FortiManager
singhl
Staff
Article Id 350900
Description This article describes how to synchronize a VPN tunnel created by VPN Manager after the device was removed from and re-added to FortiManager.
Scope FortiManager.
Solution

When VPN tunnels were created by VPN Manager and the FortiGate is later removed from FortiManager for any reason, the device goes out of sync with FortiManager. Once the device is added back, the VPN tunnels will be removed on the next policy package install.

To avoid the removal of tunnels, follow these steps: 

  1. Confirm the tunnel number of the device being added back. It can be read from a managed hub device when using the 'Hub & Spoke' topology, or from any managed device when using the 'Site-to-Site' (mesh) topology.

[Screenshot: vpnmgr_tunnel.png]


Note:

The tunnel names that VPN Manager installs on the FortiGate device carry a hexadecimal sequence number, while the IDs of the vpnmgr nodes in the FortiManager database are decimal. Therefore the 10th vpnmgr node has its tunnel named 1a, and the 16th node has its tunnel named 10.


  2. Check the VPN Manager node in the policy DB using the following command in the FortiManager CLI:


exe fmpolicy print-adom-object 3 1005 all


Example of CLI output showing the vpnmgr node for the 'VPN-Mesh_a' tunnel:

[Screenshot: vpnmgr_node.png]

  3. Once the ID missing from the 'vpnmgr node' table has been identified, create a script by copying the syntax of one of the vpnmgr nodes in the same community (if there is more than one community, make sure to use the syntax of the correct one).
  4. Create a CLI script to run on 'Policy Package or ADOM Database'. In the following example, the device had ID 4 when the tunnel was created:


config vpnmgr node
    edit "4"
        set vpntable "VPN"
        set role spoke
        set iface "wan1"
        set automatic_routing enable
        set net-device disable
        set network-id 0
        config protected_subnet
            edit 1
                set addr "FABRIC_DEVICE"
            next
        end
        set _scope "FortiGate-200E"-"root"
    next
end


  5. Run the script. It adds the vpnmgr node back, and further installations to the device will no longer remove the tunnel.
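As an added helper that is not part of the article or of FortiManager itself, the following Python works through steps 1 to 5 offline: it maps the hexadecimal tunnel suffixes seen on the hub back to decimal vpnmgr node IDs, lists the IDs that have a tunnel but no node in the policy DB, and builds the re-add script from a sibling node's syntax. The tunnel naming pattern '<community>_<hex id>', the sample tunnel names, the DB node IDs and the sibling node block are constructed assumptions.

```python
import re

# Constructed sample data (not from the article): tunnel names on the hub FortiGate
# (suffix = node ID in hex) and vpnmgr node IDs in the policy DB (decimal); node 4 is missing.
HUB_TUNNEL_NAMES = ["VPN-Mesh_1", "VPN-Mesh_2", "VPN-Mesh_3", "VPN-Mesh_4", "VPN-Mesh_a"]
DB_NODE_IDS = [1, 2, 3, 10]

# Constructed sibling node from the same community, in the article's syntax.
SIBLING_NODE = """config vpnmgr node
    edit "3"
        set vpntable "VPN"
        set role spoke
        set iface "wan1"
        set automatic_routing enable
        set net-device disable
        set network-id 0
        config protected_subnet
            edit 1
                set addr "FABRIC_DEVICE"
            next
        end
        set _scope "FortiGate-60F"-"root"
    next
end
"""

def tunnel_name_to_node_id(name: str, community: str) -> int:
    """Map '<community>_<hex>' to the decimal node ID (assumed naming pattern)."""
    prefix = community + "_"
    if not name.startswith(prefix):
        raise ValueError(f"{name!r} is not a tunnel of community {community!r}")
    return int(name[len(prefix):], 16)

def missing_node_ids(tunnel_names, db_node_ids, community):
    """Node IDs that have a tunnel on the hub but no vpnmgr node in the policy DB."""
    on_hub = {tunnel_name_to_node_id(n, community) for n in tunnel_names}
    return sorted(on_hub - set(db_node_ids))

def script_from_sibling_node(sibling, new_id, device, vdom):
    """Build the re-add script by swapping the node ID and _scope of a sibling node."""
    out = re.sub(r'^([ \t]*edit )"\d+"$', lambda m: f'{m.group(1)}"{new_id}"',
                 sibling, count=1, flags=re.M)
    return re.sub(r'^([ \t]*set _scope ).*$', lambda m: f'{m.group(1)}"{device}"-"{vdom}"',
                  out, count=1, flags=re.M)

if __name__ == "__main__":
    for node_id in missing_node_ids(HUB_TUNNEL_NAMES, DB_NODE_IDS, "VPN-Mesh"):
        print(script_from_sibling_node(SIBLING_NODE, node_id, "FortiGate-200E", "root"))
```

Compare the generated block against the real sibling node before running it as a CLI script, since any community-specific setting other than the ID and scope is copied through unchanged.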

Related article:

Technical Tip: Deploying VPN configuration via FortiManager VPN Manager