awasfi_FTNT
Staff
April 27, 2026

Technical Tip: Understanding UUID changes in FortiManager


Description


This article explains how FortiManager uses UUIDs to track managed objects and policies, and why UUID changes may appear during the first installation or synchronization with FortiGate.


Scope


FortiManager.


Solution


In FortiGate and FortiManager, a UUID is a stable, unique identifier assigned to objects and policies. Fortinet uses UUIDs to track configuration items even when details such as the name, order, or other settings change.


FortiGate automatically creates UUIDs for objects such as:

  • Firewall policies.

  • Addresses and address groups.

  • VIPs and VIP groups.

  • IPv4 and IPv6 policy-related objects.


UUID attributes are included so logs can record the UUID of the related object or policy. This allows FortiManager and FortiAnalyzer to correlate logs back to the exact configuration item.


UUIDs help with:

  • Troubleshooting which exact policy generated a log.

  • Correlating FortiGate logs in FortiAnalyzer or FortiManager.

  • Identifying policies after they are reordered or renamed.

  • Comparing FortiManager policy packages with the configuration installed on FortiGate.

  • Avoiding confusion when multiple devices have similar policy IDs or object names, such as multiple devices in the same ADOM using the same policy ID.


FortiManager mainly uses UUIDs for correlation and management. They help with:

  • Matching FortiGate logs to the correct policy rule.

  • Searching related policy rules by UUID.

  • Keeping policy and object identity consistent across installs, imports, revisions, and ADOM management.

  • Helping FortiAnalyzer and FortiManager map log entries back to managed objects.

A policy ID can be reused, renumbered, or differ between devices. An object name can also be changed. A UUID is intended to identify the underlying policy or object more reliably.

It is normal for FortiManager to change UUIDs for objects and policies during the first installation, or when pushing policies for the first time. This is part of the synchronization process where FortiManager takes over management of the FortiGate.



During this process, FortiManager may update UUIDs for several reasons:

  • Standardizing objects in the central database: When you first install a policy package, FortiManager may replace the object UUIDs on the FortiGate with UUIDs generated in its own database. This helps keep objects consistent across managed devices.

  • Cleaning unused objects: During the initial installation, FortiManager may remove unused or unreferenced objects from the FortiGate if they are not part of the policy package being pushed. This can change the configuration mapping.

  • Installing ADOM certificates: The installation process may include deploying ADOM certificates, which can cause policy or object UUIDs to be regenerated so they align with the central management structure.

  • Resolving initial import differences: If imported objects do not fully match FortiManager’s database, the first installation acts as a synchronization step and updates UUIDs to resolve conflicts.


Expected behavior:

The first push after an import may show many object or policy changes because FortiManager is enforcing its own database structure. This is usually normal.

During the first install preview, changes related to set uuid can typically be ignored, as long as the objects are not being unexpectedly deleted or replaced.

After the first synchronization, UUIDs usually stabilize. The second and later installation previews should normally show only actual configuration changes made by the administrator.
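The check described under "Expected behavior" can be scripted for a large first-install preview. The following is an added example, not Fortinet code: it assumes the preview has been saved as text in FortiOS CLI syntax, the sample preview is constructed, and `triage_preview` is a hypothetical helper name. It separates entries whose only change is `set uuid` from anything that deletes an object or changes another setting.

```python
# Constructed sample of a first-install preview (FortiOS CLI syntax), not real output.
SAMPLE_PREVIEW = '''\
config firewall address
    edit "srv-web"
        set uuid 11111111-2222-3333-4444-555555555555
    next
    edit "srv-db"
        set uuid 11111111-2222-3333-4444-666666666666
        set subnet 10.0.5.10 255.255.255.255
    next
    delete "old-vpn-pool"
end
config firewall policy
    edit 7
        set uuid 11111111-2222-3333-4444-777777777777
    next
end
'''

def triage_preview(text):
    """Return (uuid_only, review): entries changing only the UUID vs. the rest."""
    uuid_only, review = [], []
    stack = []                      # open "config" tables, outermost first
    entry, settings = None, []
    for raw in text.splitlines():
        line = raw.strip()
        table = stack[0] if stack else None
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) > 1:
                settings.append(line)   # nested table: count as a real change
        elif line == "end":
            if stack:
                stack.pop()
        elif len(stack) > 1:
            settings.append(line)       # anything inside a nested table
        elif line.startswith("edit "):
            entry, settings = line[len("edit "):].strip('"'), []
        elif line == "next" and entry is not None:
            cosmetic = bool(settings) and all(s.startswith("set uuid ") for s in settings)
            (uuid_only if cosmetic else review).append((table, entry, settings))
            entry = None
        elif line.startswith(("delete ", "purge")):
            review.append((table, line, []))   # removals always need review
        elif entry is not None and line:
            settings.append(line)
    return uuid_only, review
```

On the sample, "srv-web" and policy 7 land in the UUID-only list, while "srv-db" and the `delete` line are returned for manual review.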