FortiManager
markwarner (Staff)
Article Id 264862

Description

This article describes how per-device mappings work and why a different configuration might be seen on a device when a mapping exists on the object.

Scope

FortiManager, all versions.

Solution

In this example, the FortiManager is managing 3 devices. One has VDOMs enabled:

[Screenshot 01.png: managed devices]

The administrator creates a set of addresses using a naming format that is easy to search for:

[Screenshot 02.png: address objects]

The administrator creates an address group with per-device mapping definitions:

[Screenshot 03.png: address group with per-device mappings]

It is possible to print out the CLI configuration of objects in the ADOM database using the CLI command execute fmpolicy on the FortiManager. Below is the configuration of this dynamic object; MapDemo is the name of the ADOM:

exe fmpolicy print-adom-object MapDemo "firewall addrgrp" addr-group
Dump object [addr-group] of category [firewall addrgrp] in adom [MapDemo]:
---------------
config firewall addrgrp
    edit "addr-group"
        set uuid e4c7d394-2643-51ee-addf-bbd796cba1b7
        set member "addr-20" "addr-10"
            config dynamic_mapping
                edit "FGT1"-"root"
                    set member "addr-30"
                    set uuid e4dd52d2-2643-51ee-1e2c-fdf490fc3b7f
                next
                edit "FGT2"-"VDOM1"
                    set member "addr-60" "addr-50"
                    set uuid e4ddc384-2643-51ee-23da-dcb178365d9c
                next
            end
    next
end

The config dynamic_mapping block is not valid FortiGate CLI; it exists only in the ADOM database. It is the Per-Device Mapping configuration seen in the GUI screenshots above.

The mapping is expected to behave for each device as follows:

  • FGT1 has a per-device mapping for 'addr-30', so this configuration will be installed:

config firewall addrgrp
    edit "addr-group"
        set member "addr-30"
    next
end

  • FGT2 has VDOMs enabled and VDOM1 has a mapping, so this configuration will be installed to VDOM1:

config firewall addrgrp
    edit "addr-group"
        set member "addr-60" "addr-50"
    next
end

  • FGT3 and the root VDOM on FGT2 do not have mappings, so the member list at the top of the object will be installed. That top-level list is only pushed to devices and VDOMs that do not have a per-device mapping:

config firewall addrgrp
    edit "addr-group"
        set member "addr-20" "addr-10"
    next
end

If a new address is to be added to the 'addr-group' address group on all devices, the administrator needs to add it in every section of the object: not only in the top-level member list, but also in every per-device mapping definition in the address group.

If the administrator only updates the top-level member list, only devices and VDOMs without a mapping will receive the new address. In this case, that would be FGT3 and the root VDOM on FGT2.
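As an added illustration (not part of the original article and not Fortinet tooling), the following Python parses the fmpolicy dump above and applies the resolution rule the article describes: a device/VDOM scope with a mapping receives the mapping's members, every other scope receives the top-level member list. The function names, the assumption that a device without VDOMs is addressed as its "root" VDOM, and the scopes_missing check are all assumptions made here; the check reports which scopes would not receive an address that was only added at the top level.

```python
import re

# Constructed copy of the ADOM-database dump shown in the article (uuids omitted).
ADOM_DUMP = """config firewall addrgrp
    edit "addr-group"
        set member "addr-20" "addr-10"
            config dynamic_mapping
                edit "FGT1"-"root"
                    set member "addr-30"
                next
                edit "FGT2"-"VDOM1"
                    set member "addr-60" "addr-50"
                next
            end
    next
end
"""

def parse_addrgrp(dump):
    """Return (top_level_members, {(device, vdom): members}) from a dump."""
    default, mappings, scope = [], {}, None
    for line in dump.splitlines():
        s = line.strip()
        # Per-device mapping entries are keyed as edit "<device>"-"<vdom>".
        m = re.match(r'edit "([^"]+)"-"([^"]+)"$', s)
        if m:
            scope = (m.group(1), m.group(2))
            continue
        if s == "next":
            scope = None
            continue
        if s.startswith("set member "):
            members = re.findall(r'"([^"]+)"', s)
            if scope is None:
                default = members          # top-level member list
            else:
                mappings[scope] = members  # per-device mapping
    return default, mappings

def effective_members(default, mappings, device, vdom="root"):
    """Members that would be installed on one device/VDOM scope."""
    return mappings.get((device, vdom), default)

def scopes_missing(default, mappings, member, scopes):
    """Scopes whose installed group would not contain `member`."""
    return [s for s in scopes
            if member not in effective_members(default, mappings, *s)]
```

Running scopes_missing after appending a new address only to the top-level list reproduces the article's warning: the mapped scopes FGT1/root and FGT2/VDOM1 never receive it.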