Katoomba
New Contributor II

FortiManager - global objects prefixed with 'g' - other options?

The Fortinet-chosen naming convention for objects created in the global ADOM uses a single letter 'g' prefix. Fortinet documentation says that you should not create objects in ADOMs that begin with the letter 'g' or else conflicts can occur with the global ADOM objects. This would preclude the use of address objects named 'google', 'gmail', 'greatscot', and on and on. So it would seem that the choice of using a prefix 'g' is very limiting.

 

Why did Fortinet choose this naming method?

Are there any ways to relax this rule to allow other prefix characters or strings?

Would it be better to provide an option to use a different prefix, such as an underscore, or even a user configurable character?

Would it be even better if a user configurable string could be used? Such as, 'global_', '_glbl_', 'g_', or some other user chosen string?

Katoomba

Anthony_E
Community Manager

Hello Katoomba,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
sw2090
Honored Contributor

As far as I can say after some years of using global objects in FMG: I don't think the letter "g" on its own would produce any conflicts. You will, though, get into trouble if a global object has the exact same name as a non-global one in your ADOM. In this case the assignment in the global ADOM will fail.

 

I ran into this several times during migrating objects from adom into global ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Katoomba
New Contributor II

Hi sw2090,

You bring up a good point. It is potentially confusing to be confronted with objects named with the 'g' prefix because you don't immediately know if they're ADOM or global objects.

My workaround is probably going to be naming global objects with an "lbl_" prefix and letting FortiManager push the "g" onto the front so that all global objects become "glbl_<xxxx>".

Katoomba
chall_FTNT
Staff

The restriction is actually on firewall objects whose names are prefixed with 'g-' i.e., the letter g PLUS a dash.

1. These are reserved by FMG for objects at global ADOM level.  
2. This naming convention is also adopted by FortiGates when using global scope objects on FortiGates with multiple VDOMs enabled. Until the most recent FMG firmware, FortiManager didn't support such objects retrieved from FortiGate. The rationale was that global scope objects are not needed on FortiGates managed by FortiManager. However, support for such global scope objects was added in FMG 7.2.2.


Chris Hall
Fortinet Technical Support
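
A pre-flight check that combines the two points made in this thread (the reserved 'g-' prefix and the exact-name clash that makes a global assignment fail), as an added example that is not from any poster or from Fortinet. The object names are constructed, the function name `audit_adom_names` is hypothetical, and the exact, case-sensitive comparison is an assumption; getting the name lists out of FortiManager is not shown.

```python
"""Audit ADOM-level object names before assigning a global policy package."""

RESERVED_PREFIX = "g-"  # per the staff reply: the letter g plus a dash


def audit_adom_names(adoms, global_names):
    """Return {adom: {"reserved": [...], "collision": [...]}} for ADOMs with findings.

    reserved:  ADOM-level names that start with the reserved 'g-' prefix
    collision: ADOM-level names identical to a global object name
    Matching is exact and case-sensitive (an assumption of this example).
    """
    global_set = set(global_names)
    report = {}
    for adom, names in adoms.items():
        reserved = sorted(n for n in names if n.startswith(RESERVED_PREFIX))
        collision = sorted(n for n in names if n in global_set)
        if reserved or collision:
            report[adom] = {"reserved": reserved, "collision": collision}
    return report


# Constructed sample data: names as they might be exported from each ADOM.
SAMPLE_GLOBAL = ["g-dns-servers", "corp-lan", "rfc1918"]
SAMPLE_ADOMS = {
    "branch-east": ["google", "gmail", "g_web", "corp-lan"],
    "branch-west": ["g-dns-servers", "greatscot", "dmz-hosts"],
    "lab": ["glbl_test", "printer-vlan"],
}

if __name__ == "__main__":
    for adom, found in audit_adom_names(SAMPLE_ADOMS, SAMPLE_GLOBAL).items():
        for name in found["reserved"]:
            print(f"{adom}: '{name}' uses the reserved '{RESERVED_PREFIX}' prefix")
        for name in found["collision"]:
            print(f"{adom}: '{name}' has the same name as a global object")
```

Names such as 'google', 'gmail' and 'g_web' pass, since only the 'g-' prefix and exact duplicates are flagged.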
Katoomba
New Contributor II

Thanks for that detail, Chris. Very much appreciated. The use of "g-" (g followed by a dash) makes it much less likely that collisions will happen with user naming conventions.

Katoomba