Fortinet Forum
bigkeoni64
Contributor

FortiManager pushing to a FortiGate

Hello - I created a few address objects, then made a new Policy, all in FMG. I have to push, so I do:

Install wizard and go to the point of 'preview installation'. The changes I did showed up as expected.

My next step is to actually push the changes.

 

My question is will anything else change? Do I need to do a backup before I push? Just curious if it will only change what is in the 'install preview'.

 

Just making sure I'm not taking down or changing anything else since this is my first go at it...

 

Mahalo

Toshi_Esumi
Esteemed Contributor II

If you can push the new config, the device is already on the FMG and has revisions of config backups. Go to the device's System:Dashboard and find Revision->Total Revisions. Then at the end of the line, there is an icon for the Revision History menu. Click that to see all revision/backup history. When you highlight one of them, you can view the config and check "diff" from a previous version.

 

Yes, it would install exactly what's in preview.

If something went wrong after the installation, you can always "Revert" under the "More" menu in the Revision History window.

 

Toshi

 

 

bigkeoni64

Well, unfortunately there were no revisions available, plus there are orange warning triangles on just about every individual rule.

 

I was too apprehensive to use the FMG to push the policy and objects, therefore I put it on the FortiGate directly.

 

Is there an auto-retrieve or can I force the FMG to pull the new FG policy?

It might be best I open a case to sort how to clean this up since we inherited things this way.

 

bigkeoni64_0-1660712125387.png

 

Toshi_Esumi
Esteemed Contributor II

Are you sure it's on-line? What's in the device list status view under Device&Groups->Managed Devices? There should be a Config Status column showing config DB sync status. If normal, there is a "green check mark" before the status.
Once it's registered to the FMG, there should be at least one revision auto-retrieved. If the Total Revisions is '0' while the system information like S/N, IP address, etc. is showing, something must have gone wrong.
Manual retrieval is in the Revision History window's menu "Retrieve Config". But I guess it won't work or will be dimmed at the current state of the device on the FMG.

Share with us the screen of the status list view and device dashboard. Or open a case at TAC to get it looked at.

 

Toshi

 

bigkeoni64

The revision number 1 is the change I did - but - I did not even push it since there are no other revisions. Even the import configuration is greyed out.

 

bigkeoni64_0-1660718095708.png

 

Toshi_Esumi
Esteemed Contributor II

I know only v6.4.x. Yours looks newer because the menu on the rev history is quite different from mine. But at least the config DB is in sync with the device. Only the policy package has a problem. Was it actually in sync before you made the changes? And how was it originally created? Imported from the config DB?

bigkeoni64

Yes, it is FMG 7.05

I think it might have been imported from the FortiGate, not 100% sure. I'll get a case open. Thank you for your questions.

Toshi_Esumi
Esteemed Contributor II

TAC might suggest the same but I would suggest importing into a new policy package (new name) from the device DB again, then make sure the policy package is in sync first before making changes.
Policy packages are never directly pushed to the device. The changes in the packages are pushed to the device DB first. Only after that are the changes pushed to the device.

I think your current policy package is conflicting with what's in the device DB. So if you tried, you would see errors in the preview. Instead of trying to patch up individual conflicts, starting with a clean package would be much faster to complete the changes you're intending to make.