Description
This article describes FortiManager behavior when importing a Remote Certificate from multiple FortiGates.
Scope
FortiManager.
Solution
FortiManager is designed to be a central management unit that can manage different versions and platforms of FortiGate. Most objects can be dynamic, which means FortiManager is able to create a per-device mapping so that a different FortiGate can have a different value for the same object. The Remote Certificate object has no dynamic attribute, so FortiManager is unable to create a per-device mapping for it. As a result, importing a Remote Certificate from multiple FortiGates where the object has the same name but a different value on each device can cause an issue.
In this example, two FortiGates (FGT1 and FGT2) each have a Remote Certificate named REMOTE_Cert_1 that is used in a Firewall Policy:
Add both FortiGates as managed devices in FortiManager and ensure the Config Status is 'Synchronized':
After importing one of the FortiGates (FGT1 in this example), its Policy Package Status will be Synchronized, and REMOTE_Cert_1 can be seen in Policy & Objects -> Advanced -> Remote Certificate:
Proceed to import the configuration of the second FortiGate (FGT2); FortiManager will display a prompt notifying of an Object Conflict.
Note: A conflicting object is one whose name is the same across FortiGates but whose value differs on each device. FortiManager is unable to create a per-device mapping for such an object because it has no dynamic attribute.
Complete the import process. In the Device Manager, only the most recently imported FortiGate will be Synchronized, while the other will show as Modified:
This is because, during the previous steps, the REMOTE_Cert_1 value was overwritten with the value from the latest import. Verify the value in Policy & Objects -> Advanced -> Remote Certificate:
Note: Compare the 'CN' value after the first import and after the second import: after the first import the value is CN=FGT1, and after the second import it is CN=FGT2.
Since the value of the shared object has changed, FortiManager will try to install the updated value to the first FortiGate. To avoid installing unwanted configuration, each unique certificate value needs a unique object name.
Note: REMOTE_Cert_1 is the default name FortiGate assigns when importing a remote certificate. To rename it, the following command can be run:
config vpn certificate remote
After the command is run on all FortiGates to change the certificate name, all FortiGates can be synchronized without issue:
Retrieve the configuration of each FortiGate and import the configuration again:
Both FortiGates are now synchronized in both Config Status and Policy Package Status. Verify further in Policy & Objects -> Advanced -> Remote Certificate:
FortiManager will now have two unique remote certificates with unique values, and subsequent installs will not try to change the remote certificate.
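As an added example (not part of this Fortinet article and not FortiManager's own logic), the following Python script performs the pre-import check this article motivates: it parses the 'config vpn certificate remote' blocks from each FortiGate configuration backup, hashes each certificate body, and reports any certificate name that is shared across devices with different values, which is exactly the condition FortiManager reports as an Object Conflict. The config fragments and PEM bodies are constructed placeholders, and the function names are the example's own; the device names FGT1 and FGT2 follow the article.

```python
import hashlib
import re
from collections import defaultdict

# Constructed FortiOS config backup fragments for the article's two devices.
# The PEM bodies are placeholders; both devices use the default name REMOTE_Cert_1.
FGT_CONFIGS = {
    "FGT1": '''config vpn certificate remote
    edit "REMOTE_Cert_1"
        set remote "-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQk9EWS1GR1Qx
-----END CERTIFICATE-----"
    next
end''',
    "FGT2": '''config vpn certificate remote
    edit "REMOTE_Cert_1"
        set remote "-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQk9EWS1GR1Qy
-----END CERTIFICATE-----"
    next
end''',
}

BLOCK_RE = re.compile(r"^config vpn certificate remote\n(.*?)^end$", re.S | re.M)
ENTRY_RE = re.compile(r'edit "([^"]+)"\s*\n\s*set remote "(.*?)"\s*\n\s*next', re.S)

def remote_certs(config_text):
    """Return {name: sha256 of PEM body} for every remote certificate entry."""
    certs = {}
    for block in BLOCK_RE.findall(config_text):
        for name, pem in ENTRY_RE.findall(block):
            body = "".join(pem.split())  # ignore line-wrapping differences
            certs[name] = hashlib.sha256(body.encode()).hexdigest()
    return certs

def find_conflicts(configs):
    """Return {name: {device: digest}} for names shared by several devices with
    different bodies: FortiManager cannot per-device map these, so the last import wins."""
    by_name = defaultdict(dict)
    for device, text in configs.items():
        for name, digest in remote_certs(text).items():
            by_name[name][device] = digest
    return {n: d for n, d in by_name.items() if len(set(d.values())) > 1}

if __name__ == "__main__":
    for name, devices in find_conflicts(FGT_CONFIGS).items():
        print(f"conflict: {name} differs on {sorted(devices)}; rename it per device before import")
```

Running the check before the second import flags REMOTE_Cert_1; after the certificate is renamed on one device, the same configs produce no conflict.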
Copyright 2025 Fortinet, Inc. All Rights Reserved.