FortiManager
ojacinto
Staff
Article Id 193259

Description

This article describes how, after importing the policy of a newly added device and then installing the new policy package to that FortiGate for the first time, all unused objects are deleted.

Solution

During the policy package import, one of the following options is selected:

1. Import only policy-dependent objects.

When only policy-dependent objects are imported, the orphan (unused) objects, that is, those not tied to any policy locally on the FortiGate, are deleted on the next install.

2. Import all objects.

When all objects are imported, every used and unused object is imported into the FortiManager ADOM object database, but the next install still deletes the orphan (unused) objects from the FortiGate.

In this scenario, all unused objects are imported into the FortiManager database and can later be used by referencing them in FortiManager policies and installing them on the managed devices.

Consider the following example of importing a policy with its objects and then installing the package.

Figure 1: [image]

Figure 2 below shows details about the imported objects. Some of them already exist on the FortiManager under the same name but with different values.

Figure 2: [image]

Depending on the conflict-resolution option selected, these objects are either updated with the FortiGate's object values or kept unchanged on the FortiManager. See Figure 3 below:

Figure 3: [image]

Some objects are found to be duplicates (objects with the same name and value already exist on the FortiManager). FortiManager keeps these objects in its database and takes no action on them.

When the policy package is installed to the FortiGate, FortiManager installs only the objects referenced by the policy (addresses, address groups, web filter profiles, etc.) and deletes all unused objects from the FortiGate.

As shown in Figure 4, 106 objects are deleted because they are not referenced anywhere in the firewall policy.

Figure 4: [image]

This is expected behavior: FortiManager installs only the objects referenced in the policy and deletes any unused object from the FortiGate after installation.
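The install behaviour described above, as an added example that is not Fortinet's code: a small Python check that parses a FortiGate configuration backup and lists the address objects and groups that no firewall policy reaches through srcaddr, dstaddr or address-group membership, which are the candidates for deletion on the first install. The config fragment and object names are constructed; the check only follows policy and address-group references, so objects referenced from elsewhere (VIPs, routes, other profiles) would still be listed and need a manual look.

```python
import shlex
# Constructed FortiOS backup fragment; object names are hypothetical, not from the article.
SAMPLE_CONFIG = """
config firewall address
    edit "web-srv"
    next
    edit "old-lab-host"
    next
end
config firewall addrgrp
    edit "app-servers"
        set member "web-srv"
    next
end
config firewall policy
    edit 1
        set srcaddr "all"
        set dstaddr "app-servers"
    next
end
"""

def parse_fortios(text):
    """Top-level section -> entry -> {setting: [values]}; nested sub-blocks are ignored."""
    tree, depth, section, entry = {}, 0, None, None
    for tok in (shlex.split(line) for line in text.splitlines()):
        if not tok:
            continue
        depth += (tok[0] == "config") - (tok[0] == "end")
        if tok[0] == "config" and depth == 1:
            section, entry = tree.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and depth == 1:
            entry = section.setdefault(tok[1], {})
        elif tok[0] == "set" and depth == 1 and entry is not None:
            entry[tok[1]] = tok[2:]
    return tree

def unreferenced_addresses(text):
    """Addresses/groups no policy reaches through srcaddr, dstaddr or group membership."""
    cfg = parse_fortios(text)
    groups, used = cfg.get("firewall addrgrp", {}), set()
    def mark(name):  # follow address-group membership transitively
        if name not in used:
            used.add(name)
            for member in groups.get(name, {}).get("member", []):
                mark(member)
    for policy in cfg.get("firewall policy", {}).values():
        for name in policy.get("srcaddr", []) + policy.get("dstaddr", []):
            mark(name)
    return sorted((set(cfg.get("firewall address", {})) | set(groups)) - used)
```

Running `unreferenced_addresses` on a real backup taken before the first install gives the list to review against what FortiManager reports as deleted.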