After using FortiManager in backup mode for a few years, I am now working on configuring an ADOM in managed mode pushing full baseline configurations with CLI provisioning templates leveraging meta field variables.
So far on a new FortiGate, my CLI Template creates 4 VLAN interfaces under the fortilink interface, IP's them, pulls interface "internal5" from the internal virtual switch, and configures it as a standalone interface. The script works fine on the first run, but as I add more CLI Templates to the CLI Template Group and run it, I get an error more or less stating that "internal5" isn't in the internal virtual switch.
My question is, are these CLI Templates supposed to stay assigned to a device or should they be removed from the device after the initial provisioning? If they're supposed to stay assigned to the device, how do you handle/skip errors for work that was already done in previous runs of the script?
I've been struggling with the same thing for the last few months with v6.4.5 and encountered many issues. But v6.4.6 was released yesterday fixing at least one Meta Field related problem. So I'll upgrade it today to test them again.
Based on my short experience, my understanding is that CLI templates are supposed to be attached to the device config DB all the time, while the Scripts serve one-time needs. However, some things you can't leave in CLI templates attached to devices.
- anything removing, like removing interfaces from a hard-switch, because when it's run a second time the object is not there any more, so it generates an error and stops. Use a script.
- anything adding, like adding an entry with "edit 0", because the second time it's already there, so it generates an error and stops. Use "edit 1" "edit 2" ... instead or purge all first then add.
- any other things that would cause an error if it was run multiple times.
As I said, I'm still learning myself so I want to know what others have to say about this.
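Added example, not part of either post: a small pre-flight check that walks a CLI template and flags the two kinds of statement the reply says break on a second run (a `delete` and an `edit 0`), so they can be moved to a one-time script. The template text is constructed sample input in FortiOS-style syntax, and `lint_template` is a hypothetical helper, not a FortiManager feature.

```python
# Constructed sample template, not taken from the thread.
SAMPLE_TEMPLATE = '''\
config system virtual-switch
    edit "internal"
        config port
            delete "internal5"
        end
    next
end
config router static
    edit 0
        set gateway 192.0.2.1
        set device "wan1"
    next
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
    next
end
'''

def lint_template(text):
    """Return (line_no, config_path, reason) for statements that fail on a re-run."""
    findings = []
    stack = []  # currently open "config ..." blocks, outermost first
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(' ')
        path = ' > '.join(stack)
        if word == 'config':
            stack.append(rest.strip())
        elif word == 'end':
            if stack:
                stack.pop()
        elif word == 'delete':
            # Removal: the object is already gone when the template runs again.
            findings.append((line_no, path, 'delete: move to a one-time script'))
        elif word == 'edit' and rest.strip().strip('"') == '0':
            # "edit 0" asks for a new entry each run; use a fixed id instead.
            findings.append((line_no, path, 'edit 0: use a fixed id or purge first'))
    return findings

if __name__ == '__main__':
    for line_no, path, reason in lint_template(SAMPLE_TEMPLATE):
        print(f'line {line_no} [{path}]: {reason}')
```
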