
Administration Guide

VDOM exceptions

VDOM exceptions are settings, selected for specific VDOMs or for all VDOMs, that are not synchronized to other HA members. This can be required when cluster members are not in the same physical location, subnets, or availability zones in a cloud environment.

Some examples of possible use cases include:

  • You use different source IP addresses for FortiAnalyzer logging from each cluster member. See Override FortiAnalyzer and syslog server settings for more information.

  • You need to prevent management interfaces that have specific VIPs or local subnets that cannot be transferred between members from being synchronized.

  • In a unicast HA cluster in the cloud, you use NAT with different IP pools in different subnets, so IP pools must be exempt.

  • In a unicast HA cluster in the cloud, when HA members have different interface IPs, the local gateway (local-gw) used to define the local end of the VPN tunnel may need to be specified individually for IPsec tunnel failover to occur.

When a VDOM exception is configured, the object is not synchronized between the primary and secondary devices when the HA cluster forms. A different scope can be configured for every object.

When VDOM mode is disabled, the configured object is excluded for the entire device. To define a scope, VDOM mode must be enabled and the object must be configurable in a VDOM.

VDOM exceptions are synchronized to other HA cluster members.

To configure VDOM exceptions:
config global
    config system vdom-exception
        edit 1
            set object <object name>
            set scope {all* | inclusive | exclusive}
            set vdom <vdom name>
        next
    end
end

object

The name of the configuration object that can be configured independently for some or all of the VDOMs.

See Objects for a list of available settings and resources.

scope

Determines whether the specified object is configured independently for all VDOMs or for a subset of VDOMs.

  • all: Configure the object independently on all VDOMs.

  • inclusive: Configure the object independently only on the specified VDOMs.

  • exclusive: Configure the object independently on all of the VDOMs that are not specified.

vdom

The names of the VDOMs that are included or excluded.

Objects

The following settings and resources can be exempted from synchronization in an HA cluster:

log.fortianalyzer.setting

log.fortianalyzer.override-setting

log.fortianalyzer2.setting

log.fortianalyzer2.override-setting

log.fortianalyzer3.setting

log.fortianalyzer3.override-setting

log.fortianalyzer-cloud.setting

log.fortianalyzer-cloud.override-setting

log.syslogd.setting

log.syslogd.override-setting

log.syslogd2.setting

log.syslogd2.override-setting

log.syslogd3.setting

log.syslogd3.override-setting

log.syslogd4.setting

log.syslogd4.override-setting

system.central-management

system.csf

user.radius

system.interface*

vpn.ipsec.phase1-interface*

vpn.ipsec.phase2-interface*

router.bgp*

router.route-map*

router.prefix-list*

firewall.ippool*

firewall.ippool6*

router.static*

router.static6*

firewall.vip*

firewall.vip6*

system.sdwan*

system.saml*

router.policy*

router.policy6*

* This setting can only be configured on cloud VMs.
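The following audit script is an added example, not Fortinet code. It parses the `config system vdom-exception` syntax shown above, applies the all/inclusive/exclusive scope rules from the scope description, and checks each entry against the object list above (including the cloud-VM-only restriction). It assumes `set vdom` accepts one or more quoted VDOM names and that an omitted `set scope` means the default `all`; the sample configuration text and VDOM names are constructed for illustration.

```python
"""Audit FortiOS 'config system vdom-exception' entries (added example,
not Fortinet's own code). Reports which VDOMs will NOT have an object
synchronized across the HA cluster and flags common mistakes.
The sample configuration below is constructed for illustration."""
import re
import shlex

# Objects the page lists as exemptable from HA synchronization.
# Starred entries on the page can only be configured on cloud VMs.
CLOUD_ONLY = {
    "system.interface", "vpn.ipsec.phase1-interface",
    "vpn.ipsec.phase2-interface", "router.bgp", "router.route-map",
    "router.prefix-list", "firewall.ippool", "firewall.ippool6",
    "router.static", "router.static6", "firewall.vip", "firewall.vip6",
    "system.sdwan", "system.saml", "router.policy", "router.policy6",
}
ANY_PLATFORM = {"system.central-management", "system.csf", "user.radius"} | {
    f"log.{srv}.{kind}"
    for srv in ("fortianalyzer", "fortianalyzer2", "fortianalyzer3",
                "fortianalyzer-cloud", "syslogd", "syslogd2", "syslogd3",
                "syslogd4")
    for kind in ("setting", "override-setting")
}
EXEMPTABLE = CLOUD_ONLY | ANY_PLATFORM

# Constructed sample: three exceptions as a cloud unicast HA cluster might use.
SAMPLE_CONFIG = """\
config global
    config system vdom-exception
        edit 1
            set object firewall.ippool
            set scope inclusive
            set vdom "vd-cloud" "vd-dmz"
        next
        edit 2
            set object log.fortianalyzer.setting
        next
        edit 3
            set object system.interface
            set scope exclusive
            set vdom "root"
        next
    end
end
"""


def parse_vdom_exceptions(config_text):
    """Return [{'id', 'object', 'scope', 'vdoms'}, ...] from the table.
    Scope defaults to 'all' (the asterisk in the page's syntax)."""
    entries, current, inside = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system vdom-exception":
            inside = True
            continue
        if not inside:
            continue
        if line == "end":          # closes the vdom-exception table
            break
        m = re.fullmatch(r"edit\s+(\d+)", line)
        if m:
            current = {"id": int(m.group(1)), "object": None,
                       "scope": "all", "vdoms": []}
        elif line == "next" and current is not None:
            entries.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            key, *values = shlex.split(line[4:])   # handles quoted names
            if key == "object":
                current["object"] = values[0]
            elif key == "scope":
                current["scope"] = values[0]
            elif key == "vdom":
                current["vdoms"] = values
    return entries


def unsynced_vdoms(entry, all_vdoms, vdom_mode=True):
    """VDOMs in which entry['object'] stays local (not HA-synchronized).
    With VDOM mode disabled the object is excluded for the whole device."""
    all_vdoms, listed = set(all_vdoms), set(entry["vdoms"])
    if not vdom_mode or entry["scope"] == "all":
        return all_vdoms
    if entry["scope"] == "inclusive":
        return all_vdoms & listed
    if entry["scope"] == "exclusive":
        return all_vdoms - listed
    raise ValueError(f"unknown scope {entry['scope']!r}")


def check_entry(entry, all_vdoms, cloud_vm):
    """Sanity checks worth running before the cluster forms."""
    problems, obj, eid = [], entry["object"], entry["id"]
    if obj not in EXEMPTABLE:
        problems.append(f"entry {eid}: {obj!r} is not an exemptable object")
    elif obj in CLOUD_ONLY and not cloud_vm:
        problems.append(f"entry {eid}: {obj!r} can only be configured on cloud VMs")
    if entry["scope"] != "all" and not entry["vdoms"]:
        problems.append(f"entry {eid}: scope {entry['scope']} but no VDOM listed")
    for name in entry["vdoms"]:
        if name not in set(all_vdoms):
            problems.append(f"entry {eid}: VDOM {name!r} does not exist")
    return problems


def audit(config_text, all_vdoms, cloud_vm=True):
    """Map entry id -> sorted list of unsynced VDOMs, plus all problems found."""
    entries = parse_vdom_exceptions(config_text)
    report = {e["id"]: sorted(unsynced_vdoms(e, all_vdoms)) for e in entries}
    problems = [p for e in entries for p in check_entry(e, all_vdoms, cloud_vm)]
    return report, problems


if __name__ == "__main__":
    vdoms = ["root", "vd-cloud", "vd-dmz", "vd-lab"]      # constructed VDOM list
    report, problems = audit(SAMPLE_CONFIG, vdoms, cloud_vm=False)
    for eid, local in report.items():
        print(f"entry {eid}: not synchronized in {local}")
    for p in problems:
        print("warning:", p)
```

Running the script with `cloud_vm=False` shows the two starred objects (`firewall.ippool`, `system.interface`) being flagged as cloud-VM-only, while the inclusive entry resolves to exactly the listed VDOMs and the exclusive entry to every VDOM except `root`.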
