FortiManager
markwarner
Article Id 246084

Description


This article describes the flow of FortiGate configuration from the managed device to the device database and on to the ADOM database.


Scope


FortiManager, all platforms, all versions.


Solution


This document aims to describe the flow of configuration from the FortiGate to the FortiManager databases.

Flow diagram: [image: FortiGate -> Device Database -> ADOM Database]


The Device Database is managed in the Device Manager section of FortiManager GUI. It contains objects specific to one device on the ADOM. 


The ADOM Database is managed in the Policy & Objects section of FortiManager GUI. It contains objects that can be referenced in a Policy Package and installed on any device in the ADOM. 


A freshly added FortiGate shows Config Status Synchronized and Policy Package Status Never Installed. 


Config Status indicates the synchronization state between the managed device's configuration and the Device Database. By default, retrieval is done automatically whenever the configuration is changed on the device. To retrieve the configuration manually, select the device, select the Revision History button in the Configuration and Installation widget, then select Retrieve Config.


Retrieving configuration triggers the FortiManager to download the configuration file from the FortiGate and update its Device Database. This action does not update the ADOM Database. Objects under Policy & Objects will not be updated and the Policy Package Status in Device Manager will not be affected.


The revision history is the collection of device configuration files retrieved over time. A previous configuration can be restored from it, and a revision downloaded from the revision history can be uploaded directly to a FortiGate as a FortiGate config file.


Usually, the configuration is designed on the FortiManager and then pushed to the device but in some cases, an administrator will want to create or update a Policy Package using the existing configuration on the device.


To update the ADOM Database, the administrator must use the Import Policy option from the Device Manager. Import Policy updates the ADOM Database with the configuration held in the Device Database. It does not contact the FortiGate, so no active connection to the device is required for this operation.


By default, the FortiManager will set the Policy Package Name to the name of the device that is being imported and create a new one if it does not exist.


If the administrator wants to overwrite an existing package, its name must be typed in the Policy Package Name field. If the text in that field matches an existing policy package name, an overwrite toggle button appears.

If an object exists in both places, the administrator can choose whether the ADOM Database should take the configuration from the FortiGate (in reality, from the Device Database) or keep the existing configuration already in the ADOM Database.

Importing and overwriting an existing policy package: [screenshot]


After import, the Policy Package Status in the Device Manager should show a green tick.
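The flow described above (Retrieve Config updating only the Device Database, Import Policy updating the ADOM Database from the Device Database without contacting the device, and the overwrite choice for objects that exist in both places) as an added illustrative model. This is example code written for this article, not FortiManager's implementation; the FortiGate and FortiManager classes, their method names, the status labels and the sample address objects are all assumptions constructed for the example.

```python
# Simulation of the FortiGate -> Device Database -> ADOM Database flow described
# in the article. Illustrative model only, not FortiManager code; all names are
# assumptions, and the sample configuration values are constructed.
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Config = Dict[str, str]  # object name -> object definition (constructed sample data)


@dataclass
class FortiGate:
    """A managed device holding its own running configuration."""
    name: str
    config: Config
    reachable: bool = True


@dataclass
class FortiManager:
    """Holds the two databases the article distinguishes, plus per-device status."""
    device_db: Dict[str, Config] = field(default_factory=dict)          # Device Manager
    revision_history: Dict[str, List[Config]] = field(default_factory=dict)
    adom_db: Dict[str, Config] = field(default_factory=dict)            # Policy & Objects, by package name
    config_status: Dict[str, str] = field(default_factory=dict)
    package_status: Dict[str, str] = field(default_factory=dict)

    def add_device(self, fgt: FortiGate) -> None:
        # A freshly added device is retrieved once: Config Status becomes
        # Synchronized while Policy Package Status stays Never Installed.
        self.revision_history[fgt.name] = []
        self.retrieve_config(fgt)
        self.package_status[fgt.name] = "Never Installed"

    def retrieve_config(self, fgt: FortiGate) -> None:
        # Retrieve Config needs a live connection: it downloads the config file,
        # updates the Device Database and adds a revision. The ADOM Database and
        # the Policy Package Status are deliberately left untouched.
        if not fgt.reachable:
            raise ConnectionError(f"{fgt.name} is not reachable")
        snapshot = copy.deepcopy(fgt.config)
        self.device_db[fgt.name] = snapshot
        self.revision_history[fgt.name].append(snapshot)
        self.config_status[fgt.name] = "Synchronized"

    def revision(self, device: str, index: int) -> Config:
        # A stored revision can be downloaded and uploaded to a FortiGate as a config file.
        return copy.deepcopy(self.revision_history[device][index])

    def import_policy(self, device: str, package_name: Optional[str] = None,
                      overwrite: bool = False, keep_adom_on_conflict: bool = False) -> str:
        # Import Policy reads only the Device Database; the FortiGate is never
        # contacted, so this works even when the device is offline.
        package_name = package_name or device            # default: package named after the device
        source = self.device_db[device]
        if package_name in self.adom_db and not overwrite:
            raise ValueError(f"package {package_name!r} exists; overwrite toggle not set")
        merged: Config = dict(self.adom_db.get(package_name, {}))
        for obj, definition in source.items():
            if obj in merged and keep_adom_on_conflict:
                continue                                  # keep the ADOM Database version
            merged[obj] = definition                      # take the Device Database version
        self.adom_db[package_name] = merged
        self.package_status[device] = "Imported"          # shown as a green tick (label assumed)
        return package_name


def change_on_device(fm: FortiManager, fgt: FortiGate, obj: str, definition: str) -> None:
    """Edit the running config on the FortiGate; by default FortiManager retrieves automatically."""
    fgt.config[obj] = definition
    fm.retrieve_config(fgt)


def demo() -> dict:
    fm = FortiManager()
    fgt = FortiGate("FGT-Branch1", {"address:LAN": "10.0.1.0/24"})   # constructed sample config
    fm.add_device(fgt)
    after_add = (fm.config_status[fgt.name], fm.package_status[fgt.name])

    change_on_device(fm, fgt, "address:DMZ", "10.0.2.0/24")          # automatic retrieve
    adom_after_retrieve = dict(fm.adom_db)                            # still empty: retrieve never touches it

    fgt.reachable = False                                              # import works without a connection
    package = fm.import_policy(fgt.name)
    first_import = dict(fm.adom_db[package])
    try:
        fm.import_policy(fgt.name)                                     # same name, toggle not set
        overwrite_required = False
    except ValueError:
        overwrite_required = True

    fgt.reachable = True
    change_on_device(fm, fgt, "address:LAN", "10.0.9.0/24")
    # Overwrite the package, but keep the ADOM Database copy of objects present in both places.
    fm.import_policy(fgt.name, package, overwrite=True, keep_adom_on_conflict=True)
    return {
        "after_add": after_add,
        "adom_after_retrieve": adom_after_retrieve,
        "first_import": first_import,
        "overwrite_required": overwrite_required,
        "kept_existing": fm.adom_db[package]["address:LAN"],
        "revisions": len(fm.revision_history[fgt.name]),
        "status": fm.package_status[fgt.name],
    }
```

The point the model makes visible is the one administrators most often trip over: after `retrieve_config` the ADOM Database is still empty, so objects edited on the FortiGate are invisible under Policy & Objects until `import_policy` is run, and that import consults only the Device Database, which is why it succeeds while the device is marked unreachable.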


Related document:

https://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1200_Policy%20and%20Objects/0...