gwaihir
New Contributor III

FAZ integration with FMG for Playbooks

Hello,

Please help me with this scenario: the FAZ is running playbooks that run Ban_IP on FortiGates, and FortiManager then shows them as in conflict (because the IP is also created as an object for use in firewall policies).

The solution is that FAZ must create the objects on FortiManager directly. How can I achieve this?

FAZ manages all FortiGate devices in a Security Fabric environment.

FMG manages all FortiGates for policy and settings.

Thank you!

jasonhong
Staff

Hi,

Unfortunately, FMG is not listed as a valid connector for FMG. Hence, you will have to manually create the objects in the local FMG, as playbooks cannot be run against FMG from FAZ.

https://docs.fortinet.com/document/fortianalyzer/7.2.4/administration-guide/768287/connectors

vraev
Staff

Hi @gwaihir,

The FGT will normally update the FortiManager with the latest changes.

Only the import is a manual process.

To retrieve (screenshot is provided):

Device Manager -> Managed Devices -> Double-click the FortiGate -> Dashboard -> Summary -> 'Configuration and Installation' widget -> Revision -> select the menu icon -> Retrieve

To retrieve via CLI:

diagnose dvm device list    <- search for the OID next to the SN
diagnose test deploymanager reloadconf <OID>

If changes were also made in the configuration, then the import will be needed.
https://community.fortinet.com/t5/FortiManager/Technical-Tip-Configuration-import-from-the-device-to...

Eventually, you can test this API call under FMG:

{
    "method": "exec",
    "params": [
        {
            "data": {
                "add_mappings": "disable",
                "adom": "string",
                "dst_name": "string",
                "dst_parent": "string",
                "if_all_objs": "none",
                "if_all_policy": "disable",
                "import_action": "do",
                "name": "string",
                "position": "top",
                "vdom": "string"
            },
            "url": "/securityconsole/import/dev/objs"
        }
    ],
    "session": "string",
    "id": 1
}

V.R.
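As an added illustration of the call above (example code, not from the poster or from Fortinet), the following builds the JSON-RPC body for /securityconsole/import/dev/objs, sends it to FMG, and checks the status block that FMG returns. The endpoint URL, ADOM and device names are placeholders, and the "all" value for if_all_objs (importing every device object into the ADOM database rather than the template's "none") is an assumption to verify against your FMG version.

```python
import json
import urllib.request

# Placeholder endpoint; replace with your FortiManager (assumption, not from the thread).
FMG_URL = "https://fmg.example.invalid/jsonrpc"


def build_import_objs_request(session, adom, device, vdom="root", scope="all", req_id=1):
    """Return the JSON-RPC body for /securityconsole/import/dev/objs, mirroring the
    template posted above. 'scope' feeds if_all_objs; "all" is assumed to mean every
    object on the device, which is what is needed after FAZ adds Ban_IP addresses."""
    return {
        "method": "exec",
        "params": [{
            "url": "/securityconsole/import/dev/objs",
            "data": {
                "adom": adom,
                "name": device,
                "vdom": vdom,
                "add_mappings": "disable",
                "if_all_objs": scope,
                "if_all_policy": "disable",   # objects only; leave policy packages alone
                "import_action": "do",
            },
        }],
        "session": session,
        "id": req_id,
    }


def check_response(body):
    """Return result[0].data, or raise if FMG reports a non-zero status code.
    securityconsole calls typically return a task id here for later polling."""
    result = body["result"][0]
    status = result.get("status", {})
    if status.get("code", 0) != 0:
        raise RuntimeError(f"FMG error {status.get('code')}: {status.get('message')}")
    return result.get("data", {})


def call(body):
    """POST one JSON-RPC request. TLS verification stays enabled: this appliance
    holds every firewall's policy, so do not switch it off for convenience."""
    req = urllib.request.Request(FMG_URL, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return check_response(json.load(resp))
```

The session token comes from a prior /sys/login/user call; keep it in a dedicated, least-privilege FMG administrator scoped to the one ADOM being imported into.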
gwaihir
New Contributor III

Hi @vraev, thank you for your reply.

As you know, auto-sync of device config doesn't update the ADOM database, so the address objects used in firewall policies are outdated, because FAZ modifies the addresses directly on each FortiGate member of the fabric (as a result of the fabric object sync feature).

So when Install Policy is performed on the Manager, it deletes the recent addresses that FAZ created.

What would be the best thing to do here? I mean, could the FAZ trigger an API request to the Manager through a FortiGate script to update the newly created objects? (Because the first answer is clear: there is no connection between FAZ and FMG.)

Thank you, I appreciate your help.
