FortiManager
eribeiro
Staff
Article Id 351242
Description

 

This article describes the process of copying global policies from one FortiManager to another.

 

Scope

 

FortiManager.

 

Solution
 

Run the commands below on FortiManager-01:

 

  1. In the CLI, print the firewall rules on the Global database by running the command below:

 

List the policies:

 

execute fmpolicy print-adom-package Global 1 (After the command, press ?)


 


 

Select the Global Policy Package and list all the options available:

 


 

Print the policies on the global header policy. (Note: If other policies are created in different categories, like the global footer policy, it is necessary to change the ID from 1474 to 1476 to list the header policies. This is applicable for all categories listed above.)

 


Copy and paste the policies listed to a notepad.

 

Execute the procedure below on FortiManager-02:

 

  1. Go to Global Database -> Object Configurations -> Create new -> Type in the name and paste the configurations -> Select OK. The script will create the policies above on the Global Database. It is possible to add all categories for the global policy package in the same script (for example, the global header and footer policies).

 


 

Note: 

If the FortiManager is a fresh install, the global policy package must be created before running the script.

 

  1. Run the script by selecting it and selecting Run Script:

 

  1. Select the policy package and select Run Now:

 


 

  1. Check the newly created policies in the Global ADOM:

 


 

Note: 

A common issue that causes the script to fail is missing firewall objects in the Global Database. Before running the script, check if the object exists on the Global Database. To create the firewall objects through the script, consult Technical Tip: How to create firewall objects in FortiManager ADOM database with scripts.

 


 

  1. After the global policy package has been added, it will be possible to assign it to ADOMs. Go to Assignment -> Add ADOM -> Select the ADOM/s and select OK -> Select the desired option on Assign to Policy Packages and select OK.

 


 

  1. To assign the ADOM, select the added ADOM and right-click to assign it.


 

  1. Select Assign.

 


 

Note:

Firewall objects duplicated between the Global Database and the ADOMs are a common issue that causes the policies to fail.

 


Fix this issue by renaming the conflicting objects on the ADOM. FortiManager does not allow the same object name to exist on both ADOMs before installing the global policy.

 

  1. Go to the ADOM, assign the Global Policy, and then Install the Policy Package.
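
A pre-flight check for the two failure causes noted above (objects missing from the Global Database, and object names duplicated between the Global Database and an ADOM), added here as an example; it is not part of the original article or of any Fortinet tooling. It assumes the pasted policies use FortiOS-style `edit` / `set` / `next` lines and that the object-name lists were collected separately; the sample script, object names and function names are constructed for illustration.

```python
import shlex

REF_KEYS = {"srcaddr", "dstaddr", "service"}  # policy fields that name firewall objects

def referenced_objects(script_text):
    """Map each policy ID ('edit N') to the object names it references."""
    refs, current = {}, None
    for raw in script_text.splitlines():
        try:
            parts = shlex.split(raw)  # keeps quoted names with spaces intact
        except ValueError:
            continue  # unbalanced quote, e.g. a multi-line comment field
        if len(parts) >= 2 and parts[0] == "edit":
            current = parts[1]
            refs[current] = set()
        elif parts[:1] == ["next"]:
            current = None
        elif current is not None and len(parts) > 2 and parts[0] == "set" and parts[1] in REF_KEYS:
            refs[current].update(parts[2:])
    return refs

def preflight(script_text, global_objects, adom_objects):
    """Return (missing, conflicts), each as {object name: [policy IDs using it]}."""
    missing, conflicts = {}, {}
    for policy_id, names in referenced_objects(script_text).items():
        for name in sorted(names):
            if name not in global_objects:   # script would fail: object not in Global Database
                missing.setdefault(name, []).append(policy_id)
            if name in adom_objects:         # assignment would fail: same name exists in the ADOM
                conflicts.setdefault(name, []).append(policy_id)
    return missing, conflicts

# Constructed sample: two header policies as they might be pasted into the script.
SAMPLE_SCRIPT = '''
edit 1
    set srcaddr "gall"
    set dstaddr "g-blocklist" "g-sinkhole"
    set service "gALL"
next
edit 2
    set dstaddr "g-dns-servers"
    set service "g-dns"
next
'''
# Constructed object-name lists for the target Global Database and one ADOM.
GLOBAL_OBJECTS = {"gall", "gALL", "g-blocklist", "g-dns-servers", "g-dns"}
ADOM_OBJECTS = {"all", "ALL", "DNS", "g-blocklist"}
if __name__ == "__main__":
    print(preflight(SAMPLE_SCRIPT, GLOBAL_OBJECTS, ADOM_OBJECTS))
```

Anything reported as missing should be created in the Global Database before running the script, and anything reported as a conflict should be renamed on the ADOM before assigning the global policy package.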

 

Related documents: