GUI.
- Back up the configuration for the entire firewall and, separately, for just the specific VDOM. These backups let you restore either the entire configuration or add the VDOM back to the firewall later.
- Connect to the firewall with the global administrator through SSH.
- Type in the following commands to enter the VDOM configuration context and edit the VDOM that you want to delete.
config vdom
edit <VDOM Name>
- From here we will run a few commands to purge the configuration. Each purge empties the corresponding table in the VDOM. You will need to confirm each purge (the `y` lines below answer the confirmation prompt).
config firewall policy
purge
y
end
config firewall vip
purge
y
end
config firewall addrgrp
purge
y
end
config firewall address
purge
y
end
config firewall DoS-policy
purge
y
end
config router static
purge
y
end
end  ## Exits the VDOM
- From here you will want to reassign the interfaces or subinterfaces back to the root VDOM, along with any administrator accounts that are assigned to the VDOM. You may need additional interface or account edits depending on how many are set to this VDOM.
config global
config system admin
edit <Account Name>
set vdom root
end
config system interface
edit <Interface Name>
set vdom root
next
edit <Interface Name>
set vdom root
end
end  ## Exits the global context
- After this has been completed, you can delete the VDOM with the following commands.
config vdom
delete <VDOM Name>
end
Additional Checks
Due to the variability of FortiGate configurations, these steps will not remove every VDOM cleanly, but they should give you a good start on cleaning up the majority of the configuration. Check the reference column for the VDOM, which shows how many objects still reference it. If that does not account for everything, I have commonly seen the following items remaining, which can be a little tricky to remove:
- Check for IPsec tunnels.
- Check for SSL VPN configuration (Hint: remove the interface from the SSL VPN settings).
- Check for inter-VDOM links.
Script
This script is not perfect and will not remove every VDOM. It includes everything covered above. Please be careful, as it automatically confirms each purge. This may not be desirable in all instances, but it is quick. You will just need to fill in the VDOM name, the interface names and any account names.
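The following Python helper is an added example and is not the author's script nor the page's own code. It reads a configuration backup like the one taken in the backup step, reports what still references the VDOM (the interfaces and accounts to reassign, the ends of inter-VDOM links, and the IPsec and SSL VPN objects listed under Additional Checks), and then generates the CLI sequence from the steps above with every purge auto-confirmed. The backup fragment is constructed, the function names are mine, the table names it recognises are the ones this page uses, and it refuses to generate a removal for root or the global context.

```python
import re

# Constructed multi-VDOM FortiGate backup fragment (not a real device export);
# the VDOM to remove is "guest" and "glink0" is its end of an inter-VDOM link.
SAMPLE_BACKUP = """\
config global
config system interface
    edit "port2"
        set vdom "guest"
    next
    edit "glink0"
        set vdom "guest"
        set type vdom-link
    next
end
config system admin
    edit "guestadmin"
        set vdom "guest"
    next
end
end
config vdom
edit guest
config vpn ipsec phase1-interface
    edit "site-b"
    next
end
config vpn ssl settings
    set source-interface "port2"
end
end
"""

# Tables the procedure above purges (page order) and tables the page names as
# commonly left behind that the purges do not touch.
PURGE_TABLES = ["firewall policy", "firewall vip", "firewall addrgrp",
                "firewall address", "firewall DoS-policy", "router static"]
TRICKY_TABLES = ("vpn ipsec phase1-interface", "vpn ipsec phase1", "vpn ssl settings")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_entries(text):
    """Walk config/edit/set/next/end syntax into {path: {key: values}}."""
    entries, stack = {}, []
    for raw in text.splitlines():
        toks = [t.strip('"') for t in TOKEN_RE.findall(raw)]
        if not toks:
            continue
        cmd, rest = toks[0], " ".join(toks[1:])
        if cmd == "config":
            stack.append(("config", rest))
        elif cmd == "edit":
            stack.append(("edit", rest))
            entries.setdefault(tuple(stack), {})
        elif cmd == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":  # closes the table and any edit still open in it
            while stack and stack[-1][0] == "edit":
                stack.pop()
            if stack:
                stack.pop()
        elif cmd == "set":
            entries.setdefault(tuple(stack), {})[toks[1]] = toks[2:]
    return entries


def audit_vdom(backup, vdom):
    """Report interfaces/admins to move to root, link ends, and tricky leftovers."""
    found = {"interfaces": [], "admins": [], "vdom_links": [], "leftovers": []}
    for path, attrs in parse_entries(backup).items():
        if path and path[0] == ("config", "global"):
            path = path[1:]
        if path[:2] == (("config", "vdom"), ("edit", vdom)) and len(path) > 2:
            if path[2][1] in TRICKY_TABLES:
                found["leftovers"].append(" ".join(p[1] for p in path[2:]))
        elif len(path) == 2 and vdom in attrs.get("vdom", []):
            table, name = path[0][1], path[1][1]
            if table == "system interface":
                found["interfaces"].append(name)
                if attrs.get("type") == ["vdom-link"]:
                    found["vdom_links"].append(name)
            elif table == "system admin":
                found["admins"].append(name)
    return found


def build_removal_script(vdom, found):
    """CLI for the steps above, purges auto-confirmed; link ends are left alone."""
    if not vdom or vdom in ("root", "global"):
        raise ValueError("refusing to remove the root VDOM or the global context")
    lines = ["config vdom", f"edit {vdom}"]
    for table in PURGE_TABLES:
        lines += [f"config {table}", "purge", "y", "end"]
    lines += ["end", "config global"]
    for table, key in (("system admin", "admins"), ("system interface", "interfaces")):
        names = [n for n in found[key] if n not in found["vdom_links"]]
        if names:
            lines.append(f"config {table}")
            for name in names:
                lines += [f'edit "{name}"', "set vdom root", "next"]
            lines.append("end")
    lines += ["end", "config vdom", f"delete {vdom}", "end"]
    return "\n".join(lines) + "\n"
```

Run `audit_vdom(SAMPLE_BACKUP, "guest")` first and clear the reported leftovers (the IPsec tunnel, the SSL VPN interface, the inter-VDOM link) by hand, then paste the output of `build_removal_script` into the SSH session; the generator deliberately skips vdom-link interface ends because the link itself has to go before the VDOM can be deleted.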