I've configured a pair of FortiGate 81E firewalls into an HA cluster, and I use them to terminate a set of auto-detect IPSEC tunnels. To improve security, I use PKI to authenticate the tunnels, and I have configured the firewalls to download CRL updates using HTTP. The firewalls currently run FortiOS 5.6.5, and FortiManager is 6.0.2.
Unfortunately, when the firewalls update the CRL, it causes them to register as Out of Sync in FortiManager.
Is your Config Status or Policy Package Status going to "Out of Sync"?
Changes to the CRL should only affect Config Status. One possibility for an Out of Sync status is that your auto-update setting may be disabled. You can validate this by running the following CLI command:
get system admin setting
Auto-update is disabled.
I assume, then, that there is no mechanism within FortiManager to ignore or auto-update only the CRLs; that the solution is to enable auto-update for all devices. That's fine, as I am the only person who manages the firewalls, though ideally there would be a way to ignore automatic, self-changing bits of configuration like that.
Well... I enabled auto-update, and FortiManager auto-updated the config, but then it set the root policy package status to Out of Sync, though there are no changes applied if I (re)install the policy package. Not ideal.
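The thread leaves the admin with no FortiManager-side way to distinguish a CRL refresh from a real configuration drift, so a practical defensive check is to diff the two revisions yourself and separate changes under the CRL object tree from everything else. The script below is an added example written for this thread; it is not Fortinet's code and not something from the original posts. It assumes a simplified FortiOS-like config syntax (`config` / `edit` / `set` / `next` / `end`) and assumes that downloaded CRLs live under `config vpn certificate crl`; the config snippets are constructed. Any other self-changing section path can be added to `SELF_CHANGING` in the same way.

```python
"""Triage a FortiGate config diff: separate CRL-refresh noise from real changes.

Added example for this thread (not Fortinet code). Assumes a simplified
FortiOS-like syntax and that downloaded CRLs live under
'config vpn certificate crl'. All config text below is constructed.
"""
from typing import Dict, List, Set, Tuple

# Section paths whose contents change on their own (assumption: CRL objects).
SELF_CHANGING = ("vpn certificate crl",)

Setting = Tuple[Tuple[str, ...], str]  # (section path, 'set ...' line)


def parse_config(text: str) -> Set[Setting]:
    """Flatten config text into (path, setting-line) pairs.

    'config X' and 'edit Y' push onto the path; 'next' and 'end' pop it, so
    nested blocks are tracked without a full grammar.
    """
    path: List[str] = []
    settings: Set[Setting] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        kw = words[0]
        if kw == "config":
            path.append(" ".join(words[1:]))      # e.g. 'vpn certificate crl'
        elif kw == "edit":
            path.append(" ".join(words))          # e.g. 'edit "CRL_Internal"'
        elif kw in ("next", "end"):
            if path:
                path.pop()
        elif kw in ("set", "unset", "append"):
            settings.add((tuple(path), line))
    return settings


def classify_changes(old_cfg: str, new_cfg: str,
                     self_changing: Tuple[str, ...] = SELF_CHANGING
                     ) -> Dict[str, List[Tuple[str, str]]]:
    """Return differing settings split into 'self_changing' and 'real'.

    A modified value shows up twice (old line and new line); that is fine
    for triage, since the question is only whether anything real moved.
    """
    old, new = parse_config(old_cfg), parse_config(new_cfg)
    result: Dict[str, List[Tuple[str, str]]] = {"self_changing": [], "real": []}
    for path, line in sorted(old ^ new):
        bucket = "self_changing" if any(p in self_changing for p in path) else "real"
        result[bucket].append((" / ".join(path), line))
    return result


def needs_attention(old_cfg: str, new_cfg: str) -> bool:
    """True when the diff contains anything beyond expected self-changing data."""
    return bool(classify_changes(old_cfg, new_cfg)["real"])


# Constructed revision as retrieved before a CRL refresh.
OLD_CONFIG = """
config system global
    set hostname "FGT-HA-A"
end
config vpn certificate crl
    edit "CRL_Internal"
        set http-url "http://pki.example.invalid/crl.pem"
        set crl "BASE64-CRL-OLD"
    next
end
config firewall policy
    edit 1
        set name "Site-to-Site"
        set action accept
    next
end
"""

# Constructed revision where only the downloaded CRL blob changed.
CRL_REFRESH_ONLY = OLD_CONFIG.replace("BASE64-CRL-OLD", "BASE64-CRL-NEW")

# Constructed revision where a firewall policy changed as well.
CRL_REFRESH_PLUS_POLICY = CRL_REFRESH_ONLY.replace("set action accept", "set action deny")


if __name__ == "__main__":
    for label, new in (("CRL refresh only", CRL_REFRESH_ONLY),
                       ("CRL refresh + policy", CRL_REFRESH_PLUS_POLICY)):
        report = classify_changes(OLD_CONFIG, new)
        print(f"{label}: needs attention = {needs_attention(OLD_CONFIG, new)}")
        for bucket, items in report.items():
            for path, line in items:
                print(f"  [{bucket}] {path}: {line}")
```

Run it against two revision exports (for example the last synchronized revision and the current one) and only the `real` bucket warrants a policy package reinstall or a closer look; a diff whose only content is the CRL blob is the expected outcome of the HTTP CRL download the first post describes.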