I've configured a pair of FortiGate 81E firewalls into an HA cluster, and I use them to terminate a set of auto-detect IPsec tunnels. To improve security, I use PKI to authenticate the tunnels, and I have configured the firewalls to download CRL updates using HTTP. The firewalls currently run FortiOS 5.6.5, and FortiManager is 6.0.2.
Unfortunately, when the firewalls update the CRL, it causes them to register as Out of Sync in FortiManager.
Is there a way to prevent this?
Thank you.
Is your Config Status or Policy Package Status going to "Out of Sync"?
Changes to the CRL should only affect Config Status. One possibility for Out of Sync status is your auto-update setting may be disabled. You can validate this by running the following CLI:
get system admin setting
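An added example, not part of teddyko's reply or of Fortinet's documentation, showing the check above alongside the change that follows from it. The `config system admin setting` / `set auto-update` commands are assumed from the FortiManager CLI reference (verify against your FortiManager version before use); the sample output line is constructed.

```fortios
# Check the current setting (the command given in the reply above).
get system admin setting
# Among the output, look for a line like (constructed sample):
#   auto-update         : disable

# Enable it so FortiManager pulls device-side changes (such as a refreshed CRL)
# into its device database instead of flagging Config Status as Out of Sync.
# Assumed command; confirm it exists in your version's CLI reference.
config system admin setting
    set auto-update enable
end

# Re-check that the setting took effect.
get system admin setting
```

After enabling this, review the affected device's revision history in FortiManager so that a CRL refresh is not mistaken for an unauthorised configuration change.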
teddyko wrote: Is your Config Status or Policy Package Status going to "Out of Sync"?
Config Status.
teddyko wrote: Changes to the CRL should only affect Config Status. One possibility for Out of Sync status is your auto-update setting may be disabled. You can validate this by running the following CLI:
get system admin setting
Auto-update is disabled.
I assume, then, that there is no mechanism within FortiManager to ignore or auto-update only the CRLs; that the solution is to enable auto-update for all devices. That's fine, as I am the only person who manages the firewalls, though ideally there would be a way to ignore automatic, self-changing bits of configuration like that.
Thank you.
Well... I enabled auto-update, and FortiManager auto-updated the config, but then it set the root policy package status to Out of Sync, though there are no changes applied if I (re)install the policy package. Not ideal.