I file this one under the "feature, not a bug" category. You are trying to delete some object, say a VDOM, which is NOT actually used anywhere, but the Fortigate throws an error: Command fail. Return code -23. Fortigate keeps a reference count of all objects at all times, and if for any given object the reference count is not 0, trying to delete it causes an error. This is a safety feature to prevent admins from deleting an object that is in use. In older Check Point versions, before R80, you could delete an object used in rules, and the firewall would replace it with Any, what a disaster. But back to Fortigates: this error may, unfortunately, happen even after you have deleted all references to the object, for reasons not under our control. The stale count may be stuck in the cache, or you deleted the references in the wrong order (wrong from Fortigate's point of view). The solution is simple (CLI only). Let's take deleting a VDOM as an example.
Try to delete the VDOM called MyVDOM:
config vdom
del MyVDOM
Domain MyVDOM: used by interface, can not delete
Command fail. Return code -23
First, make sure the object is indeed not used:
show | grep -f MyVDOM
config vdom
edit MyVDOM <---
next
end
config global
config sys interface
    edit "ssl.MyVDOM"
        set vdom "MyVDOM"
        set status down
        set type tunnel
    next
end
We can see that the only thing referencing this VDOM is the ssl.MyVDOM interface, and that is OK: this interface is auto-created by Fortigate and will be auto-deleted together with the VDOM.
See what Fortigate thinks about references to the object in question:
diagnose sys cmdb refcnt show system.interface.name ssl.MyVDOM
The total reference number is 0
Anyway, here is the secret command to refresh/reset the reference count. I run it on both the interface and the VDOM, just in case:
diagnose sys cmdb refcnt reset system.interface.name ssl.MyVDOM
The total reference number is reset to 0 from 1.
dia sys cmdb refcnt reset system.vdom.name MyVDOM
Entry used by table system.interface.name 'ssl.MyVDOM'
entry used by child table gui-dashboard:id '222'
... CUT...
The total reference number is reset to 14 from 20
Note that the reset on the interface reports a stored count of 1, although show reported 0 references for the same interface: that is the stale count that was blocking the delete. After the reset, I could delete the VDOM:
config vdom
delete MyVDOM
end
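To make the triage repeatable, here is an added example (my own helper, not code from the page) that parses the text of "diagnose sys cmdb refcnt show/reset", separates the auto-created ssl.<vdom> interface (which the page says is deleted with the VDOM) from references that really do need manual cleanup, and emits the CLI sequence used above. The sample output is constructed to match the line shapes on the page; the firewall.policy.policyid '7' line is a hypothetical extra reference added so the triage has something to flag. Paste the real output of your own device into parse_refcnt() instead.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, shaped like the "diagnose sys cmdb refcnt reset" output on the
# page. The firewall.policy.policyid line is hypothetical, added to exercise the triage.
SAMPLE_RESET_OUTPUT = """\
Entry used by table system.interface.name 'ssl.MyVDOM'
entry used by child table gui-dashboard:id '222'
Entry used by table firewall.policy.policyid '7'
... CUT...
The total reference number is reset to 14 from 20
"""

# "Entry used by table <table> '<key>'" / "entry used by child table <table> '<key>'"
_REF_RE = re.compile(r"^[Ee]ntry used by (child )?table (\S+) '([^']*)'")
# "The total reference number is <n>" (show) or "... is reset to <after> from <before>" (reset)
_TOTAL_RE = re.compile(
    r"The total reference number is (?:reset to (\d+) from (\d+)|(\d+))"
)


@dataclass
class Ref:
    table: str
    key: str
    child: bool          # True for "child table" lines


@dataclass
class RefcntReport:
    refs: List[Ref] = field(default_factory=list)
    count_after: Optional[int] = None    # the count the device reports now
    count_before: Optional[int] = None   # only present in "reset" output


def parse_refcnt(output: str) -> RefcntReport:
    """Parse the text of 'diagnose sys cmdb refcnt show|reset <table> <key>'."""
    report = RefcntReport()
    for raw in output.splitlines():
        line = raw.strip()
        m = _REF_RE.match(line)
        if m:
            report.refs.append(Ref(table=m.group(2), key=m.group(3), child=bool(m.group(1))))
            continue
        m = _TOTAL_RE.search(line)
        if m:
            if m.group(3) is not None:            # plain "show" output
                report.count_after = int(m.group(3))
            else:                                 # "reset to X from Y"
                report.count_after = int(m.group(1))
                report.count_before = int(m.group(2))
    return report


def blocking_refs(report: RefcntReport, vdom: str) -> List[Ref]:
    """References the admin must remove by hand before 'delete <vdom>' can succeed.

    The ssl.<vdom> tunnel interface is excluded because FortiGate creates and deletes
    it together with the VDOM (as the page notes). Everything else, including
    child-table references, is returned for review rather than silently ignored.
    """
    auto_iface = f"ssl.{vdom}"
    return [
        r for r in report.refs
        if not (r.table == "system.interface.name" and r.key == auto_iface)
    ]


def cleanup_commands(vdom: str) -> List[str]:
    """The CLI sequence from the page: reset the cached counts, then delete the VDOM."""
    return [
        f"diagnose sys cmdb refcnt reset system.interface.name ssl.{vdom}",
        f"diagnose sys cmdb refcnt reset system.vdom.name {vdom}",
        "config vdom",
        f"delete {vdom}",
        "end",
    ]


if __name__ == "__main__":
    rep = parse_refcnt(SAMPLE_RESET_OUTPUT)
    print(f"reference count: {rep.count_before} -> {rep.count_after}")
    for r in blocking_refs(rep, "MyVDOM"):
        suffix = " (child table)" if r.child else ""
        print(f"still referenced by {r.table} '{r.key}'{suffix}")
    print("\n".join(cleanup_commands("MyVDOM")))
```

Run it against the real output first: if blocking_refs() comes back empty, the only reference left is the auto-created interface and the reset-then-delete sequence is safe to type; if it lists a policy, route or other table, remove that reference in the CLI first, otherwise the delete will fail again with the same return code.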
Resources
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ so as not to miss what I publish on LinkedIn, GitHub, the blog, and more.