craigmmorq4
Explorer
February 11, 2026
Solved

Policy & Packages > USER & AUTHENTICATION


Hello All

We have a new deployment and have created TACACS+ servers and Group.

When I try and push, it doesn't say there's a change pending, doesn't even detect a change. The TACACS are referenced to a group and an account too that I've created.

Is there a way to force these changes to be deployed?

Screenshot 2026-02-11 165834.png

Best answer by farhanahmed

FMG by default does not push 'unused' objects to the devices :)


So, either use it in a policy or try the other method to create a system admin - if the user is going to login to FGT using TACACS+ credentials.

3 replies

funkylicious
SuperUser
February 11, 2026

I assume that no changes are detected in the policy package?

Have you tried device only to install instead?

"jack of all trades, master of none"
craigmmorq4
Explorer
February 11, 2026

Yes, and it doesn't push either.

funkylicious
SuperUser
February 11, 2026

OK, try this instead: click on the FGT > CLI Configuration > user > tacacs+, add them, and then install DB at the end.

Screenshot 2026-02-11 at 21.30.15.png

"jack of all trades, master of none"
farhanahmed
Staff
February 11, 2026

The TACACS server and group are in ADOM DB so it won't be pushed unless it's used in a policy. Use the user group in a dummy policy then try installing and it should push to the FGT.

OR

You can first copy the TACACS server and group to device db:
# exe fmpolicy copy-adom-object <ADOM> <Object ID> <Object Name> <Device ID> <VDOM>

Then under the Device DB (Device Manager > Select FGT > CLI Configurations > system > admin) create a System Admin and set the remote-group to the TACACS+ group.

Then try install, FMG will push the changes to FGT.
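
Added example, not part of the reply above and not Fortinet's own text: a sketch of the device-level FortiOS configuration the second method should leave on the FGT once the TACACS+ server and group are in the device DB and a system admin references the group. The object names, the address and the `<shared-secret>` / `<admin-profile>` placeholders are constructed for illustration.

```text
# Constructed example values: names, IP and placeholders are assumptions.

config user tacacs+
    edit "TACACS-SRV1"
        set server "192.0.2.10"
        set key <shared-secret>
        set authorization enable
    next
end

config user group
    edit "TACACS-ADMINS"
        set member "TACACS-SRV1"
    next
end

# The system admin is what references the group, so FMG treats the
# TACACS+ server and group as "used" and includes them in the install.
config system admin
    edit "tacacs-admins"
        set remote-auth enable
        set wildcard enable
        set remote-group "TACACS-ADMINS"
        set accprofile "<admin-profile>"
    next
end
```

After the install, comparing the FGT's `show user tacacs+`, `show user group` and `show system admin` output against this shape confirms the objects arrived. Keep at least one local administrator account so a TACACS+ outage does not lock you out of the device.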

craigmmorq4
Explorer
February 12, 2026

Yes, referencing a user group did work.

But surely this can't be the only way to do this?

farhanahmed
Staff
February 12, 2026

FMG by default does not push 'unused' objects to the devices :)


So, either use it in a policy or try the other method to create a system admin - if the user is going to login to FGT using TACACS+ credentials.