topcu
New Contributor II

diagnose cdb check policy-packages

Hello,

 

The upgrade procedure for FortiManager recommends checking various outputs before and after performing an upgrade. It recommends checking the integrity of the policy packages with the "diagnose cdb check policy-packages" command and gives two example outputs, one without and one with errors (see below). In the case of an error, the CLI asks whether to make changes to the database (y/n), but the document does not say whether those changes should be confirmed, or in which cases they should be.

 

FortiManager Upgrade Guide

Check the integrity of the policy packages by using the following command: diagnose cdb check policy-packages.

Example 1 with error:

FMG-VM64 # diagnose cdb check policy-packages
Adom VPNConsole
        [1/4] Checking Scope ... correct
        [2/4] Checking Dynamic mappings ... 2 change(s) will be made
        [3/4] Checking Policy package settings ... correct
        [4/4] Checking Undeleted objs ... correct
Adom root
        [1/4] Checking Scope ... correct
        [2/4] Checking Dynamic mappings ... correct
        [3/4] Checking Policy package settings ... correct
        [4/4] Checking Undeleted objs ... correct
The above change(s) will be made to the database, however it is recommended to perform a backup first.
Do you want to continue? (y/n)

During my upgrade, I had some of those errors, but because I was unsure, I didn't confirm the change. After the upgrade, the output lists some missing objects, and I'm asked again to make the changes to the database.

 

Before Upgrade (changes not made to the DB)

[…]

Adom root
        [1/5] Checking Scope                     ... 28 change(s) will be made
        [2/5] Checking Dynamic mappings          ... 7 change(s) will be made
        [3/5] Checking Policy package settings   ... correct
        [4/5] Checking Undeleted objs            ... 7 change(s) will be made
        [5/5] Checking Controller package status ... correct

[...]

After Upgrade (should they be made to the DB?)

[…]

Adom root
        [1/5] Checking Scope                     ... 28 change(s) will be made
        [2/5] Checking Dynamic mappings          ... 7 change(s) will be made
        [3/5] Checking Policy package settings   ... correct
        [4/5] Checking Undeleted objs            ...
                firewall policy: policyid [1337] is not found in node table
                firewall policy: policyid [1339] is not found in node table
                firewall policy: policyid [1342] is not found in node table
                firewall policy: policyid [1547] is not found in node table
                firewall policy: policyid [1550] is not found in node table
                firewall policy: policyid [1592] is not found in node table
                firewall policy: policyid [1660] is not found in node table
        7 change(s) will be made
        [5/5] Checking Controller package status ... correct

[…]

 

Should those changes always be made to the DB, or only in some cases?

 

Many thanks in advance

Best regards

 

Hakan
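
An added example, not part of the original post or of Fortinet's documentation: a Python sketch that parses saved output of "diagnose cdb check policy-packages" into per-ADOM check results and compares a pre-upgrade run with a post-upgrade run. The sample text is constructed (and shortened) from the outputs quoted above, and the function names `parse` and `diff` are hypothetical.

```python
import re

# Sample text constructed (and shortened) from the outputs quoted in the post.
BEFORE = """\
Adom root
        [1/5] Checking Scope                     ... 28 change(s) will be made
        [2/5] Checking Dynamic mappings          ... 7 change(s) will be made
        [3/5] Checking Policy package settings   ... correct
        [4/5] Checking Undeleted objs            ... 7 change(s) will be made
        [5/5] Checking Controller package status ... correct
"""
AFTER = """\
Adom root
        [1/5] Checking Scope                     ... 28 change(s) will be made
        [2/5] Checking Dynamic mappings          ... 7 change(s) will be made
        [3/5] Checking Policy package settings   ... correct
        [4/5] Checking Undeleted objs            ...
                firewall policy: policyid [1337] is not found in node table
                firewall policy: policyid [1339] is not found in node table
        7 change(s) will be made
        [5/5] Checking Controller package status ... correct
"""

CHECK = re.compile(r"\[\d+/\d+\]\s+Checking\s+(.+?)\s*\.\.\.\s*(.*)$")
CHANGES = re.compile(r"(\d+) change\(s\) will be made")

def parse(text):
    """Return {(adom, check): {"changes": int, "details": [str]}}."""
    results, adom, current = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Adom "):
            adom, current = line[5:].strip(), None
        elif line.startswith("The above change(s)"):
            break  # confirmation prompt follows; nothing left to parse
        elif m := CHECK.match(line):
            current = results.setdefault((adom, m.group(1)), {"changes": 0, "details": []})
            if c := CHANGES.search(m.group(2)):
                current["changes"] = int(c.group(1))
        elif current is not None and (c := CHANGES.fullmatch(line)):
            current["changes"] = int(c.group(1))  # count printed after detail lines
        elif current is not None and line:
            current["details"].append(line)  # e.g. "policyid [...] is not found"
    return results

def diff(before, after):
    """Checks whose change count or detail lines differ between two runs."""
    b, a = parse(before), parse(after)
    return sorted(k for k in b.keys() | a.keys() if b.get(k) != a.get(k))
```

On the sample, `diff(BEFORE, AFTER)` reports only the "Undeleted objs" check for Adom root: the change count is 7 in both runs, and the later run additionally lists the affected policy IDs.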
