rezendecs
New Member
February 3, 2016
Question

Disable Dynamic mapping

  • February 3, 2016
  • 2 replies
  • 6958 views

Hi All,

 

Is it possible to disable the dynamic mapping object feature on FortiManager?

I have a customer that often changes object configuration directly on the FortiGate and after that does "import policy" in FortiManager and then "re-install policy".

The problem is that after "import policy" it changes the type of object from "address" to "dynamic address" and only the FortiGate that was changed is updated in FortiManager.

   

Regards,

Claudio Rezende

   

2 replies

mscheiber
New Member
June 10, 2020

Would like to have an answer here too.

 

regards

chall_FTNT
Staff
June 12, 2020

mscheiber & rezendecs

 

Regarding the import behavior, why do you (or your customer) not want FortiManager to learn about the value of that object as learned from the FortiGate?  Are you looking to "enforce" a certain value across all FortiGates?  And is it only for a specific object that you want to disallow the use of dynamic mapping?

I ask these questions to understand the context.  Dynamic mapping is a pretty fundamental and important part of FortiManager acting as a central management tool.  The default import behavior helps make the onboarding of a new FortiGate (FGT) much more straightforward & helps ensure there is no disruption to the FGT in the process.

sgeus
New Member
March 31, 2023

I'm having the same/similar issue. 

 

When importing a 'new' FortiGate in the ADOM, in our case they come from another ADOM, some address groups are 'smaller' on the imported FortiGate. This then creates automatically a "Per-Device Mapping" for that group.

For us this is undesired as this means that a 'block group' is missing subnets and the 'Domain Controllers group' is missing the new Domain Controllers.

We found this on the domain controllers group as errors were reported by the AD team.

 

We need the option to disable the auto-creation of "Per-Device Mapping" during the import. Additionally we need to filter lists to show all objects that have a "Per-Device Mapping".
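
The filter asked for in the post above can be approximated outside the GUI. The following is an added example, not part of the original post and not Fortinet code: it audits address groups for per-device mappings whose member list is smaller than the ADOM-level group. It assumes the groups were exported as JSON in the shape of a FortiManager JSON-RPC `get` on the ADOM's `firewall/addrgrp` objects; the field names `dynamic_mapping`, `_scope` and `member` and all sample values are assumptions, with the sample data constructed for illustration.

```python
import json

# Constructed sample: assumed shape of a FortiManager JSON-RPC "get" result
# for /pm/config/adom/<adom>/obj/firewall/addrgrp (field names are assumptions).
SAMPLE = json.loads("""
[
  {"name": "Domain_Controllers",
   "member": ["dc01", "dc02", "dc03"],
   "dynamic_mapping": [
     {"_scope": [{"name": "FGT-BRANCH1", "vdom": "root"}],
      "member": ["dc01", "dc02"]}
   ]},
  {"name": "Block_Group",
   "member": ["bad-net-1", "bad-net-2"],
   "dynamic_mapping": [
     {"_scope": [{"name": "FGT-BRANCH1", "vdom": "root"}],
      "member": ["bad-net-1"]},
     {"_scope": [{"name": "FGT-HQ", "vdom": "root"}],
      "member": ["bad-net-1", "bad-net-2"]}
   ]},
  {"name": "Web_Servers", "member": ["web01"], "dynamic_mapping": null}
]
""")


def audit_per_device_mappings(groups):
    """Return one finding per (group, device/vdom) per-device mapping,
    listing ADOM-level members absent from the device's override."""
    findings = []
    for group in groups:
        adom_members = set(group.get("member") or [])
        for mapping in group.get("dynamic_mapping") or []:
            device_members = set(mapping.get("member") or [])
            for scope in mapping.get("_scope") or []:
                findings.append({
                    "group": group["name"],
                    "device": scope.get("name"),
                    "vdom": scope.get("vdom"),
                    "missing": sorted(adom_members - device_members),
                    "extra": sorted(device_members - adom_members),
                })
    return findings


if __name__ == "__main__":
    for f in audit_per_device_mappings(SAMPLE):
        flag = "MISSING MEMBERS" if f["missing"] else "ok"
        print(f'{f["group"]} @ {f["device"]}/{f["vdom"]}: {flag} {f["missing"]}')
```

A non-empty `missing` list on a block group or a domain-controllers group is the condition described in the post: the device enforces a narrower group than the one defined in the ADOM.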

Big-D
New Member
March 21, 2026

After a long discussion with Fortinet, it turns out this feature is currently still not working as expected.

 

As the topic starter has pointed out, importing devices and selecting "Use Value From FortiManager" will select the value from the FortiManager; however, a dynamic per-device mapping will be created, overwriting what is set in the FortiManager by the value of the FortiGate.

 

After 10 years, there is still no fix for this. This complicates life when staging devices and doing migrations between different models, seeing as a policy likely changes between staging & production. Often these are non-greenfield deployments, where blueprints cannot be used.

 

Even though there is still no fix for this, we have found the workaround below, suitable for our environment. This will create a script which "migrates" all required interface & META-field mappings from the old device to the new, yet it will not create dynamic mappings for other policy-related objects. Perhaps this can be helpful for others in similar situations:

 

1. Run "diagnose dvm device dynobj <Device Name>" on FortiManager & save as FortiManager "Policy Package or ADOM Database"-script
2. Rename existing device to <Device Name>-old
3. Import New device & link provisioning templates & policy during import
4. Run "Policy Package or ADOM Database"-script via FortiManager for <Device Name> on any Policy Package
5. Push policy & device settings

 

Toshi_Esumi
SuperUser
March 21, 2026

It would be helpful if you could tell what version of FMG you are talking about, for when someone finds this thread in 5 years and is wondering.

Toshi

Big-D
New Member
March 23, 2026

All, including FMG 8.0.0 which Fortinet used for testing.