What Can/Should Be Configured Outside of FortiManager for Managed Devices?

Question

I understand that (almost?) everything should be configured and deployed via FortiManager for any devices that are managed.

Are there any configuration elements that cannot be done through FortiManager and must be done independently at the device level?

Specifically ... I have a device that cannot connect to FortiAuthenticator, so I have to log in using local credentials. I'm pretty sure the problem is that I need to set a source-ip for the RADIUS connection via CLI:

config user radius

edit "<authentication string>"

set source-ip 192.168.100.1

Of course when I log into the remote device locally and open the CLI, I get the message that "changes will cause this device to be out of sync with FortiManager."

I guess I have four questions:

1. Can this setting for an individual device (that is part of an ADOM with other devices) be set via FortiManager?

2. If so, how?

3. If it cannot be set via FortiManager and I set it on the device itself, will it cause any "out of sync" issues?

4. Are there any configuration elements that can/must be set on the device and not through FortiManager?

I'm just trying to understand if the warning that "this will cause the device to be out of sync" means that I should never EVER change anything locally, or if that's more of a "yes, it can be done, but you need to know what you are doing first" kind of message.

Toshi_Esumi · Accepted Answer

If you use CLI templates/template group, you can configure basically anything on a FGT by pushing them.

On the other hand, If you don't use any templates, a policy package and other "manager" like AP Manager, VPN Manager, etc., you can configure everything directly at the device then let FMG to pull the config changes automatically and keep the config "revisions". That one extream way of using FMG.

But most people do somewhere inbetween, some config is regulated by templates and policy packages at least, especially like retail chain customers who has almost the same config for many locations and only subnets are different.

But not regulated part can be configured directly because it's much faster than using "scripts" from FMG, like circuit/interface setting, DHCP or PPPoE or static, username/password got changed, or GW IP got changed, etc.

Or just for test/troubleshooting purpose, you might change them temporarily before the final change is made.

That's how we do our business with FMG. The warning is just a warning I always ignore it but very consciously making those changes at the device what would happen after that at FMG like the templates and policy package might go out of sync and need to get them re-synced.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded