|
When managing FortiGate devices through FortiManager, certain configuration changes made directly on the FortiGate might not show up in FortiManager.
If a change is made through a FortiManager remote FortiGate directly (via CLI script), the change is applied locally with a synchronized device config status, and a new revision with an automatically updated installation status.
However, in some cases, the script behaves differently:
- The change is applied on the FortiGate.
- The device status shows as Synchronized.
- No new revision is created.
- The FortiManager device database is not updated.
Why this happens:
According to FortiOS design, some FortiGate configuration objects are flagged to be excluded from automatic syncing with FortiManager.
When FortiGate and FortiManager synchronize configurations, FortiOS calculates a checksum to determine if the configuration has changed.
There are some exemptions, and these objects are skipped in this calculation. When such an object is modified directly on the FortiGate:
- The change applies immediately on FortiGate.
- The sync checksum remains unchanged.
- FortiManager does not see the change -> no revision is created -> no auto-update occurs.
Note:
These objects are mostly related to the central-management settings through the direct CLI.
Example debug log – checksum changes after script execution:
In this case, after running the script, the change is applied normally, the checksum is calculated and exchanged, and because the old and new checksums are different: an auto-update is triggered and the configuration is retrieved by FortiManager automatically.
__install_chan_connected,735: downloading script.
__install_chan_read,652: script running begain.
start_exchange_file,948: get_config ifclient=1
Destroy file exchange service
FGFMs: Destroy stream_svr_obj
FGFMs: Destroy stream_svr_obj
FGFMs: Destroy chan local=1764, remote=583, in=382512, ack=382512, out=0,acked=0,inbuff=-1.
FGFMs(FGVM01TM21000085-167-10.9.11.210): server:
keepalive
checksum=7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f
fgfm_keepalive_handler: old chksum: 32 ed 66 12 21 ed b1 b6 54 bf b2 b6 0a 83 d7 65, auto_retrieve_pending = 0.
fgfm_keepalive_handler: new chksum: 7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f
Config out-of-sync, new_chksum=7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f, my_chksum=32 ed 66 12 21 ed b1 b6 54 bf b2 b6 0a 83 d7 65!
Request [/bin/fgfmsd:2570:169]:
{ "client": "\/bin\/fgfmsd:2570", "id": 169, "method": "exec", "params": [{ "data": { "device": 167, "flags": 0, "need-token": 1, "usr": "AutoUpdate"}, "url": "sync\/config-ext2"}], "root": "deployment"}
Example debug log – no checksum change (no revision created in FortiManager):
In some specific cases (often related to FortiManager connection/configuration changes), the checksum does not change after the script execution. This results in no revision on FortiManager, and the change exists only locally on the FortiGate:
__install_chan_connected,735: downloading script.
__install_chan_read,652: script running begain.
fgfm_chan.c,627: peer close channel: local=1802, remote=621, body_len=0
__install_session_destroy,807: destroy install session state=4.
__install_session_destroy,close log_fp 0x55e1f9e1f210, fd=4.
FGFMs: Destroy chan local=1802, remote=621, in=379, ack=379, out=0,acked=0,inbuff=-1.
FGFMs(FGVM01TM21000085-167-10.9.11.210): server:
keepalive
checksum=7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f
fgfm_keepalive_handler: old chksum: 7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f, auto_retrieve_pending = 0.
fgfm_keepalive_handler: new chksum: 7c 4d 31 fd 8f 4a ef 27 11 53 2f 1c 15 a2 f3 6f
Set dvm conf status to IN_SYNC.
Recommendation:
When applying configuration directly through remote FortiGate scripts, verify the configuration revision and ensure FortiManager–FortiGate synchronization afterward.
|
