VDOM exceptions
VDOM exceptions are settings, selected for specific VDOMs or for all VDOMs, that are not synchronized to other HA members. This can be required when cluster members are not in the same physical location, subnets, or availability zones in a cloud environment.
Some examples of possible use cases include:
- You use different source IP addresses for FortiAnalyzer logging from each cluster member. See Override FortiAnalyzer and syslog server settings for more information.
- You need to keep management interfaces, which have specific VIPs or local subnets that cannot transfer, from being synchronized.
- In a unicast HA cluster in the cloud, you use NAT with different IP pools in different subnets, so IP pools must be exempt.
When a VDOM exception is configured, the object is not synchronized between the primary and secondary devices when the HA cluster forms. Different options can be configured for every object.
When VDOM mode is disabled, the configured object is excluded for the entire device. To define a scope, VDOM mode must be enabled and the object must be configurable in a VDOM.
VDOM exceptions are synchronized to other HA cluster members.
To configure VDOM exceptions:
    config global
        config system vdom-exception
            edit 1
                set object <object name>
                set scope {all* | inclusive | exclusive}
                set vdom <vdom name>
            next
        end
    end
object | The name of the configuration object that can be configured independently for some or all of the VDOMs. See Objects for a list of available settings and resources.
scope | Determine if the specified object is configured independently for all VDOMs or a subset of VDOMs.
vdom | The names of the VDOMs that are included or excluded.
Objects
The following settings and resources can be exempt from synchronization in an HA cluster:
- log.fortianalyzer.setting
- log.fortianalyzer.override-setting
- log.fortianalyzer2.setting
- log.fortianalyzer2.override-setting
- log.fortianalyzer3.setting
- log.fortianalyzer3.override-setting
- log.fortianalyzer-cloud.setting
- log.fortianalyzer-cloud.override-setting
- log.syslogd.setting
- log.syslogd.override-setting
- log.syslogd2.setting
- log.syslogd2.override-setting
- log.syslogd3.setting
- log.syslogd3.override-setting
- log.syslogd4.setting
- log.syslogd4.override-setting
- system.central-management
- system.csf
- user.radius
- system.interface*
- vpn.ipsec.phase1-interface*
- vpn.ipsec.phase2-interface*
- router.bgp*
- router.route-map*
- router.prefix-list*
- firewall.ippool*
- firewall.ippool6*
- router.static*
- router.static6*
- firewall.vip*
- firewall.vip6*
- system.sdwan*
- system.saml*
- router.policy*
- router.policy6*
* This setting can only be configured on cloud VMs.
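Because exempted objects are no longer kept identical across HA members, the exception list is worth reviewing in configuration backups. The following Python script is an added example, not Fortinet code: it parses the config system vdom-exception block and flags cloud-only objects, an inclusive or exclusive scope that names no VDOMs, and log settings that must now be checked on each member. The sample backup text, the function names, and the treatment of an unset scope as all are assumptions of this example.

```python
import shlex

# Objects the page marks with "*" (configurable only on cloud VMs).
CLOUD_ONLY = set("""system.interface vpn.ipsec.phase1-interface
vpn.ipsec.phase2-interface router.bgp router.route-map router.prefix-list
firewall.ippool firewall.ippool6 router.static router.static6 firewall.vip
firewall.vip6 system.sdwan system.saml router.policy router.policy6""".split())

# Constructed sample backup excerpt, not taken from a real device.
SAMPLE = """config system vdom-exception
    edit 1
        set object log.fortianalyzer.setting
        set scope inclusive
        set vdom "root"
    next
    edit 2
        set object firewall.ippool
        set scope exclusive
    next
end
"""

def parse_exceptions(text):
    """Map edit ID -> object, scope, vdom list; an unset scope is assumed to be "all"."""
    entries, inside, cur = {}, False, None
    for line in text.splitlines():
        w = shlex.split(line)  # also strips the quotes around VDOM names
        if w == ["config", "system", "vdom-exception"]:
            inside = True
        elif inside and w[:1] == ["edit"]:
            cur = entries.setdefault(w[1], {"scope": "all", "vdom": []})
        elif inside and w[:1] == ["set"] and cur is not None and len(w) > 2:
            cur[w[1]] = w[2:] if w[1] == "vdom" else w[2]
        elif inside and w[:1] == ["end"]:
            inside, cur = False, None  # stop before unrelated config sections
    return entries

def audit(entries):
    """Return (edit_id, finding) pairs for a reviewer to follow up."""
    out = []
    for eid, e in entries.items():
        obj = e.get("object", "")
        if obj in CLOUD_ONLY:
            out.append((eid, f"{obj} is marked as cloud-VM only"))
        if e["scope"] != "all" and not e["vdom"]:
            out.append((eid, f"scope {e['scope']} names no VDOMs"))
        if obj.startswith("log."):
            out.append((eid, f"{obj} is per-member: verify logging on each unit"))
    return out
```

Calling audit(parse_exceptions(SAMPLE)) returns one finding for entry 1 (log settings) and two for entry 2 (cloud-only object, scope without VDOMs).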