Description

Occasionally, FortiGuard will send updates to FortiGates for existing predefined certificates as part of a certificate bundle update. In some cases, the certificate uses a new name, which ends up being treated as "new configuration" on the FortiGate.

An example of new configuration that may show up in the FortiGate configuration as a result:
# config vpn certificate ca
    edit "Entrust_Root_Certification_Authority_-_G2"
        set range global
        set source fortiguard
    next
end
This configuration entry cannot be deleted by an admin user.

When the FortiGate is managed by FortiManager, the FortiGate will attempt to notify FortiManager of these configuration changes using auto-update.

If FortiManager does not receive these updates, the FortiGate will show up on FortiManager as out-of-sync, and FortiManager may also attempt to delete the new certificate during the next install attempt.
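To see which CA entries on a device came from a FortiGuard bundle (and are therefore the ones FortiManager would try to delete if it never learned about them), the small parser below walks the "config vpn certificate ca" table of a FortiOS config dump and picks out entries with "set source fortiguard". This is an added example, not code from the article or from Fortinet; the config text is a constructed sample, and the list of CA names FortiManager already knows is a hypothetical input you would take from the device's last retrieve.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiOS config fragment (not a real device dump):
# one CA learned from a FortiGuard certificate bundle, one uploaded by an admin.
SAMPLE_CONFIG = """\
config vpn certificate ca
    edit "Entrust_Root_Certification_Authority_-_G2"
        set range global
        set source fortiguard
    next
    edit "Corp_Internal_Root"
        set range global
        set source user
    next
end
config system global
    set hostname "FGT-branch-01"
end
"""


def parse_ca_entries(config_text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'config vpn certificate ca' table out of a FortiOS config dump.

    Returns {entry_name: {setting: value, ...}}. Only that table is parsed;
    every other 'config' section is skipped, and nested config blocks inside
    the table (if any) are stepped over by tracking their depth.
    """
    entries: Dict[str, Dict[str, str]] = {}
    in_ca = False
    depth = 0          # nesting depth of config blocks inside the CA table
    current = None     # name of the 'edit' entry being filled in
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_ca:
            if line == "config vpn certificate ca":
                in_ca = True
            continue
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            if depth == 0:
                break          # end of the CA table itself
            depth -= 1
            continue
        if depth:
            continue           # settings of a nested block are not CA settings
        m = re.match(r'edit "([^"]*)"', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (.*)", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2).strip('"')
    return entries


def fortiguard_learned_cas(config_text: str) -> List[str]:
    """Names of CA entries whose 'source' is fortiguard: the entries that appear as
    "new configuration" after a bundle update and that an admin cannot delete."""
    return sorted(name for name, settings in parse_ca_entries(config_text).items()
                  if settings.get("source") == "fortiguard")


def unknown_to_fortimanager(device_config: str, fmg_known_cas: List[str]) -> List[str]:
    """FortiGuard-sourced CAs that FortiManager does not hold for this device.

    fmg_known_cas is a hypothetical input (e.g. the CA names in FortiManager's copy
    of the device config). The entries returned are the ones an install would try
    to remove if auto-update never delivered them to FortiManager.
    """
    known = set(fmg_known_cas)
    return [name for name in fortiguard_learned_cas(device_config) if name not in known]


if __name__ == "__main__":
    print("FortiGuard-sourced CAs:", fortiguard_learned_cas(SAMPLE_CONFIG))
    print("Not known to FortiManager:",
          unknown_to_fortimanager(SAMPLE_CONFIG, ["Corp_Internal_Root"]))
```

Any name printed by unknown_to_fortimanager is a device that needs auto-update to succeed or a retrieve before the next install, otherwise that install will attempt to delete the entry.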
Scope

This problem should only arise on FortiGates running firmware older than the versions listed below.

As of FortiOS 5.6.10, 6.0.5 and 6.2.0, FortiOS no longer records CA certificates learned from a FortiGuard certificate bundle update in config vpn certificate ca (tracked as bug id 517702).
Solution

The most common reason for this is that auto-update is disabled on the FortiManager:

# config system admin setting
    set auto-update disable
end
By default auto-update is enabled, but some administrators choose to disable this feature to force all changes to be made only on FortiManager.

Even if FortiManager had auto-update enabled at the time of the certificate update, the auto-update itself may still have failed.
***
In order to allow FortiManager to learn about the configuration change from the FortiGate, try one of the following:

1) Enable auto-update on FortiManager.
This may be sufficient if the FortiGates are still attempting to resend auto-updates. Auto-update is the preferred method.

If auto-update is insufficient, a retrieve should correct the issue. After a retrieve, the policy package status will show as "Unknown" for that FortiGate, and a further Install is required to correct the package status.

2a) Manually issue a retrieve from FortiManager for each affected FortiGate.

2b) If the number of managed FortiGates is large, run a script with the following command against the remote FortiGates to trigger a retrieve instead:
# diag fdsm cfg-upload <comment>