Fortinet Forum
TSC_JEFF
New Contributor II

Managed Fortigate by Fortimanager not updating

Hi,

 

So I configured a managed FortiGate via FortiManager. What I did was:

 

1. added an address object

2. added this address object to a dynamic group

 

For some reason it has been a day and I still don't see the new address object on the managed FortiGate. I do see, under Configurations and Installations, Config Status: Auto Update checked.

 

Not sure how to troubleshoot this.

 

Thanks in advance

Jeff

1 Solution
Debbie_FTNT
Staff

I may be a bit late to the party, but it looks to be a bit as if you have the following:

- a static address (the address has no per-device-mapping), at least per the screenshot you shared

- a possibly dynamic group? I could not see a screenshot for the actual group, just the individual address

-> that means the group could have per-device-mapping (have different members for various FortiGates)

-> I would double-check the group itself and see if per-device-mapping is enabled, and if that is the case then check the group members that are configured for the specific FortiGate/Policy Package you're looking at

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

TSC_JEFF

I don't think it's a per-device mapping, please correct me if I'm wrong

[screenshot attached]

 

Toshi_Esumi
Esteemed Contributor II

That's not "dynamic" but rather "static" address group members, which affect all FGT devices that use the address group. "Dynamic" generally means changing the members per device on the address group config side. For example, FG1 has members A, B, and C, while FG2 has members A, B, and D for the same address group.

 

Again, it should have knocked the policy package status out of sync when you added a new address to the address group, as long as the FGT uses the group in its policies. So something is wrong.

 

Toshi

markwarner

Correct - "Add to Groups" just lists the address groups that this address object is used in.  The Per-Device Mapping tickbox is below that and disabled.
If this address object or address group is not referenced in the policy package, FMG will keep it in its ADOM Database and not install it to the device.

markwarner
Staff

Hi Jeff,

It's important to understand how configuration on the device relates to configuration in the FortiManager.
You said you added an address object and put that in a group, but where was that configured?
If you make a configuration change on the FortiGate and auto-update is enabled in the FMG CLI (it is by default), the FGT will send its full configuration file to the FortiManager. This is known as a revision and you can check the revision history for a device in the Device Manager if you double click a device and check the Revision History button in the Configuration and Installation widget.


When this happens, the FortiManager Device Database is updated. The ADOM Database (Policy & Objects section of the GUI) is not updated. To update that you must either Import Policy or Install.
The ADOM database contains objects that can be shared with more than one device.
Import policy pulls the configuration from the Device Database and updates the ADOM Database. If you created the object on the device and are looking for it in Policy & Objects, this is the step that you are missing.


If you created the address and address group on the FortiManager then you only created it in the FortiManager's database. If you then install to the device and it's not pushing the address/group this is because it is not referenced in the Policy Package.
FMG is designed to keep unused objects in the FMG databases and should remove unused objects from the FGT CLI configuration to keep it clean.


If you created an object on the FMG under Policy & Objects, you must reference it in a Policy Package and then install to the device before you will see it show up on the FortiGate.


Always check the install preview before installing config to a FortiGate. It's your last chance to check that what you are about to install is what you actually want to install.


Mark.
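To make the two rules in this thread concrete (Toshi's point that a group with per-device mapping uses a device-specific member list, and Mark's point that FMG only installs objects the Policy Package references), here is a small simulation of an install preview. It is an added example, not FortiManager code; all device, object, group and package names are constructed sample data.

```python
"""Simplified model of how FortiManager decides what reaches a FortiGate on install.

Added example, not Fortinet code. It reproduces two rules from this thread:
  1. an ADOM DB object is only pushed if the Policy Package references it;
  2. a group with per-device mapping uses the mapped member list for that
     device instead of its default member list.
All names below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class AddressGroup:
    name: str
    members: list                                   # default members
    per_device: dict = field(default_factory=dict)  # device -> member list


@dataclass
class PolicyPackage:
    name: str
    policies: list   # each policy: list of address/group names it references


def resolve_group(group, device):
    """Members that apply to `device`: the per-device mapping wins if present."""
    return group.per_device.get(device, group.members)


def install_preview(adom_addresses, adom_groups, package, device):
    """Return the set of object names the package would push to `device`.
    Objects in the ADOM DB that no policy references stay in FMG only."""
    installed = set()
    for policy in package.policies:
        for ref in policy:
            if ref in adom_groups:
                installed.add(ref)
                installed.update(resolve_group(adom_groups[ref], device))
            elif ref in adom_addresses:
                installed.add(ref)
    return installed


# Constructed scenario mirroring the thread: "srv-new" is added to the group's
# default members, but the group has a per-device mapping for FGT-A.
ADOM_ADDRESSES = {"srv-old", "srv-new"}
ADOM_GROUPS = {
    "grp-servers": AddressGroup("grp-servers", members=["srv-old", "srv-new"],
                                per_device={"FGT-A": ["srv-old"]}),
}
PACKAGE = PolicyPackage("pkg-branch", policies=[["grp-servers"]])

if __name__ == "__main__":
    for dev in ("FGT-A", "FGT-B"):
        print(dev, "would receive:",
              sorted(install_preview(ADOM_ADDRESSES, ADOM_GROUPS, PACKAGE, dev)))
```

FGT-A never sees "srv-new" until it is added to that device's mapping, while FGT-B (no mapping) gets the default members; an object referenced by no policy is not pushed to either device.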

sw2090
Honored Contributor

Hm, I ran into similar issues several times. I changed address objects (with or without per-device mapping) which ARE used in some policy in the policy package. I changed it in the FortiManager, but when I wanted to roll the updated policy package out, FMG stated there was nothing to deploy. It did, however, deploy the changes when I changed something else to make FMG deploy the package.

So looks to me that for some reason not every change seems to set the policy package out of sync...


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

TSC_JEFF

Thanks @Debbie_FTNT. I just checked the group and indeed it uses per-device mapping. I added the object there, pushed the policy, and it reflected on the FGT.

 

Thanks guys for all the help. This is a good start for the week and I hope everyone is doing ok.

 

Jeff