FortiGate Out of Sync after device updates CRL

Forum|Forum|7 years ago
January 19, 2019
1 reply
6440 views

I've configured a pair of FortiGate 81E firewalls into a HA cluster, and I use them to terminate a set of auto-detect IPSEC tunnels. To improve security, I use PKI to authenticate the tunnels, and I have configured the firewalls to download CRL updates using HTTP. The firewalls currently run FortiOS 5.6.5, and FortiManager is 6.0.2.

Unfortunately, when the firewalls update the CRL, it causes them to register as Out of Sync in FortiManager.

Is there a way to prevent this?

Thank you.

Fortimanager

teddyko_FTNT

Staff

Is your Config Status or Policy Package Status going to "Out of Sync"?

Changes to the CRL should only affect Config Status. One possibility for Out of Sync status is your auto-update setting may be disabled. You can validate this by running the following CLI:

get system admin setting

malachykiddAuthor

New Member

teddyko wrote:
Is your Config Status or Policy Package Status going to "Out of Sync"?

Config Status.

teddyko wrote:
Changes to the CRL should only affect Config Status. One possibility for Out of Sync status is your auto-update setting may be disabled. You can validate this by running the following CLI:

get system admin setting

Auto-update is disabled.

I assume, then, that there is no mechanism within FortiManager to ignore or auto-update only the CRLs; that the solution is to enable auto-update for all devices. That's fine, as I am the only person who manages the firewalls, though ideally there would be a way to ignore automatic, self-changing bits of configuration like that.

Thank you.

malachykiddAuthor

New Member

Well... I enabled auto-update, and FortiManager auto-updated the config, but then it set the root policy package status to Out of Sync, though there are no changes applied if I (re)install the policy package. Not ideal.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded