Technical Tip: Excluded settings from auto-sync with FortiManager through remote FortiGate directly (via CLI) script

When managing FortiGate devices through FortiManager, certain configuration changes made directly on the FortiGate might not show up in FortiManager.

If a change is made through a FortiManager remote FortiGate directly (via CLI script), the change is applied locally with a synchronized device config status, and a new revision with an automatically updated installation status.

However, in some cases, the script behaves differently:

• The change is applied on the FortiGate.
• The device status shows as Synchronized.
• No new revision is created.
• The FortiManager device database is not updated.

Why this happens:

According to FortiOS design, some FortiGate configuration objects are flagged to be excluded from automatic syncing with FortiManager.

When FortiGate and FortiManager synchronize configurations, FortiOS calculates a checksum to determine if the configuration has changed.

There are some exemptions, and these objects are skipped in this calculation. When such an object is modified directly on the FortiGate:

• The change applies immediately on FortiGate.
• The sync checksum remains unchanged.
• FortiManager does not see the change -> no revision is created -> no auto-update occurs.

Note:

These objects are mostly related to the central-management settings through the direct CLI.

Example debug log – checksum changes after script execution:

In this case, after running the script, the change is applied normally, the checksum is calculated and exchanged, and because the old and new checksums are different: an auto-update is triggered and the configuration is retrieved by FortiManager automatically.

__install_chan_connected,735: downloading script.

__install_chan_read,652: script running begain.

start_exchange_file,948: get_config ifclient=1

Destroy file exchange service

FGFMs: Destroy stream_svr_obj

FGFMs: Destroy stream_svr_obj

FGFMs: Destroy chan local=1764, remote=583, in=382512, ack=382512, out=0,acked=0,inbuff=-1.

FGFMs(FGVM01TM21000085-167-10.9.11.210): server:

keepalive

checksum=7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f

fgfm_keepalive_handler: old chksum: 32 ed 66 12 21 ed b1 b6 54 bf b2 b6 0a 83 d7 65, auto_retrieve_pending = 0.

fgfm_keepalive_handler: new chksum: 7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f

Config out-of-sync, new_chksum=7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f, my_chksum=32 ed 66 12 21 ed b1 b6 54 bf b2 b6 0a 83 d7 65!

Request [/bin/fgfmsd:2570:169]:

{ "client": "\/bin\/fgfmsd:2570", "id": 169, "method": "exec", "params": [{ "data": { "device": 167, "flags": 0, "need-token": 1, "usr": "AutoUpdate"}, "url": "sync\/config-ext2"}], "root": "deployment"}

Example debug log – no checksum change (no revision created in FortiManager):

In some specific cases (often related to FortiManager connection/configuration changes), the checksum does not change after the script execution. This results in no revision on FortiManager, and the change exists only locally on the FortiGate:

__install_chan_connected,735: downloading script.

__install_chan_read,652: script running begain.

fgfm_chan.c,627: peer close channel: local=1802, remote=621, body_len=0

__install_session_destroy,807: destroy install session state=4.

__install_session_destroy,close log_fp 0x55e1f9e1f210, fd=4.

FGFMs: Destroy chan local=1802, remote=621, in=379, ack=379, out=0,acked=0,inbuff=-1.

FGFMs(FGVM01TM21000085-167-10.9.11.210): server:

keepalive

checksum=7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f

fgfm_keepalive_handler: old chksum: 7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f, auto_retrieve_pending = 0.

fgfm_keepalive_handler: new chksum: 7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f

Set dvm conf status to IN_SYNC.

Recommendation:

When applying configuration directly through remote FortiGate scripts, verify the configuration revision and ensure FortiManager–FortiGate synchronization afterward.