Importing firewall objects from FG to FMG

Question

Hello,

I'm having the following issue while adding an FG 1000D (5.6.3) to an FMG (5.6.2): The FG is brand new with no firewall policy configured. During device add, I also imported firewall policies, in hope to import all the service and address objects of the FG into the FMG. But no object was imported. Then, while tried to install a firewall policy from FMG to FG, all the objects of the FG were overwritten by the FMG's objects and all objects which were unique in the FG, were deleted.

I have two questions:

a. Is this how FMG treats the objects from a FG?

b. What can I do if I want to preserve all the FG's objects and import them to FMG?

If I'm not mistaken, older FMG versions were giving you the choice to import these objects or not.

Thanks

Andreas

ergotherego · Answer

When doing an import, you probably want to select import all objects, not just referenced ones.

FMG will delete unused (unreferenced) objects from the FGT itself. It will keep those things in the FMG database (the ADOM database). Things like firewall addresses that aren't used in firewall policies for example.

When you assign a policy package to a firewall, that is *the* set of firewall rules and such to define on that firewall. FMG becomes the master of the configuration for a firewall it manages. So anything you want to keep on a FGT, needs to be defined on the FMG. And any changes you want to make, need to be done from FMG first.

You may want to look at running your ADOM in backup only mode. That way you can make local changes to the FGT, and it will push those changes up to FMG. In that case, FMG is basically a glorified configuration revision system. It gives you central visibility into changes, just not central management.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded