FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
jchavez
Staff
Article Id 384317
Description: This article describes a workaround for overriding Application Control when adding or modifying a profile, an issue reported as Bug ID 1114832.
Scope: FortiManager v7.4.6, FortiGate v7.4.6.
Solution

In this version of FortiManager, when an Application Control profile exists and an override needs to be applied to some applications, attempting to install the change results in the change not appearing in the install preview and nothing being installed.

In this example, FortiManager version 7.4.6 is used.

1.png

In addition, FortiGate version 7.4.6 is managed by FortiManager.

2.png

In this case, changes are made to cancel 3 applications for AWS and 3 applications for Facebook on the profile named G13.

3.png

This is how the G13 application profile looks with the override.

4.png

In the installation preview, the override change is not included; only the category settings appear.

5.png

When logging in directly to the FortiGate and reviewing the profile 'G13', the override appears blank.

6.png

To apply the workaround, run the following command on FortiManager:

execute fmpolicy print-adom-object root "application list" G13

This command displays all the settings for the Application Control profile. In this case, 'root' is the VDOM; change the name accordingly.

7.png

Copy all of the text from the command output and use it to create a provisioning template: go to Device Manager -> Provisioning Templates -> CLI.

8.png

Once the template is created, assign a device to it by selecting the edit icon in the 'Assigned to Device' column.

9.png

Select the corresponding device, then select 'OK'.

10.png

The template displays the assigned device.

11.png

The last step is to install the policy. In the install preview, 6 application IDs are added for override.

To add another application, its ID is required. The ID must be added to the CLI template, and the changes must then be installed.

12.png

Validation directly on the FortiGate shows that the changes were successfully applied.

13.png

Watch the Workaround video.

Note: This serves as an alternative solution. It is recommended to maintain a CLI template for each FortiGate device to ensure more efficient administration. For any required modifications, additions, or removals, the CLI script must be updated accordingly.

Bug reported in FortiManager v7.4.6: Known issues

If more than three Application Control profiles are in use, it is strongly recommended to upgrade to FortiManager v7.4.7, which addresses this issue. Without the upgrade, managing the workaround can become increasingly complex: Resolved issues 
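
For the validation step, the following Python check compares the override entries in the CLI template with the profile text taken from the FortiGate and lists the application IDs that did not arrive. It is an added example, not part of the original article or of Fortinet's tooling. It assumes both texts use the config/edit/next/end layout; the function names and the sample application IDs are constructed for illustration.

```python
import shlex

# Constructed sample: the application IDs are placeholders, not real signatures.
TEMPLATE = """
config application list
    edit "G13"
        config entries
            edit 1
                set application 10001 10002 10003
                set action block
            next
            edit 2
                set application 20001 20002 20003
                set action block
            next
        end
    next
end
"""
# Constructed: the profile as seen on the device when only category settings arrived.
RUNNING = 'config application list\nedit "G13"\nconfig entries\nedit 1\nset category 2 6\nnext\nend\nnext\nend\n'

def override_entries(cli_text, profile):
    """Map each overridden application ID in `profile` to its action ("default" if unset)."""
    path = ["application list", profile, "entries"]
    stack, current, result = [], {}, {}
    for raw in cli_text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] in ("config", "edit"):        # descend one level
            stack.append(" ".join(tok[1:]))
            current = {}
        elif tok[0] == "set" and len(tok) > 2:  # attribute of the current entry
            current[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and stack:
            if tok[0] == "next" and stack[:-1] == path:  # closing an override entry
                for app in current.get("application", []):
                    result[int(app)] = current.get("action", ["default"])[0]
            stack.pop()
    return result

def override_drift(template_text, running_text, profile):
    """Compare the overrides the template intends with those on the device."""
    want = override_entries(template_text, profile)
    have = override_entries(running_text, profile)
    return {
        "missing": sorted(want.keys() - have.keys()),
        "unexpected": sorted(have.keys() - want.keys()),
        "action_mismatch": sorted(a for a in want.keys() & have.keys() if want[a] != have[a]),
    }
```

With the constructed inputs, `override_drift(TEMPLATE, RUNNING, "G13")` reports all six application IDs as missing, which matches the blank override described above; after a successful install, all three lists should be empty.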

Comments
cmartinez1
Staff

Thanks for the KB