Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
romohite8
New Contributor

Created on ‎06-21-2023 12:24 AM

Enable to find address group used in IPSec VPN on FortiManager

Hello,

Our newly deployed Fortigate firewalls at our DC, which are managed via FortiManager. At the time of deployment we created a tunnel with one of our offices. Now I want to modify the Local Address on the Fortigate firewall. When search in Policy & Objects tab on FortiManager for the address group used as Local Address in the IPSec tunnel, I cannot find that address group. 

However when I login to firewalls directly, i can find that address group. I cannot (should not) be making changes directly on Firewall as these changes will be wiped out upon next policy push from FortiManager. 

 

So how do I find the address group in FortiManager which is used as Local Address in IPSec VPN configuration so that i can edit it. 

 

Thanks.

Labels:
1088
0 Kudos
8 REPLIES 8
Anthony_E
Community Manager
Community Manager

Created on ‎06-24-2023 09:22 AM

Hello ,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
1047
0 Kudos
mgoswami
Staff
Staff

Created on ‎06-25-2023 11:50 PM

Hi,

 

May I know the firmware version of your Fortigate and the Fortimanager?

Are you able to view the other address groups from the FortiGate imported?

How many member does the address object group has with which you are facing the issue?

 

BR,

Manosh

1021
romohite8
New Contributor

Created on ‎06-26-2023 12:30 AM

Hi Manosh, 

Fortigate is running on firmware - 7.0.12 build 0523
FortiManager is running on firmware - v7.4.0-build2223 230514 (GA)

 

Yes, i can see all the objects migrated to Fortigate. As a matter of fact, I am able to see & edit this address-group in question when i login to Fortigate UI, but cannot see it on FortiManager UI.

 

There are 6 objects currently in that address-group. Something that i noticed is - this address group is called as 'Local Subnets for VPN' and it seems to be part of other VPN as well (other VPN is to other location).

I don't think there is option of recreating this object group with new set of IPs and add it back to VPN. 

998
0 Kudos
knagaraju
Staff
Staff

Created on ‎06-26-2023 02:05 AM Edited on ‎06-26-2023 02:07 AM

Hi romohite8,
As I understand the address group has been created under "Policy & Objects >> Objects Configuration >> Firewall Objects >> Address". Please correct me if I am wrong.
Check if the tunnel configuration under VPN manager has this address group displayed on the GUI.
Are the device showing the policy package in sync on FMG?



1008
romohite8
New Contributor

Created on ‎06-26-2023 02:07 AM

Hi,

Fortigate is running on firmware - 7.0.12 build 0523
FortiManager is running on firmware - v7.4.0-build2223 230514 (GA)

 

Yes, i am able to view other objects/address-group which were migrated. The address-group in question is called as "Local Subnets for VPN" which is getting called in all the VPN tunnels. 

 

This address-group 6/7 objects in it.

998
0 Kudos
knagaraju
Staff
Staff

Created on ‎06-26-2023 02:09 AM

Run the installation wizard and chose the correct policy package. But we don't want to install at the last step. We need to check the installation preview and download it then cancel the installation, so we can see what the FMG will install.

if it's missing from FMG and VPN manager then we can re-create it on FMG using script on policy package after copying the configuration from FGT CLI, then make sure to attached to the VPN manager configuration.
Maybe the event logs of FMG, it shows it has been deleted.
Also, check the address group name is showing in the event logs by filtering the message field using "*address_name*"
Regards
Nagaraju.

1004
0 Kudos
romohite8
New Contributor
In response to knagaraju

Created on ‎06-29-2023 12:54 AM

I tried what you suggested - "Run the installation wizard and chose the correct policy package. But we don't want to install at the last step. We need to check the installation preview and download it then cancel the installation, so we can see what the FMG will install."

I get green check marks for these - 

Interface Validation
Policy and Object Validation
Nothing to install (Package maybe synchronized).
 
install wizard.jpg
942
0 Kudos
JettBrandon
New Contributor

Created on ‎06-27-2023 08:08 AM Edited on ‎07-03-2023 05:48 AM

We have recently deployed FortiGate firewalls in our network and are managing them through FortiManager. However, I'm unable to find an address group that is used as a Local Address in an IPSec VPN configuration. When I search for the address group in the Policy & Objects tab on FortiManager, it doesn't appear. Strangely, when I directly log in to the firewalls, I can locate the address group. Since making changes directly on the firewall is not recommended, I need to find a way to access and modify the address group through FortiManager. Regards

978
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.