Created on 07-19-2023 08:21 AM
Edited on 09-04-2025 04:01 AM
By Anthony_E
Description
This article describes how per-device mappings work and why a different configuration might be seen on a device when a mapping exists on the object.
Scope
FortiManager.
Solution
In this example, the FortiManager is managing 3 devices. One has VDOMs enabled:
The administrator creates a set of addresses using a naming format that is easy to search for:
The administrator creates an address group with per-device mapping definitions:
Per-device mapping will also be created during the Import Process.
This can be validated in the Import Report at the final step of the Import Process, where such objects are listed as '(name=xxx, oid=yyy, dynamic mapping)'.
Note:
During the Import process, when importing the same address object name with the same configured IP subnet but with different associated interfaces for multiple VDOMs, the address object import might fail due to the Object Interface Binding Conflict. This can result in skipping the import of related policy IDs.
As a workaround, ensure the address object is configured without associated interfaces.
To get more information about the Import Process, follow this KB article: Technical Tip: Configuration import from the device to the ADOM DB/Policy & Objects
If the per-device mapping is not available for the specific object, it will require creating different profiles/objects per device.
It is possible to print the CLI configuration of objects in the ADOM Database with the CLI command 'execute fmpolicy' on the FortiManager. Below is the configuration of this dynamic object, where MapDemo is the name of the ADOM:
exe fmpolicy print-adom-object MapDemo "firewall addrgrp" addr-group
Dump object [addr-group] of category [firewall addrgrp] in adom [MapDemo]:
---------------
config firewall addrgrp
    edit "addr-group"
        set uuid e4c7d394-2643-51ee-addf-bbd796cba1b7
        set member "addr-20" "addr-10"
        config dynamic_mapping
            edit "FGT1"-"root"
                set member "addr-30"
                set uuid e4dd52d2-2643-51ee-1e2c-fdf490fc3b7f
            next
            edit "FGT2"-"VDOM1"
                set member "addr-60" "addr-50"
                set uuid e4ddc384-2643-51ee-23da-dcb178365d9c
            next
        end
    next
end
The 'config dynamic_mapping' command is not valid FortiGate CLI; it is specific to the ADOM database. It is the Per-Device Mapping configuration seen in the GUI screenshots above.
The mapping is expected to behave for each device as follows. Remember that the dynamic mapping overwrites the default value of the object 'addr-group' rather than merging with it:
FGT1, root VDOM (mapping "FGT1"-"root"):
config firewall addrgrp
    edit "addr-group"
        set member "addr-30"
    next
end
FGT2, VDOM1 (mapping "FGT2"-"VDOM1"):
config firewall addrgrp
    edit "addr-group"
        set member "addr-60" "addr-50"
    next
end
FGT3 and the root VDOM of FGT2 (no mapping, so the default member list applies):
config firewall addrgrp
    edit "addr-group"
        set member "addr-20" "addr-10"
    next
end
If a new address is to be added to the 'addr-group' address group on all devices, the administrator needs to add it to every section of the configuration: not only to the member list at the top, but also to every per-device mapping definition in the address group object.
If the administrator only updates the member list at the top, only devices that do not have a mapping are updated. In this example, that would be FGT3 and the root VDOM on FGT2.
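The resolution rule above (a per-device mapping replaces the default member list for that device/VDOM, and a member added only at the top never reaches mapped devices) can be checked offline. The following is an added example, not code from the article or from FortiManager: it parses a constructed copy of the 'execute fmpolicy' dump shown above and resolves the effective members per device. The helper names are the example's own.

```python
import re

# Constructed sample: the ADOM DB dump of 'addr-group' as printed by
# 'execute fmpolicy print-adom-object' on this page (uuid lines omitted).
ADOM_DUMP = """\
config firewall addrgrp
    edit "addr-group"
        set member "addr-20" "addr-10"
        config dynamic_mapping
            edit "FGT1"-"root"
                set member "addr-30"
            next
            edit "FGT2"-"VDOM1"
                set member "addr-60" "addr-50"
            next
        end
    next
end
"""

def parse_addrgrp(dump):
    """Return (default_members, {(device, vdom): members}) from a dump."""
    default, mappings, current, in_mapping = [], {}, None, False
    for line in (l.strip() for l in dump.splitlines()):
        if line == "config dynamic_mapping":
            in_mapping = True
        elif in_mapping and line.startswith("edit "):
            # mapping keys look like: edit "FGT1"-"root"
            current = tuple(re.findall(r'"([^"]+)"', line))
            mappings[current] = []
        elif line.startswith("set member "):
            target = default if current is None else mappings[current]
            target.extend(re.findall(r'"([^"]+)"', line))
        elif in_mapping and line == "next":
            current = None
        elif in_mapping and line == "end":
            in_mapping = False
    return default, mappings

def effective_members(default, mappings, device, vdom):
    """A per-device mapping replaces (does not merge with) the default list."""
    return list(mappings.get((device, vdom), default))

def add_member(default, mappings, new, everywhere):
    """Add 'new' to the top-level list and, if everywhere, to every mapping."""
    default.append(new)
    if everywhere:
        for members in mappings.values():
            members.append(new)
```

Running add_member with everywhere=False reproduces the pitfall described above: FGT3 and FGT2 root pick up the new address while FGT1 root and FGT2 VDOM1 keep their mapped list unchanged.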
Related article:
Technical Tip: Configuration import from the device to the ADOM DB/Policy & Objects
Copyright 2025 Fortinet, Inc. All Rights Reserved.