awasfi_FTNT
Description
This article describes how to check, verify, and fix the different policy package statuses.

Solution
Compatibility between FortiManager and FortiGates has to be verified before adding the FortiGates to FortiManager or pushing any configuration from FortiManager.
Review the compatibility document, which can be found at the following link under FortiManager -> Release Information -> Compatibility:

Related document:
https://docs.fortinet.com/

The ADOM version must match the firmware branch of the managed FortiGates.
For example, a FortiGate running v6.0.x firmware has to be added to a v6.0 ADOM.
 
The ADOM version can be verified from the GUI or the CLI:

GUI:

CLI:
# diagnose  dvm adom list
There are currently 18 ADOMs:
OID      STATE    PRODUCT OSVER MR  NAME                MODE    VPN MANAGEMENT        IPS                                                
192      enabled  FOS     6.0   0   6_0_ADOM            Normal  Policy & Device VPNs  15.763                                             
108      enabled  FAZ     6.0   0   FortiAnalyzer       Normal  Policy & Device VPNs  15.763                                             
124      enabled  FAC     5.0   5   FortiAuthenticator  Normal  Policy & Device VPNs  15.763                                             
112      enabled  FCH     4.0   2   FortiCache          Normal  Policy & Device VPNs  0.0                                                
104      enabled  FOC     6.0   0   FortiCarrier        Normal  Policy & Device VPNs  15.763                                             
114      enabled  FCT     6.0   0   FortiClient         Normal  Policy & Device VPNs  15.763                                             
122      enabled  FDD     5.0   0   FortiDDoS           Normal  Policy & Device VPNs  15.763                                             
106      enabled  FML     6.0   0   FortiMail           Normal  Policy & Device VPNs  15.763                                             
118      enabled  FMG     6.0   0   FortiManager        Normal  Policy & Device VPNs  15.763                                             
167      enabled  unknown 8.0   4   FortiNAC            Normal  Policy & Device VPNs  0.0                                                
126      enabled  FPX     1.0   1   FortiProxy          Normal  Policy & Device VPNs  0.0                                                
120      enabled  FSA     3.0   0   FortiSandbox        Normal  Policy & Device VPNs  0.0                                                
110      enabled  FWB     6.0   0   FortiWeb            Normal  Policy & Device VPNs  15.763                                             
116      enabled  LOG     0.0   0   Syslog              Normal  Policy & Device VPNs  15.763                                             
102      enabled  Chassis 6.0   0   Chassis             Normal  Policy & Device VPNs  15.763                                             
3        enabled  FOS     6.0   0   root                Normal  Central VPN Console   15.763                                             
10       enabled  FOS     6.0   0   Global              Normal  Policy & Device VPNs  15.763                                             
---End ADOM list---
Make sure the connection between FortiManager and the FortiGate is UP.
If the connection is down, installing a policy package will fail.
The following debug can be used to check the connection from the FortiManager CLI:
# diagnose  debug  application  fgfmsd -1
Example:
# diagnose  debug  reset
# diagnose  debug  application  fgfmsd -1

fgfmsd debug filter:    disable
# diagnose  debug  enable
FMG # __start_tunnel_by_devlist,328: devid=194, admin=admin.
FGFMs(probing...): Create session 0x7f375bea9800.
FGFMs(FGVM01TM19001092-194-10.10.10.10): Connect to 10.10.10.10, local 10.10.10.50.
FGFMs: Load Cipher [HIGH:-NULL:-aNULL:@STRENGTH]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Connection was interrupted. sockevents[4] sslerr[0]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Cleanup session 0x7f375bea9800, 10.10.10.10.
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Destroy session 0x7f375bea9800, 10.10.10.10.
In this case, the connection between the FortiGate and FortiManager must be fixed before any configuration or policy package is pushed to the FortiGate, so that the policy package status stays correct.
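The two pre-install checks above (an enabled FortiOS ADOM whose version matches the FortiGate firmware branch, and an FGFM tunnel that is not being interrupted) can be scripted against the CLI output shown. The following is an added example, not Fortinet code: it parses a trimmed copy of the `diagnose dvm adom list` table and a constructed `diagnose debug application fgfmsd -1` capture (placeholder serial number, the same private IPs as above), and the function names `parse_adom_list`, `matching_fos_adoms`, `interrupted_fgfm_sessions` and `preinstall_findings` are this example's own.

```python
"""Pre-install checks for a FortiManager-managed FortiGate (added example).

Parses the output of two FortiManager CLI commands shown in the article:
  - 'diagnose dvm adom list'  (is there an enabled FOS ADOM for the firmware branch?)
  - 'diagnose debug application fgfmsd -1' (was the FGFM tunnel interrupted?)
Function names and both sample captures below are constructed for this example.
"""
import re

# Constructed sample: trimmed version of the ADOM list shown in the article.
ADOM_LIST = """\
There are currently 4 ADOMs:
OID      STATE    PRODUCT OSVER MR  NAME                MODE    VPN MANAGEMENT        IPS
192      enabled  FOS     6.0   0   6_0_ADOM            Normal  Policy & Device VPNs  15.763
167      enabled  unknown 8.0   4   FortiNAC            Normal  Policy & Device VPNs  0.0
3        enabled  FOS     6.0   0   root                Normal  Central VPN Console   15.763
10       enabled  FOS     6.0   0   Global              Normal  Policy & Device VPNs  15.763
---End ADOM list---
"""

# Constructed sample fgfmsd debug output (the serial number is a placeholder).
FGFM_DEBUG = """\
FMG # __start_tunnel_by_devlist,328: devid=194, admin=admin.
FGFMs(probing...): Create session 0x7f375bea9800.
FGFMs(FGVMXXXXXXXXXXXX-194-10.10.10.10): Connect to 10.10.10.10, local 10.10.10.50.
FGFMs: Load Cipher [HIGH:-NULL:-aNULL:@STRENGTH]
FGFMs(FGVMXXXXXXXXXXXX-194-10.10.10.10): Connection was interrupted. sockevents[4] sslerr[0]
FGFMs(FGVMXXXXXXXXXXXX-194-10.10.10.10): Cleanup session 0x7f375bea9800, 10.10.10.10.
FGFMs(FGVMXXXXXXXXXXXX-194-10.10.10.10): Destroy session 0x7f375bea9800, 10.10.10.10.
"""

# OID STATE PRODUCT OSVER MR NAME ... (later columns contain spaces, so stop at NAME)
ADOM_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+)\s+(\d+)\s+(\S+)")
FGFM_LINE = re.compile(r"^FGFMs\(([^)]+)\): (.*)$")


def parse_adom_list(text):
    """Return one dict per ADOM row of 'diagnose dvm adom list' output."""
    adoms = []
    for line in text.splitlines():
        m = ADOM_ROW.match(line)
        if m:
            oid, state, product, osver, mr, name = m.groups()
            adoms.append({"oid": int(oid), "state": state, "product": product,
                          "osver": osver, "mr": int(mr), "name": name})
    return adoms


def firmware_branch(firmware):
    """'v6.0.5' or '6.0.5,build0268' -> '6.0' (major.minor is the ADOM branch)."""
    m = re.search(r"(\d+)\.(\d+)", firmware)
    if not m:
        raise ValueError(f"cannot read a version from {firmware!r}")
    return f"{m.group(1)}.{m.group(2)}"


def matching_fos_adoms(adom_text, firmware):
    """Names of enabled FortiOS ADOMs whose OSVER equals the FortiGate firmware branch."""
    branch = firmware_branch(firmware)
    return [a["name"] for a in parse_adom_list(adom_text)
            if a["product"] == "FOS" and a["state"] == "enabled" and a["osver"] == branch]


def interrupted_fgfm_sessions(debug_text):
    """Sorted (devid, ip) pairs for every FGFM session the debug shows as interrupted."""
    failed = set()
    for line in debug_text.splitlines():
        m = FGFM_LINE.match(line)
        if not m or "Connection was interrupted" not in m.group(2):
            continue
        # Session tag is <serial>-<devid>-<ip>; the serial may itself contain dashes.
        _serial, devid, ip = m.group(1).rsplit("-", 2)
        failed.add((devid, ip))
    return sorted(failed)


def preinstall_findings(firmware, adom_text, debug_text, devid):
    """Problems that would make an install fail or put the unit in the wrong ADOM."""
    findings = []
    if not matching_fos_adoms(adom_text, firmware):
        findings.append(f"no enabled FOS ADOM for firmware branch {firmware_branch(firmware)}")
    for failed_devid, ip in interrupted_fgfm_sessions(debug_text):
        if failed_devid == devid:
            findings.append(f"FGFM tunnel to device {devid} ({ip}) was interrupted")
    return findings


if __name__ == "__main__":
    for problem in preinstall_findings("v6.0.5", ADOM_LIST, FGFM_DEBUG, "194"):
        print("PROBLEM:", problem)
```

The ADOM parser deliberately stops at the NAME column because the MODE and VPN MANAGEMENT columns contain spaces; the FGFM parser only looks for the "Connection was interrupted" marker that the article's capture shows, so a capture with no such line yields no finding rather than a claim that the tunnel is healthy.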

Once all of the above has been verified and the units have been added to FortiManager, the import wizard offers two options when a policy package is imported for the first time: import all policies and objects, or import selected policies together with only the objects those policies use.

The default is to import all policies and only the objects the policies depend on.
However, if importing all objects is chosen, FortiManager will, the next time the policy package is installed, install only the objects used by policies and remove any unused objects (such as unused addresses and services) from the FortiGate.

At the end of the import wizard, verify that the import task is successful by checking the import summary:

If any objects or policies were not imported, download the import summary and check the 'objects/policies not imported' section.

Policy package status can be one of the following.

1) Imported: Policy package imported from FortiGate and has a green checkmark.




2) Modified: Changes have been made to the policy package on FortiManager and have not yet been installed to the FortiGate(s):

Installing the policy package changes to the FortiGate(s) will bring the package back in sync.




3) Out-of-sync: changes have been made on the FortiGate directly to the policies.

In this case, one of the following can be done:

- Install to sync the policy package again (If the FortiManager policy package is the most updated and it's the one that you want to keep).

- A manual Import Policy step is required to import the device database firewall policy and object changes into the ADOM database (If the FortiGate policies and objects are the most updated).




4) Installed: The policy package has been installed to the FortiGate(s).




5) Never Installed: There is no policy package for this unit.

Either the policies and objects have not been imported yet, or no policy package is assigned to this unit.





6) Conflict: Changes have been made to the policies or policies objects on both sides (FortiGate and FortiManager):

A manual import policy or install operation has to be performed to remove the Conflict status.





7) Unknown: FortiManager is unable to determine whether the retrieved FortiGate configuration changes concerned firewall policies or objects. This happens when the policy package and the configuration were changed on both sides and the configuration was then retrieved:

An install or import policy operation is required to synchronize the policy package database with the device database.





Conclusion

FortiManager has two databases:

1) Device Database: all configuration that can be done under 'Device Manager'.

2) ADOM Database: all configuration that can be done under 'Policy & Objects'.

Note:
Not all configuration options are visible in the GUI by default; they must be enabled from the Tools -> Display Options menu, which can be found under each section.

Some other options can be configured only under 'CLI Configuration' or under 'CLI Only Objects', which can be enabled under each section from Tools -> Display Options.

- All configuration is saved in the device DB; only the policy & objects configuration has a copy in the ADOM DB.

- If the configuration is changed on the FortiGate directly while it is managed by FortiManager, the configuration is updated automatically in the FortiManager device DB, and the config status shows as 'auto-updated'.
No action is needed on FortiManager, as the changes are saved to the unit's device DB on FortiManager automatically.

- However, if a policy or an object is changed on the FortiGate directly, the policy package must be imported again to update the FortiManager ADOM DB with the new changes.

- Configuration is pushed from the FortiGate to the FortiManager device DB, but policies and objects reach the ADOM DB only by importing them from the device DB. If policy and object changes are made on the FortiGate directly, followed by policy and object changes on FortiManager, and an installation is then performed, the changes that were added directly on the FortiGate are replaced by the installation, because they are not in the FortiManager ADOM DB.

- Configuration changes made on FortiManager are NOT installed on the FortiGates automatically.
The configuration is pushed to the FortiGates only after an install action is performed from FortiManager.

- Under Device Manager, there are two columns: Config Status and Policy Package Status.

- If a green checkmark is visible under Config Status, whether it reads synchronized or auto-updated, the FortiManager device DB matches the FortiGate configuration.
If they differ, an install or a retrieve is required to return to the correct status, depending on which configuration is the most up to date and correct.

- If a green checkmark is visible under Policy Package Status, the FortiManager device DB matches the ADOM DB.
If they differ, an install or an import is required to return to the correct status, depending on which configuration is the most up to date and correct.
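The conclusion above describes three copies of the policy set (the FortiGate itself, the FortiManager device DB, and the ADOM DB) and the rules by which each is updated. The following is an added example, not Fortinet code, that models only those stated rules in a small Python class: direct FortiGate changes are auto-copied to the device DB, the ADOM DB learns of them only through an import, and an install overwrites the FortiGate with the ADOM DB. It reproduces the failure mode described above, where a policy added directly on the FortiGate is removed by an install that was not preceded by an import. The class and function names, the status derivation, and the sample policies are this example's own constructions.

```python
"""Toy model of FortiGate / device DB / ADOM DB synchronization (added example).

Only the rules stated in the article are modelled:
  - a change made directly on the FortiGate is auto-copied to the device DB,
  - the ADOM DB learns about FortiGate policy changes only through Import Policy,
  - Install pushes the ADOM DB to the FortiGate, replacing policies that exist only
    on the FortiGate because they were never imported.
Class, method and sample policy names are constructed for this example.
"""


class ManagedFortiGate:
    def __init__(self, policies):
        self.fortigate = dict(policies)   # firewall policies on the unit
        self.device_db = dict(policies)   # FortiManager device DB (auto-updated)
        self.adom_db = dict(policies)     # ADOM DB policy package
        self.baseline = dict(policies)    # package as of the last import/install
        self.config_status = "synchronized"
        self.pkg_status = "Imported"

    # -- events --------------------------------------------------------------
    def change_on_fortigate(self, name, rule):
        """Admin edits a policy on the FortiGate directly (rule=None deletes it)."""
        for db in (self.fortigate, self.device_db):  # device DB follows automatically
            if rule is None:
                db.pop(name, None)
            else:
                db[name] = rule
        self.config_status = "auto-updated"
        self._refresh_pkg_status()

    def change_on_fortimanager(self, name, rule):
        """Admin edits the package under Policy & Objects; nothing is pushed yet."""
        if rule is None:
            self.adom_db.pop(name, None)
        else:
            self.adom_db[name] = rule
        self._refresh_pkg_status()

    def import_policy(self):
        """Import Policy: device DB policies overwrite the ADOM DB package."""
        self.adom_db = dict(self.device_db)
        self.baseline = dict(self.adom_db)
        self.pkg_status = "Imported"

    def install(self):
        """Install: the ADOM DB package overwrites the FortiGate.

        Returns the names of policies that existed only on the FortiGate (or differed
        from the ADOM DB) and were therefore removed or replaced by the install."""
        lost = {n for n, r in self.fortigate.items() if self.adom_db.get(n) != r}
        self.fortigate = dict(self.adom_db)
        self.device_db = dict(self.adom_db)
        self.baseline = dict(self.adom_db)
        self.config_status = "synchronized"
        self.pkg_status = "Installed"
        return sorted(lost)

    # -- status --------------------------------------------------------------
    def _refresh_pkg_status(self):
        changed_on_fmg = self.adom_db != self.baseline
        changed_on_fgt = self.device_db != self.baseline
        if changed_on_fmg and changed_on_fgt:
            self.pkg_status = "Conflict"
        elif changed_on_fmg:
            self.pkg_status = "Modified"
        elif changed_on_fgt:
            self.pkg_status = "Out-of-sync"
        # otherwise the last import/install status still applies


def unsafe_install_scenario():
    """Direct FortiGate change, then an FMG change, then Install without Import."""
    m = ManagedFortiGate({"allow_web": "lan->wan tcp/443"})
    m.change_on_fortigate("allow_dns", "lan->wan udp/53")
    after_fgt_change = m.pkg_status
    m.change_on_fortimanager("allow_ssh", "mgmt->lan tcp/22")
    after_fmg_change = m.pkg_status
    lost = m.install()
    return after_fgt_change, after_fmg_change, lost, sorted(m.fortigate)


def safe_install_scenario():
    """Same edits, but Import Policy is run before the FMG change and the Install."""
    m = ManagedFortiGate({"allow_web": "lan->wan tcp/443"})
    m.change_on_fortigate("allow_dns", "lan->wan udp/53")
    m.import_policy()
    m.change_on_fortimanager("allow_ssh", "mgmt->lan tcp/22")
    after_fmg_change = m.pkg_status
    lost = m.install()
    return after_fmg_change, lost, sorted(m.fortigate)


if __name__ == "__main__":
    print("without import:", unsafe_install_scenario())
    print("with import:   ", safe_install_scenario())
```

The `unsafe_install_scenario` path walks through the statuses in the order the article lists them (Out-of-sync after the direct change, Conflict once FortiManager is also edited) and ends with `allow_dns` missing from the FortiGate; the `safe_install_scenario` path shows that one Import Policy before editing on FortiManager leaves the package in the Modified state and lets the install keep both policies.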
