Hello,
Being new to the Fortinet ecosystem, I am not yet familiar with all the details of the FortiManager solution.
However, I have installed the FortiManager VM with a trial license to perform tests in preparation for future use with a full license.
I have two FortiGate 30G devices running the latest available firmware version for these models: 7.2.8.
They are properly "synchronized" with my FortiManager, but when I make a Policy modification and push the changes using "Re-install Policy," an error occurs.
In the "Preview" before the push, I can clearly see the test modification I made and only that modification. However, later in the "View Installation Log" file, new commands are added, which causes the error. The Policy does get successfully pushed, but this creates a configuration "conflict" with each push due to the additional commands/checks.
Starting log (Run on device)
Start installing
FortiGate-… $ config firewall policy
FortiGate-… (policy) $ edit 20
FortiGate-… (20) $ set name "DENY"
FortiGate-… (20) $ set uuid xxxxx
FortiGate-… (20) $ set srcintf "any"
FortiGate-… (20) $ set dstintf "any"
FortiGate-… (20) $ set srcaddr "all"
FortiGate-… (20) $ set dstaddr "all"
FortiGate-… (20) $ set schedule "always"
FortiGate-… (20) $ set service "ALL"
FortiGate-… (20) $ set logtraffic all
FortiGate-… (20) $ next
FortiGate-… (policy) $ end
---> generating verification report
(vdom x: log disk setting:status)
remote original: enable
to be installed:
(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
remote original:
to be installed: disable
(vdom x: vpn ssl settings:servercert)
remote original:
to be installed: ''
(vdom x: web-proxy global:proxy-fqdn)
remote original:
to be installed: "default.fqdn"
<--- done generating verification report
------- Start to retry --------
FortiGate-… $ config log disk setting
FortiGate-… (setting) $ unset status
FortiGate-… (setting) $ end
FortiGate-… $ config firewall ssl-ssh-profile
FortiGate-… (ssl-ssh-profile) $ edit "custom-deep-inspection"
FortiGate-… (custom-deep-insp~ion) $ config ssh
FortiGate-… (ssh) $ set status disable
FortiGate-… (ssh) $ end
FortiGate-… (custom-deep-insp~ion) $ next
FortiGate-… (ssl-ssh-profile) $ end
FortiGate-… $ config vpn ssl settings
FortiGate-… (settings) $ set servercert ''
FortiGate-… (settings) $ end
FortiGate-… $ config web-proxy global
FortiGate-… (global) $ set proxy-fqdn "default.fqdn"
FortiGate-… (global) $ end
---> generating verification report
(vdom x: log disk setting:status)
remote original: enable
to be installed:
(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
remote original:
to be installed: disable
(vdom x: vpn ssl settings:servercert)
remote original:
to be installed: ''
(vdom x: web-proxy global:proxy-fqdn)
remote original:
to be installed: "default.fqdn"
<--- done generating verification report
install failed
I have tried using an ADOM in version 7.2, 7.4, and 7.6. The issue persists, so it does not appear to be related to the ADOM. I considered a Template file, but no Template is being used, as I have not created any so far.
Could the issue be related to the trial license? A configuration issue with my FortiGate devices? Or with my FortiManager VM?
Thank you in advance,
Have a great day!
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello @NetLux
Do the config retrieve from FortiManager for the FortiGate as per this https://docs.fortinet.com/document/fortimanager/6.4.0/examples/311736/retrieving-fortigate-device-co...
Then do the install to see if there is an error again.
First screenshot in this article: When a retrieve is not enough, it require... - Fortinet Community
Hello,
Thanks for your answer, but I knew that.
The "Retrieve Configuration" removes the configuration conflict created by the error during the push. But it does not solve the problem of generating an error at each push.
I especially wanted to find a solution to avoid the errors generated during the push ("Re-install Policy"), and not have to do additional actions each time to get around the problem.
Thanks in advance
Based on the output from above, when you are trying to install the modified policy there are some changes which are present besides the policy rule with id 20.
Have you tried setting the actual values again before installing, since the push appears to disable/unset some settings while others are being set?
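Added example, not part of the thread and not Fortinet code: a Python parser for the "generating verification report" blocks in the install log quoted above, listing the settings FortiManager still reports as different after the retry. The log layout is assumed to match the quoted log; the sample log, the hostname `FortiGate-X` and the function names are constructed for illustration, and in this sample one setting clears after the retry.

```python
import re
# Constructed sample in the shape of the install log quoted in the thread.
SAMPLE_LOG = """\
---> generating verification report
(vdom x: log disk setting:status)
remote original: enable
to be installed:
(vdom x: vpn ssl settings:servercert)
remote original:
to be installed: ''
<--- done generating verification report
------- Start to retry --------
FortiGate-X (setting) $ unset status
---> generating verification report
(vdom x: log disk setting:status)
remote original: enable
to be installed:
<--- done generating verification report
install failed
"""

HEADER = re.compile(r'^\(vdom (?P<vdom>[^:]+): (?P<path>.+):(?P<attr>[^:()]+)\)$')
FIELDS = {"remote original:": "device", "to be installed:": "manager"}

def parse_reports(log):
    """Return one list of mismatch dicts per verification report in the log."""
    reports, current = [], None
    for line in map(str.strip, log.splitlines()):
        if line.startswith("---> generating verification report"):
            current = []
        elif line.startswith("<--- done generating verification report"):
            if current is not None:
                reports.append(current)
            current = None
        elif current is not None:
            m = HEADER.match(line)
            if m:  # "(vdom <name>: <config path>:<attribute>)" opens an entry
                current.append({**m.groupdict(), "device": "", "manager": ""})
            for prefix, key in FIELDS.items():
                if current and line.startswith(prefix):
                    current[-1][key] = line[len(prefix):].strip()
    return reports

def persistent_mismatches(log):
    """Entries of the last report that an earlier report already listed."""
    reports = parse_reports(log)
    key = lambda e: (e["vdom"], e["path"], e["attr"])
    seen = {key(e) for r in reports[:-1] for e in r}
    return [e for r in reports[-1:] for e in r if key(e) in seen]
```

Running `persistent_mismatches` on a saved "View Installation Log" gives the config paths to compare between the device database in FortiManager and the running FortiGate configuration.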
I have tried several times to import the real values contained in the FortiGate 30G. The import works well. But with each rule modification, the FortiManager tries to modify or verify something else that I have not modified (what happens after the ---> generating verification report).
Are the FortiGate 30G really manageable by FortiManager? Because in the additional commands that it performs automatically, some are not even recognized in CLI in the FortiGate 30G. And this even with an ADOM in 7.2 while the 30G are in 7.2.8 (maximum version).
What firmware version are you running on FortiManager?
I am on the latest firmware, 7.6.2.
Hi @NetLux
I have some questions and some recommendations:
1) Since your FGT 30G is running 7.2.8, please use it in one 7.2 FGT ADOM.
2) Do you have other FGTs in the same ADOM? If yes, do you share the same Policy Package with all the FGTs in this ADOM?
3) When you add an FGT into ADOM with many FGTs, usually in the Conflict Objects stage, what did you choose for them? "Use value from [FGT or FMG]"?
I guess you use the default option "Use value from FGT". This might be the reason for your issue. I am waiting for your answers to the above questions and will provide more suggestions.
Hi,
Thanks for your answer.
1) I used an ADOM in 7.2, it causes the same result.
2) In the ADOM in 7.2 I only have one FortiGate, because I wanted it to be functional before adding several.
3) First of all I tried with the FGT values, for fear that FortiManager had additional specifications that would not be in the 30G. And then when it did not work I deleted everything and started again by putting "FMG". The result is unfortunately the same.
If you have any other possible solution I am interested, but I have already tested many different things myself, without conclusive results.