We recently upgraded to FMG 5.6.6 and here are some issues I experienced and the resolution path I took. In my case, these were 150 FortiGates in a single ADOM, all running 5.6.5. Most HA, some not. Most with VDOMs, some not.
These were all "endless pushes" - FMG "successfully" pushed these changes down, but they never stuck, and so FMG kept wanting to push them over and over again. The bigger issue we experienced is that our FGTs running ADOMs would trip the Config Modified flag against the device (not a VDOM) after pushing policy changes. So you would push PP changes to a VDOM, then the device would show as modified with these pending changes. And the only way to temporarily clear the flag was to do an Install Config - Install Wizard wouldn't clear the flag.
-------
Issue #1: Entrust CA certificate
FMG kept wanting to push down an apparently new Entrust CA certificate - the name of the certificate actually had Entrust in it. I didn't save the configs it wanted to push, but it was tied into FortiGuard. The issue is that the push showed successful, but FMG kept wanting to push it anyway. I couldn't find this certificate in FMG or on the affected FGTs.
Solution #1: Retrieve config from the FGT within FMG.
Note #1: A possibly related issue was the length of the cert name. I didn't count the characters, but it was pretty long, and I have seen issues before with long certificate names failing to push.
-------
Issue #2: FortiAnalyzer upload settings
FMG kept wanting to change the FAZ upload settings. The FGT would have real-time set, but FMG would want to reset it to 5 minutes.
Solution #2: Within FMG, (re-)adjust your FAZ settings to what is desired. In my case, the FGT locally showed real-time upload, but FMG had 5 minutes. I reset FMG for every firewall to be real-time and the changes stuck.
-------
Issue #3: FMG wanting to reset the admin-server-cert to Fortinet_Factory
Both FMG and FGT had the built-in Fortinet_Factory set for WebUI access. But FMG kept wanting to reset that setting. I couldn't find a certificate with that name in FMG, and if I tried to create it, it complained about a duplicate object. This was the biggest issue to solve.
Solution #3: We already had FortiAuth set up as an internal CA. So I created certs, uploaded them locally to each firewall, and then within FMG told each firewall to use that cert under Admin Settings.
Note #3: I have seen issues like this in previous new releases of FMG. My hunch is that the devs are working on adding actual/proper certificate management/storage capabilities into FMG, and this is an interim code update towards that goal. They did the same thing back in early releases of FMG 5.4, when they moved local-in-policy from being a CLI-only object to being handled by a Policy Package. There was an interim release where you couldn't manage LIPs at all from FMG.
-------
The Entrust CA certificate issue is likely due to the recent certificate bundle update via FortiGuard: http://kb.fortinet.com/kb...amp;externalId=FD43659
Looks like your issue is more a FortiGate one. Best to post in a FortiGate forum, perhaps "Routing and Transparent Mode".