Raj_Pandey
Explorer
April 1, 2026
Solved

FortiManager import limitation - routing objects


Working on a FortiManager–FortiGate integration scenario and observed an interesting behavior — looking for insights from the community.

I configured the following directly on FortiGate:

  • Firewall policies
  • Address objects & groups
  • Static routes
  • Prefix lists
  • Route maps

Everything works perfectly on the firewall.

However, when I perform “Import Configuration” into FortiManager:

  • Policies, objects, and static routes are imported correctly
  • Prefix list and route map names appear, but their entries/content are missing

On the other hand, when I perform a “Retrieve Configuration”, I can see the full configuration including prefix list and route map entries.

So the questions:

  1. Why does the FortiManager import process not fully bring in prefix list / route map configurations?
  2. Is this expected behavior (device-level vs policy-level separation), or a limitation/bug?
  3. What is the recommended production approach to manage routing objects like prefix lists via FortiManager?

Would appreciate insights from anyone who has handled this in large-scale or production environments, and a solution for the same.

Best answer by farhanahmed

After a manual retrieve, policy status showing 'unknown' is expected behavior.

 

You can do the install config and see what it shows in the preview - if before the retrieve the policy package was synced and there are no policy changes made locally on the FGT then the install preview will show nothing - and you can proceed with install to sync.


Raj_Pandey
Explorer
April 1, 2026

on FMG, when imported:

Screenshot 2026-04-01 180643.png

on firewall:

Screenshot 2026-04-01 180956.png

 

farhanahmed
Staff
April 1, 2026
  • Retrieve pulls the full config from the FGT and adds it to the Device DB -> Device Manager > Select FGT > Routing Objects.
  • Import Config only copies policies and 'used' objects from the Device DB to the ADOM DB - routing is NOT managed from the ADOM DB.

-> In your case I see that the prefix list and route-map are present there. Double-click the objects and see; it should list the rules. If not, try retrieving the config again. Also, it's recommended that the FOS version matches the ADOM version.

https://docs.fortinet.com/document/fortimanager/7.4.5/administration-guide/645328/operations
https://community.fortinet.com/t5/FortiManager/Technical-Tip-Configuration-import-from-the-device-to-the-ADOM/ta-p/246084 


Raj_Pandey
Explorer
April 2, 2026

Hi,

After importing, if you noticed in the screenshot, the prefix list and route map names created on the firewall are visible; however, their contents are missing.

For example, the Five9_prefix contains 35 IPs on the firewall, but in FortiManager (FMG), it shows 0 entries. This seems unusual.

I understand your point that the Import Config process only copies policies and “used” objects from the Device DB to the ADOM DB, and that routing is not managed from the ADOM DB. However, I’m unclear why the names of routing objects are imported while the prefix list and route map contents are not.

Could you please confirm if the recommended approach for importing routing objects is:

  • Retrieve the full configuration for routing objects, and then
  • Import the policy package separately, then install it on the firewall?

Also, after performing a configuration retrieval, will importing policies later overwrite any routing objects?

Could you suggest the correct sequence of steps? Currently, the customer is making changes directly on the firewall, then performing an import, followed by installation via FMG. During this process, routing objects appear to be missing.

Additionally, when we retrieve the configuration, the policy package becomes “unknown.” In this case, should the unknown package be installed?

 

Raj_Pandey
Explorer
April 2, 2026

FortiManager is v7.4.9 and the FW is 7.4.5.

Toshi_Esumi
SuperUser
April 2, 2026

I think you're misunderstanding what the "Import Configuration" button in the Device Manager screen does.
It doesn't import the config "into FortiManager". It imports all policies and objects used in those policies into a "Policy Package" under the Policy & Object side FROM the Device DB @farhanahmed mentioned, where the entire FGT config is retrieved from the FGT.
https://docs.fortinet.com/document/fortimanager/7.4.4/administration-guide/472112/import-configuration

Since none of the routing objects, like prefix-list, route-map, etc., are referenced from any policies, if you look at that prefix-list under CLI configuration IN the Policy & Objects page, nothing should be there. When I tested, even the names of the prefix-list and route-map were there.

Instead, if you look at those from the Device Manager side like below, you should see all of those with actual content.
FMGroutingobjects.png

 

Toshi

Raj_Pandey
Explorer
April 2, 2026

Hi Toshi,

Thanks for your response. I understand what an import policy package means. My question is simpler: if a customer creates prefix lists, route maps, and some policies directly on the firewall, and later wants FortiManager (FMG) and the firewall (FW) to be in sync, what should they do?

During import, only the policy and its dependent objects are brought in. So, should they first retrieve the configuration from the firewall into FMG to capture elements like prefix lists, and then import the policy package to align the policies? After that, should they install the configuration from FMG back to the firewall?

In short, what is the recommended approach? 

Toshi_Esumi
SuperUser
April 2, 2026

"Auto Retrieve" should happen when something is changed at a managed FGT. If it doesn't happen because you disabled it, or for whatever other reason, you can always manually "Retrieve" the entire config into the Device DB at the Revision History page.
It should make Config Status = Synchronized.

 

But, again, routing objects have nothing to do with policies. So as long as the policies are not changed, it doesn't matter if you import policies into a policy package before the prefix-list changes or after. Only the Device DB changes.

Toshi
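
A way to verify what the replies describe, namely that a retrieved copy holds the prefix-list and route-map rules while an import-side view may show only the names: the script below counts rule entries per routing object in two FortiOS CLI config texts and reports the differences. It is an added example, not part of the thread and not Fortinet code; it assumes both copies are available as plain CLI text (for example a FortiGate backup and a revision saved from FortiManager), and the sample configs are constructed.

```python
import re

# Frames that open the routing-object tables discussed in the thread.
SECTION_FRAMES = {("config", "router prefix-list"), ("config", "router route-map")}

def routing_entries(config_text):
    """Map (section, object name) -> number of "config rule" entries."""
    counts, stack = {}, []  # stack holds the open ("config"|"edit", name) frames
    for line in config_text.splitlines():
        m = re.match(r'\s*(config|edit|next|end)(?:\s+(.*))?$', line)
        if not m:
            continue  # set/unset lines do not change nesting
        word, arg = m.group(1), (m.group(2) or "").strip().strip('"')
        if word in ("next", "end"):
            del stack[-1:]  # close the innermost open frame (safe when empty)
            continue
        if word == "edit" and stack:
            if stack[-1] in SECTION_FRAMES:  # a prefix list or route map
                counts.setdefault((stack[-1][1], arg), 0)
            elif (len(stack) >= 3 and stack[-1] == ("config", "rule")
                  and stack[-3] in SECTION_FRAMES):  # one rule inside it
                counts[(stack[-3][1], stack[-2][1])] += 1
        stack.append((word, arg))
    return counts

def entry_mismatches(firewall_cfg, manager_cfg):
    """Objects whose entry count differs: {key: (on firewall, on manager or None)}."""
    fw, mgr = routing_entries(firewall_cfg), routing_entries(manager_cfg)
    return {k: (n, mgr.get(k)) for k, n in fw.items() if mgr.get(k) != n}

# Constructed sample: two rules stand in for the 35 mentioned in the thread.
FIREWALL_CFG = '''
config router prefix-list
    edit "Five9_prefix"
        config rule
            edit 1
                set prefix 192.0.2.0 255.255.255.0
            next
            edit 2
                set prefix 198.51.100.0 255.255.255.0
            next
        end
    next
end
'''
# Constructed copy that carries the object name only, as seen after the import.
NAMES_ONLY_CFG = 'config router prefix-list\n    edit "Five9_prefix"\n    next\nend\n'

print(entry_mismatches(FIREWALL_CFG, NAMES_ONLY_CFG))
```

The parser tracks only config/edit/next/end nesting, so a multi-line quoted value containing a line that starts with one of those words would throw the counts off.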