Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
farhanahmed
Staff
Staff

Created on ‎10-10-2024 10:08 PM Edited on ‎01-21-2025 12:23 PM By Staff

Article Id 348685

Technical Tip: Impact of removing a provisioning template that was previously applied to a device in FortiManager

Description This article describes what is the impact of removing a provisioning template that was previously applied to a device in FortiManager.
Scope FortiManager
Solution

Provided that the FortiGate is synchronized with FortiManager, removing a previously applied provisioning template has different impact depending on type of the template:

 

  • IPSec Template: When IPSec Template is used to create VPN tunnels, FortiManager adds a comment [Created by IPSec template] in the ipsec phase1 and phase2 config and related static routes. If the template is removed, FortiManager on next install will try to delete the VPN tunnels and static routes with that comment tag. If the tunnels or tunnel interfaces are being referenced in another configuration such as SD-WAN configuration or policies, FortiManager may fail to remove them causing an install failure.

 

If the VPN settings are required to remain in place, either assign the template back to the FortiGate or remove the comment (Created by IPSec template) from the IPsec phase1 and phase2 config and related static routes which will allow FortiManager to ignore them.

Refer to this KB article: Technical Tip: Remove comment (Created by IPSec Template)...using TCL Script.


If VPN settings need to be removed but the installation is failing, make sure to remove all references to the tunnels and tunnel interfaces so that the tunnels can be successfully removed as well.

 

  • SD-WAN Overlay Template: This template on its own does not change any config except creating related CLI, IPSec and BGP templates (and a template group). Hence, no impact if removed.
    Unless the template group is removed, in which case the VPN tunnels will be deleted because of IPSec templates (which is part of the template group).

  • CLI Template: No Impact, unless the template is actively being used to force a config.

 

The other templates' (for example: SD-WAN, BGP, Static, etc) changes are device-database level and do not remove any config from FortiGate if the templates are unassigned/removed.

 

Related documents:

Provisioning Templates.

Technical Tip: Remove comment (Created by IPSec Template)...using TCL Script.

Technical Tip: How to create IPSec Template and assign to a device using JSON API
Labels:
938
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.