FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
farhanahmed
Staff
Article Id 348685
Description This article describes the impact of removing a provisioning template that was previously applied to a device in FortiManager.
Scope FortiManager
Solution

Provided that the FortiGate is synchronized with FortiManager, removing a previously applied provisioning template has a different impact depending on the type of template:

 

  • IPSec Template: When an IPSec Template is used to create VPN tunnels, FortiManager adds the comment [Created by IPSec template] to the IPsec phase1 and phase2 config and the related static routes. If the template is removed, FortiManager will try, on the next install, to delete the VPN tunnels and static routes that carry that comment tag. If the tunnels or tunnel interfaces are referenced in another configuration, such as SD-WAN configuration or policies, FortiManager may fail to remove them, causing an install failure.

 

If the VPN settings are required to remain in place, either assign the template back to the FortiGate or remove the comment (Created by IPSec template) from the IPsec phase1 and phase2 config and the related static routes, which will allow FortiManager to ignore them.

Refer to this KB article: Technical Tip: Remove comment (Created by IPSec Template)...using TCL Script.


If VPN settings need to be removed but the installation is failing, make sure to remove all references to the tunnels and tunnel interfaces so that the tunnels can be successfully removed as well.

 

  • SD-WAN Overlay Template: On its own, this template does not change any config; it only creates the related CLI, IPSec and BGP templates (and a template group). Hence, removing it has no impact, unless the template group is also removed, in which case the VPN tunnels will be deleted because of the IPSec templates (which are part of the template group).

  • CLI Template: No impact, unless the template is actively being used to force a config.

 

Changes made by the other templates (for example: SD-WAN, BGP, Static, etc.) are at the device-database level and do not remove any config from FortiGate if the templates are unassigned or removed.
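An added example, not part of the original article or of Fortinet's tooling: a pre-check for the IPSec Template case above that scans a FortiGate configuration backup for tunnels carrying the template comment and lists the settings that still reference them, which are what can make the delete fail on install. The sample configuration is constructed, and the comment text and the `comments`/`comment` field names are assumed to match what appears in the device's backup.

```python
import shlex

TAG = "created by ipsec template"  # comment text from the article, lowercased
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "HUB1"
        set comments "[Created by IPSec template]"
    next
end
config router static
    edit 5
        set device "HUB1"
        set comment "[Created by IPSec template]"
    next
end
config system sdwan
    config members
        edit 1
            set interface "HUB1"
        next
    end
end
'''  # constructed sample of a config backup, not real device output

def parse(text):  # yields (config path, edit id, key, values) per 'set' line
    stack = []
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            path = " > ".join(n for k, n in stack if k == "config")
            edit = next((n for k, n in reversed(stack) if k == "edit"), None)
            yield path, edit, tok[1], tok[2:]

def blocking_references(text):
    """Map each template-tagged tunnel to the settings that still reference it."""
    rows = list(parse(text))
    tagged = {(p, e) for p, e, k, v in rows
              if k in ("comment", "comments") and TAG in " ".join(v).lower()}
    tunnels = {e for p, e in tagged if p == "vpn ipsec phase1-interface"}
    refs = {}
    for p, e, k, v in rows:
        # Tunnel definitions and tagged routes are removed together, so skip them.
        if not p.startswith("vpn ipsec") and (p, e) not in tagged:
            for name in tunnels.intersection(v):
                refs.setdefault(name, []).append(f"{p} [{e}] {k}")
    return refs

if __name__ == "__main__": print(blocking_references(SAMPLE))
```

An empty result means no remaining references were found for the tagged tunnels; any entry listed is a reference to remove before unassigning the template.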

 

Related documents:

Provisioning Templates.

Technical Tip: Remove comment (Created by IPSec Template)...using TCL Script.