FortiGate – Delete VDOMs

VDOM Removal

VDOMs are basically separate firewalls running on the same physical FortiGate appliance. The following steps will walk you through removing VDOMs from a Fortigate. This will not apply in all instances but will cover the majority of cases with additional places to look near the end. At the end of the document, there will be a script that will remove a VDOM with only minor changes needed to suit your environment.

1. Log into the firewall under a global administrator through the GUI.
2. Back up the configuration for the entire firewall and one for just the specific VDOM. This is used in case you need to restore either the entire configuration or add the VDOM back to the firewall.
3. Connect to the firewall with the global administrator through SSH.
4. Type in the following commands to configure VDOMs and edit the one that you want to delete.

   config vdom
      edit <VDOM Name>

5. From here we will run a few commands to purge the configuration. This will remove the configuration from each item. You will need to confirm each purge.

      configure firewall poliy
         purge
         y
         end
      configure firewall vip
         purge
         y
         end
      configure firewall addrgrp
         purge
         y
         end
      configure firewall address
         purge
         y
         end
      configure firewall DoS-poliy
         purge
         y
         end
      configure router static
         purge
         y
         end
      end   ## Exits the vdom

6. From here you will want to reassign the interfaces or subinterfaces back to the root VDOM and any accounts that are assigned to the VDOM. You may need to additional interface edits or accounts depending on how many are set to this VDOM.

   config global
      config system administrator
         edit <Account Name>
            set vdom root
         end
      config system interface
         edit <Interface Name>
            set vdom root
            next
         edit <Interface Name>
            set vdom root
      end
   end ## Exits global context

7. After this has been completed, you can now delete the VDOM with the following commands.

   config vdom
   delete <VDOM Name>

Additional Checks

Due to the variability of FortiGate firewalls, this will not remove every VDOM but should give you a good start on cleaning up the majority of the configuration. Check the reference column for the VDOM. This should give a good idea of what is still left on the VDOM. If not, I have commonly seen the following items remaining which can be a little tricky to remove:

1. Check for IPsec tunnels.
2. Check for SSL VPN configuration (Hint: remove interface).
3. Check for inter VDOM links.

Script

This script is not perfect and will not remove every VDOM. It includes everything covered above. Please be careful as it automatically confirms each purge. This may not be desirable in all instances but it is quick. You will just need to fill in the VDOM name, interface names and any account names.

VDOM Removal Script