Hello,
Please help me with this scenario: the FAZ is running playbooks which run Ban_IP on the FortiGates, and FortiManager then shows them in conflict (because the IP is also created as an object for use in firewall policies).
The solution is that FAZ must create the objects on FortiManager directly; how can I achieve this?
FAZ manages all FortiGate devices in the Security Fabric environment.
FMG manages all FortiGates for policy and settings.
Thank you!
Hi,
Unfortunately, FMG is not listed as a valid connector for FMG. Hence, you will have to manually create the objects in the local FMG, as playbooks cannot be run against FMG from FAZ.
https://docs.fortinet.com/document/fortianalyzer/7.2.4/administration-guide/768287/connectors
Hi @gwaihir ,
The FGT will normally update the latest changes to the FortiManager.
Just the Import is a manual process.
To Retrieve (screenshot is provided):
Device Manager -> Managed Devices -> Double click the FortiGate -> Dashboard -> Summary -> 'Configuration and Installation' widget -> Revision -> select the menu icon -> Retrieve
To retrieve via CLI:
diagnose dvm device list   <- search for the OID near the SN
diagnose test deploymanager reloadconf <OID>
If there are changes also made in the configuration then the Import will be needed.
https://community.fortinet.com/t5/FortiManager/Technical-Tip-Configuration-import-from-the-device-to...
Eventually, you can test this API call under FMG:
{
  "method": "exec",
  "params": [
    {
      "data": {
        "add_mappings": "disable",
        "adom": "string",
        "dst_name": "string",
        "dst_parent": "string",
        "if_all_objs": "none",
        "if_all_policy": "disable",
        "import_action": "do",
        "name": "string",
        "position": "top",
        "vdom": "string"
      },
      "url": "/securityconsole/import/dev/objs"
    }
  ],
  "session": "string",
  "id": 1
}
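One way to drive that import call from a script, as an added example that is not code from the thread or from Fortinet's own tooling: it logs in to the FMG JSON-RPC API, runs the object import for one managed device, checks the returned status, and logs out. The host, credentials, ADOM, device and policy-package names are placeholders read from the environment; the meaning of dst_name/dst_parent as destination package and folder, and the "task" key in the exec reply, are assumptions.

```python
import json
import os
import urllib.request

# Placeholders: host and credentials are assumed to come from the environment.
FMG_HOST = os.environ.get("FMG_HOST", "fmg.example.invalid")
FMG_USER = os.environ.get("FMG_USER", "api_user")
FMG_PASS = os.environ.get("FMG_PASS", "")


def build_import_request(adom, device, vdom, package, session=None, req_id=1):
    """JSON-RPC body for the import call quoted in the thread; option values kept as shown there."""
    data = {"adom": adom, "name": device, "vdom": vdom,
            "dst_name": package, "dst_parent": "",  # destination policy package / folder (assumed)
            "add_mappings": "disable", "if_all_objs": "none", "if_all_policy": "disable",
            "import_action": "do", "position": "top"}
    return {"method": "exec", "id": req_id, "session": session,
            "params": [{"url": "/securityconsole/import/dev/objs", "data": data}]}


def rpc(body):
    """POST one JSON-RPC request to FMG; urlopen verifies the TLS certificate by default."""
    req = urllib.request.Request(f"https://{FMG_HOST}/jsonrpc",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def import_device_objects(adom, device, package, vdom="root"):
    """Log in, run the import for one managed device, log out; returns the FMG task id (assumed key)."""
    login = rpc({"method": "exec", "id": 1, "params": [
        {"url": "/sys/login/user", "data": {"user": FMG_USER, "passwd": FMG_PASS}}]})
    session = login["session"]
    try:
        reply = rpc(build_import_request(adom, device, vdom, package, session, 2))
        status = reply["result"][0]["status"]
        if status.get("code") != 0:
            raise RuntimeError(f"import failed: {status.get('message')}")
        return reply["result"][0]["data"].get("task")
    finally:
        rpc({"method": "exec", "id": 3, "session": session, "params": [{"url": "/sys/logout"}]})
```

Run it with a dedicated, least-privileged FMG API account rather than an admin login, since the script only needs rights on the ADOM it imports into.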
Hi @vraev, thank you for your reply.
As you know, auto-sync of device configuration doesn't update the ADOM database, so the address objects used in firewall policies are outdated, because FAZ modifies the address directly on each FortiGate member of the fabric (as a result of the fabric object sync feature).
So when Install Policy is performed on the Manager, it deletes the recent address that FAZ created.
What would be the best thing to do here? I mean, could the FAZ trigger an API request to the Manager through a FortiGate script to update the newly created objects? (Because the first answer is clear: there is no connection between FAZ and FMG.)
Thank you, I appreciate your help.
Copyright 2024 Fortinet, Inc. All Rights Reserved.