Created on 06-14-2023 09:39 PM. Edited on 06-19-2025 02:24 AM by Jean-Philippe_P.
This article describes the behavior of FortiManager in managing FortiGate HA deployed in a Public Cloud such as AWS or Azure with vdom-exception configured.
FortiManager v7.2.2.
FortiManager v7.2.2 has improved the features to manage FortiGate HA deployed in AWS/Azure with vdom-exception configured.
In a FortiGate HA cluster deployed in a public cloud, configuration included in vdom-exception is not synchronized between the HA members.
Example: 'FGT A' Virtual IPs, 'FGT B' Virtual IPs and HA status (screenshots in the original article).
As a result, FortiManager has difficulty reconciling the configuration and Policy Package differences that appear when the FortiGate HA cluster fails over. To overcome this complexity, FortiManager v7.2.2 treats the configuration included in vdom-exception as read-only.
The example below will provide more details on the behaviors.
Note:
For comparison, FortiGate 1 VIPs are named with numbers and FortiGate 2 VIPs with letters.
When a FortiGate HA cluster in the public cloud is added to FortiManager, FortiManager retrieves and imports the configuration from the Primary FortiGate only.
Any changes made on the Primary FortiGate are auto-updated to the FortiManager database.
On the other hand, a vdom-exception configuration change made on the Secondary FortiGate is not updated to the FortiManager database.
The FortiManager database shows both the config status and the policy package status as synchronized.
After the failover, FortiManager retrieves the latest configuration from the new Primary FortiGate, and the status changes to Auto-Update:
However, it does not retrieve and import the configuration listed in vdom-exception. In this example, the FortiGate has failed over, but the Virtual IPs still remain those of FortiGate 1:
Although the VIPs differ, the next installation does not overwrite the configuration on the new Primary FortiGate, and the Install Preview is displayed empty:
To have the vdom-exception object of the new Primary FortiGate in FortiManager, the user needs to manually retrieve and import the configuration.
Note:
The device database overwrites the vdom-exception objects and replaces them with the values from the latest Primary FortiGate.
However, the ADOM database (Policy Package) contains the objects from both FortiGates:
Although all the objects are contained in the ADOM database, FortiManager ignores every object included in vdom-exception and does not install any of them, even if an object is modified. This precaution prevents FortiManager from installing the objects of FortiGate 1 onto FortiGate 2. However, if FortiGate 2 objects are added to a FortiGate 1 firewall policy, FortiManager reports 'datasrc invalid':
If the user wants to change an object listed in vdom-exception, it must be configured from the Device database:
Note:
After changes are made in the device database, and the object in vdom-exception is referenced by a firewall policy, the policy package status becomes out of sync. In that case, the user must install together with the Policy Package to synchronize both the device database and the ADOM database.
In summary, vdom-exception is read-only for the ADOM database only. The ADOM database allows an object in vdom-exception to be added to a firewall policy only if the local FortiGate already has that object created. Otherwise, it does not create the object on the FortiGate, and the installation cannot proceed. The device database, on the other hand, can still be used to make changes, and the user needs to be cautious during installation.
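As an added example (not Fortinet code), the following script models the behaviour described above as a pre-install check: each HA member keeps its own vdom-exception VIPs, the ADOM database holds the union of the objects imported from both members, and a policy that references a VIP absent from the install target is the 'datasrc invalid' case. The FortiGate and Policy classes, the VIP names and the policies are constructed sample data following the article's numbers-versus-letters naming.

```python
# Added example, not Fortinet code: models the ADOM database / device database
# split for vdom-exception VIPs in FortiGate HA and flags policies that would
# hit 'datasrc invalid' on a given install target.
from dataclasses import dataclass


@dataclass(frozen=True)
class FortiGate:
    name: str
    local_vips: frozenset  # VIPs in this unit's own config (not HA-synchronised)


@dataclass(frozen=True)
class Policy:
    policyid: int
    dstaddr: tuple  # address/VIP object names referenced by the policy


def adom_vips(members):
    """ADOM database view: union of VIPs imported from every HA member."""
    return frozenset().union(*(m.local_vips for m in members))


def check_install(policies, target, adom):
    """Return {policyid: [missing VIPs]} for policies that would fail on
    `target`: the VIP is known to the ADOM database but absent from the
    target FortiGate's local vdom-exception configuration."""
    problems = {}
    for pol in policies:
        missing = [a for a in pol.dstaddr if a in adom and a not in target.local_vips]
        if missing:
            problems[pol.policyid] = missing
    return problems


# Constructed sample following the article's naming: FortiGate 1 VIPs are
# numbers, FortiGate 2 VIPs are letters.
FGT1 = FortiGate("FortiGate 1", frozenset({"1", "2"}))
FGT2 = FortiGate("FortiGate 2", frozenset({"A", "B"}))
ADOM = adom_vips([FGT1, FGT2])
POLICIES = (
    Policy(1, ("1",)),       # references only FortiGate 1's VIP
    Policy(2, ("A", "2")),   # mixes objects from both members
    Policy(3, ("all",)),     # no vdom-exception object involved
)

if __name__ == "__main__":
    # After failover FortiGate 2 is primary; policies 1 and 2 reference VIPs
    # that exist only on FortiGate 1 and would fail to install there.
    print(check_install(POLICIES, FGT2, ADOM))
```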