Created on 04-04-2017 09:47 PM
Edited on 11-13-2025 10:24 PM
By Jean-Philippe_P
Description
This article describes how all unused objects are deleted from the FortiGate when a policy package is installed for the first time after the policy has been imported for a newly added device.
Solution
During the policy package import process, select one of the following options:
Import only policy-dependent Objects:
Consider the following example of importing the policy and objects, and installation.
Figure 1:
Figure 2 shows details about the imported objects. Some objects are already present on the FortiManager with the same name but with different values:
These objects will be updated with the Firewall object values, or FortiManager will keep the object unchanged (depending on what is selected when there is a conflict). See Figure 3 below:
Some Objects are found to be duplicates (objects with the same name and value are already present on the FortiManager). FortiManager keeps these objects in its database and will not take any action.
When installing the policy package to the FortiGate, FortiManager installs only the objects that are used/referenced in the policy (address, address group, web filter profile, etc.) and deletes all unused objects from the FortiGate.
As shown in Figure 4, some objects (106) are seen as deleted because they are not referenced anywhere in the firewall policy.
This is expected behavior: FortiManager installs only the objects that are referenced in the policy and deletes any unused objects from the FortiGate after installation.
To keep unused objects on the FortiGate, create a dummy policy before the deny-all policy and include all unused objects in it.
Note:
As a best practice, save and check the Import Report right away after an Import operation. This report is only available after the Import operation.
The following are some possible outputs from an Import operation:
SUCCESS, "(name=X, oid=XX, new object)" <----- Created a New object.
SKIPPED,"(name=X, oid=XX, DUPLICATE)" <----- Ignored as object has same name and value as already existing object.
SUCCESS,"(name=X, oid=XX, dynamic mapping)" <----- Updated new object value for specific device, only applies for objects compatible with dynamic mapping.
SUCCESS,"(name=X, oid=XX, update previous object)" <----- Already existing object value changed.
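An added example, not part of the original article or of Fortinet's tooling: a small Python parser for a saved Import Report that groups entries by the four outcomes listed above and lists the objects whose existing FortiManager value was overwritten ("update previous object"). The sample lines, object names and oids are constructed, and it assumes report lines follow the shapes shown above; anything else is returned as unparsed.

```python
import re
from collections import defaultdict

# Matches the four line shapes listed above (assumption: real report lines
# follow them); the space after the first comma is optional.
LINE_RE = re.compile(
    r'^(?P<status>[A-Z]+),\s*"\(name=(?P<name>.+?), oid=(?P<oid>[^,]+), '
    r'(?P<action>[^)]+)\)"'
)

# Constructed sample input: object names and oids are made up.
SAMPLE_REPORT = [
    'SUCCESS, "(name=srv-web-01, oid=1201, new object)"',
    'SKIPPED,"(name=all, oid=1187, DUPLICATE)"',
    'SUCCESS,"(name=branch-lan, oid=1202, dynamic mapping)"',
    'SUCCESS,"(name=mgmt-hosts, oid=1190, update previous object)"',
    "constructed line that does not match any known shape",
]


def summarize_import_report(lines):
    """Return (entries grouped by action, overwritten object names, unparsed lines)."""
    by_action = defaultdict(list)
    unparsed = []
    for raw in lines:
        line = raw.split("<-----")[0].strip()  # drop "<-----" annotations
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep unknown lines visible, do not guess
            continue
        by_action[m["action"].strip()].append((m["status"], m["name"], m["oid"]))
    # "update previous object" means an existing FortiManager object changed
    # value, so review these before the first install.
    overwritten = sorted(n for _, n, _ in by_action.get("update previous object", []))
    return dict(by_action), overwritten, unparsed


if __name__ == "__main__":
    groups, overwritten, unparsed = summarize_import_report(SAMPLE_REPORT)
    for action, entries in groups.items():
        print(f"{action}: {len(entries)}")
    print("review before install:", overwritten)
    print("unparsed lines:", len(unparsed))
```

An overwritten object keeps its name but not its value, so any other policy package that references that name is affected as well.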