jamaykans
New Contributor

CFG-Save Revert & FortiManager

I have a situation where I'm about to import several deployed FortiGates into FortiManager (cloud) so we can centrally manage them. Most of these FortiGates have specific device settings including "cfg-save revert" enabled. They were configured that way because they are in remote locations and "revert" acted as a fail-safe in case someone goofed up a setting.

Is it good practice to continue using "cfg-save revert" when the FortiGates are centrally managed through FortiManager? If so, what's the best way to actually commit changes to devices after a push has been made through FortiManager? Right now our admins are used to the FortiGate GUI indicating a change has been made, and clicking on "Save" (7.0.9). Is there any kind of reminder or indicator in FortiManager to commit saved changes?

Thanks!

gfleming
Staff

FortiManager has its own failsafes built-in. If a remote FortiGate is configured by FortiManager (config push) and subsequently loses its connection back to FortiManager, the FortiGate will revert back.

 

https://docs.fortinet.com/document/fortimanager/6.4.0/fortigate-fortimanager-communications-protocol...

Cheers,
Graham
Debbie_FTNT
Staff

In addition to Graham's comment:

- the cfg-save setting shouldn't really matter; it applies to changes made to FortiGate via CLI, and ideally with a FortiManager all changes should be made from the manager and NOT locally on the FortiGate, as that would cause it to go out of sync with FortiManager

-> if you anticipate some changes will still be made on FortiGate directly, then by all means leave the setting in place

- Configuration changes on FortiManager are NOT automatically pushed to FortiGate; they need to be manually saved, and then the package can be pushed (installed) to FortiGate

- FortiManager has its own failsafes as Graham mentioned - if the connection between FortiGate and FortiManager goes down during a policy push, and doesn't restore in a given timeframe, the FortiGate aborts any changes made by FortiManager
- if the connection remains up between FortiManager and FortiGate and there are no errors, changes are automatically committed by FortiGate (the cfg-save setting has no impact on this)
-> if there are errors, all configuration except the bits causing the error are committed, and FortiManager can display a dialogue with the errors encountered during a policy push

- FortiManager retains a revision history automatically; each successful policy push creates a new revision of that FortiGate's configuration
-> https://docs.fortinet.com/document/fortimanager/6.0.7/administration-guide/26761/managing-configurat...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++