Technical Tip: Configuration status and policy package status show as modified after importing the configuration from another firewall
| Description | This article describes how, after importing the configuration of a previously added FortiGate into FortiManager, the configuration status and policy package status may appear as modified, even though no manual changes were performed. |
| Scope | All supported versions of FortiManager. |
| Solution | Create a new unique object name or standardize object values:
Summary:
After importing the configuration of an additional FortiGate into FortiManager, the configuration status and/or policy package status may show as modified, even when no manual changes were performed. This behavior is typically caused by duplicate object names with different values between the FortiGate device database and the ADOM database.
Root cause:
FortiManager matches objects primarily by object name. If two FortiGates contain objects with the same name but different values, FortiManager detects a conflict when importing into the ADOM database. Because ADOM objects are shared across devices, any modification to an object affects all devices that reference it.
Example scenario:
Firewall 1 (Previously Managed): Firewall Custom Service Object:
This firewall was added and managed by FortiManager. The config status became synchronized.
Firewall 2 (Newly Imported): Firewall Custom Service Object:
When importing Firewall 2 into the same ADOM, FortiManager detects that the object VNC already exists. The values differ. A conflict resolution window appears.
Conflict resolution behavior:
If the FortiManager value is selected, the existing ADOM object definition is kept. The policy package status becomes modified. A policy package installation is required on Firewall 2. Result: Firewall 2 is synchronized to the existing ADOM object definition.
If 'FortiGate Value' is selected, the ADOM object is updated to TCP 5900–5901. The shared object value changes in the ADOM database.
Firewall 1 now has a mismatch. The configuration status of Firewall 1 becomes modified. The configuration must be reinstalled to Firewall 1. Result: Previously managed devices must be updated to reflect the new ADOM object value.
Solution:
Option 1: Create a new unique object name.
Create distinct service objects for different port ranges. For example:
This prevents name-based conflicts.
Option 2: Standardize object definitions.
Before importing devices, ensure object definitions are identical across all FortiGates. Create and manage objects centrally from FortiManager and apply consistent naming conventions.
Best practice recommendations:
Avoid reusing the same object name with different values.
Standardize service objects before onboarding additional devices.
Review object conflicts carefully before selecting a resolution option.
Understand that ADOM-level objects are shared and impact all assigned devices.
Conclusion:
When importing a FortiGate configuration into FortiManager, object conflicts occur if identical object names contain different values. Selecting either the FortiManager or FortiGate value will require installation to synchronize devices. This behavior is expected and applies to all FortiManager versions. Proper object standardization and naming conventions prevent this issue. |
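The pre-import check recommended under Option 2, as an added example (not Fortinet's code and not part of the original article): a Python script that parses the `config firewall service custom` section of two FortiGate configuration backups and lists objects that share a name but differ in value. The sample configurations are constructed; the Firewall 1 value for VNC (TCP 5900) and the SYSLOG-TLS object are assumptions, since the article only gives TCP 5900-5901 for Firewall 2.

```python
import shlex
SECTION = "config firewall service custom"

def parse_custom_services(config_text):
    """Return {object name: {setting: value}} from the custom service section."""
    objects, current, depth = {}, None, 0
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = 1 if line == SECTION else 0   # ignore every other section
        elif line.startswith("config "):
            depth += 1                            # nested sub-table, skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = shlex.split(line)[1]        # object name, quotes removed
            objects[current] = {}
        elif depth == 1 and current and line.startswith("set "):
            _, key, *values = shlex.split(line)
            objects[current][key] = " ".join(values)
    return objects

def find_conflicts(existing_cfg, incoming_cfg):
    """Same-named objects whose settings differ between two configurations."""
    old, new = parse_custom_services(existing_cfg), parse_custom_services(incoming_cfg)
    conflicts = {}
    for name in sorted(old.keys() & new.keys()):
        keys = sorted(old[name].keys() | new[name].keys())
        diff = {k: (old[name].get(k), new[name].get(k))
                for k in keys if old[name].get(k) != new[name].get(k)}
        if diff:
            conflicts[name] = diff
    return conflicts

# Constructed samples: the article gives TCP 5900-5901 for Firewall 2; the
# Firewall 1 value (5900) and the SYSLOG-TLS object are assumptions.
TEMPLATE = '''config firewall service custom
    edit "VNC"
        set tcp-portrange {vnc}
    next
    edit "SYSLOG-TLS"
        set tcp-portrange 6514
    next
end'''
FIREWALL_1 = TEMPLATE.format(vnc="5900")
FIREWALL_2 = TEMPLATE.format(vnc="5900-5901")
if __name__ == "__main__":
    for name, diff in find_conflicts(FIREWALL_1, FIREWALL_2).items():
        print(name, diff)
```

The comparison is on the literal `set` values, so the same ports written in a different order are reported as a difference and should be reviewed by hand.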