Copying Policy Packages and Objects from one ADOM to another

AlexFeren · ‎10-14-2015

I have two ADOMs with different devices. I'd like to copy Policy Packages and Objects from 'Production_ADOM' to 'Staging_ADOM'.

I suppose I can add one of 'Staging_ADOM' devices to 'Production_ADOM', then install Policy Package and Objects defined in 'Production_ADOM', then add it back into 'Staging_ADOM', overwriting its Policy Package and Objects, and then installing these to other devices in the 'Staging_ADOM'.

However, I really don't wish to interfere with 'Production_ADOM'.

Is there another/smarter way? (I see command 'fmpolicy copy-adom-object' which seems like a candidate for copying Objects, but it's not well documented and also it also seems to function only one object instance at-a-time.)

scao_FTNT · ‎10-16-2015

'fmpolicy copy-adom-object' is for copy ADOM object to same ADOM device db

for your case, I think you can try " exec fmpolicy print-adom-database" and find out needed config to create a script, then run script for your new ADOM package

Thanks

Simon

AlexFeren · ‎10-18-2015

scao_FTNT wrote:
'fmpolicy copy-adom-object' is for copy ADOM object to same ADOM device db

Can you provide a use-case for this command?

scao_FTNT wrote:
for your case, I think you can try " exec fmpolicy print-adom-database" and find out needed config to create a script, then run script for your new ADOM package

Script won't update Policy Package - so, I'd need create script and then install it onto a device, then retrieve the device to overwrite existing Policy Package policies, and then install the Policy Package on other devices, correct? This doesn't follow the "FortiManager is master of configuration" methodology.

FortiManager has a exporting facilities, but seems to lack importing.

scao_FTNT · ‎10-18-2015

Can you provide a use-case for this command?

-- this CLI normally used for troubleshooting

Script won't update Policy Package

-- you can just run script for policy package / ADOM db

Thanks

Simon

AlexFeren · ‎10-18-2015

scao_FTNT wrote:
Script won't update Policy Package
-- you can just run script for policy package / ADOM db

This looks very handy - I missed it because it didn't seem to have a CLI equivalent - only

[ul]

(execute directly on) Device,

(execute directly on) Device Group,

against Device Database or

against Global Database.[/ul]

Why not against "Policy Package, ADOM Database" as in GUI?

scao_FTNT · ‎10-19-2015

Thanks for the update, I will review with dev team see if can improve the CLI to include run package for the script

Thanks

Simon

Copying Policy Packages and Objects from one ADOM to another

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website