NetLux
New Contributor

FortiManager push policies on FortiGate 30G with Trial License

Hello,

 

Being new to the Fortinet ecosystem, I am not yet familiar with all the details of the FortiManager solution.

 

However, I have installed the FortiManager VM with a trial license to perform tests in preparation for future use with a full license.
I have two FortiGate 30G devices running the latest available firmware version for these models: 7.2.8.

They are properly "synchronized" with my FortiManager, but when I make a Policy modification and push the changes using "Re-install Policy," an error occurs.

In the "Preview" before the push, I can clearly see the test modification I made and only that modification. However, later in the "View Installation Log" file, new commands are added, which causes the error. The Policy does get successfully pushed, but this creates a configuration "conflict" with each push due to the additional commands/checks.

 

Starting log (Run on device)


Start installing
FortiGate-… $  config firewall policy
FortiGate-… (policy) $  edit 20
FortiGate-… (20) $  set name "DENY"
FortiGate-… (20) $  set uuid xxxxx
FortiGate-… (20) $  set srcintf "any"
FortiGate-… (20) $  set dstintf "any"
FortiGate-… (20) $  set srcaddr "all"
FortiGate-… (20) $  set dstaddr "all"
FortiGate-… (20) $  set schedule "always"
FortiGate-… (20) $  set service "ALL"
FortiGate-… (20) $  set logtraffic all
FortiGate-… (20) $  next
FortiGate-… (policy) $  end

---> generating verification report
(vdom x: log disk setting:status)
	remote original: enable
	to be installed: 

(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
	remote original: 
	to be installed: disable

(vdom x: vpn ssl settings:servercert)
	remote original: 
	to be installed: ''

(vdom x: web-proxy global:proxy-fqdn)
	remote original: 
	to be installed: "default.fqdn"

<--- done generating verification report



------- Start to retry --------

FortiGate-… $  config log disk setting
FortiGate-… (setting) $  unset status
FortiGate-… (setting) $  end
FortiGate-… $  config firewall ssl-ssh-profile
FortiGate-… (ssl-ssh-profile) $  edit "custom-deep-inspection"
FortiGate-… (custom-deep-insp~ion) $  config ssh
FortiGate-… (ssh) $  set status disable
FortiGate-… (ssh) $  end
FortiGate-… (custom-deep-insp~ion) $  next
FortiGate-… (ssl-ssh-profile) $  end
FortiGate-… $  config vpn ssl settings
FortiGate-… (settings) $  set servercert ''
FortiGate-… (settings) $  end
FortiGate-… $  config web-proxy global
FortiGate-… (global) $  set proxy-fqdn "default.fqdn"
FortiGate-… (global) $  end


---> generating verification report
(vdom x: log disk setting:status)
	remote original: enable
	to be installed: 

(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
	remote original: 
	to be installed: disable

(vdom x: vpn ssl settings:servercert)
	remote original: 
	to be installed: ''

(vdom x: web-proxy global:proxy-fqdn)
	remote original: 
	to be installed: "default.fqdn"

<--- done generating verification report


install failed

 

I have tried using an ADOM in version 7.2, 7.4, and 7.6. The issue persists, so it does not appear to be related to the ADOM. I considered a Template file, but no Template is being used, as I have not created any so far.

 

Could the issue be related to the trial license? A configuration issue with my FortiGate devices? Or with my FortiManager VM?

 

Thank you in advance,
Have a great day!
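As an added example (not from the thread or from Fortinet), the verification report above can be parsed to list exactly which settings FortiManager would touch outside the intended policy change, and whether each would be cleared, added or replaced. The sample text is constructed to mirror the report lines quoted in the log; the parser assumes the "(vdom: path:attribute)" header followed by "remote original:" and "to be installed:" lines, as shown there.

```python
import re
from dataclasses import dataclass
# Constructed sample mirroring the thread's verification report (the log text itself is made up).
SAMPLE_REPORT = """\
---> generating verification report
(vdom x: log disk setting:status)
\tremote original: enable
\tto be installed: 
(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
\tremote original: 
\tto be installed: disable
(vdom x: vpn ssl settings:servercert)
\tremote original: 
\tto be installed: ''
(vdom x: web-proxy global:proxy-fqdn)
\tremote original: 
\tto be installed: "default.fqdn"
<--- done generating verification report
"""

# Entry header: "(vdom x: <cli path>:<attribute>)"; the path may itself contain quoted names.
ENTRY_RE = re.compile(r'^\((?P<vdom>[^:]+): (?P<path>.+):(?P<attr>[^:]+)\)$')

@dataclass
class Mismatch:
    vdom: str
    path: str       # CLI table, e.g. 'log disk setting'
    attr: str       # attribute the install would touch
    remote: str     # value on the FortiGate now ("" when the log shows none)
    installed: str  # value FortiManager wants to push ("" when the log shows none)
    def kind(self) -> str:
        # unset: clears a value; set: adds one where none exists; change: replaces one
        if not self.installed:
            return "unset"
        return "set" if not self.remote else "change"

def parse_verification_report(log: str) -> list[Mismatch]:
    """Collect every entry of the first report between the '--->' and '<---' markers."""
    body = log.split("---> generating verification report", 1)[-1]
    body = body.split("<--- done generating verification report", 1)[0]
    entries, current = [], None
    for line in (raw.strip() for raw in body.splitlines()):
        if m := ENTRY_RE.match(line):
            current = Mismatch(m["vdom"], m["path"], m["attr"], "", "")
            entries.append(current)
        elif current and line.startswith("remote original:"):
            current.remote = line.split(":", 1)[1].strip()
        elif current and line.startswith("to be installed:"):
            current.installed = line.split(":", 1)[1].strip()
    return entries
```

Run against the real installation log, the result shows every setting the install would alter besides the edited policy, which is the list to compare against what the device model actually supports.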

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
asrour
Staff

Hello @NetLux 

 

Do the config retrieve from FortiManager for the FortiGate as per this: https://docs.fortinet.com/document/fortimanager/6.4.0/examples/311736/retrieving-fortigate-device-co...

Then do the install to see if there is an error again.

 

First screenshot in this article: When a retrieve is not enough, it require... - Fortinet Community

A Srour
NetLux
New Contributor

Hello,

Thanks for your answer, but I knew that.

The "Retrieve Configuration" removes the configuration conflict created by the error during the push. But it does not solve the problem of generating an error at each push.

I especially wanted to find a solution to avoid the errors generated during the push ("Re-install Policy"), and not have to do additional actions each time to get around the problem.

 

Thanks in advance

funkylicious
SuperUser

Based on the output from above, when you are trying to install the modified policy there are some changes which are present besides the policy rule with id 20.

Have you tried setting the actual values again before installing, since the push appears to disable/unset some settings while others are being set?

"jack of all trades, master of none"
NetLux

I have tried several times to import the real values contained in the FortiGate 30G. The import itself works well. But with each rule modification, the FortiManager tries to modify or verify something else that I have not modified (this is what happens after "---> generating verification report").
Are the FortiGate 30G really manageable by FortiManager?
Because among the additional commands that it performs automatically, some are not even recognized in the CLI of the FortiGate 30G. And this even with an ADOM in 7.2, while the 30G are on 7.2.8 (the maximum version).

funkylicious

What firmware version are you running on FortiManager?

"jack of all trades, master of none"
NetLux

I am on the latest firmware, 7.6.2.

dingjerry_FTNT

Hi @NetLux 

 

I have some questions and some recommendations:

 

1) Since your FGT 30G is running 7.2.8, please use it in one 7.2 FGT ADOM.

2) Do you have other FGTs in the same ADOM? If yes, do you share the same Policy Package with all the FGTs in this ADOM?

3) When you add an FGT into an ADOM with many FGTs, usually in the Conflict Objects stage, what did you choose for them? "Use value from [FGT or FMG]"?

 

I guess you use the default option "Use value from FGT". This might be the reason for your issue. I am waiting for your answers to the above questions and will provide more suggestions.

Regards,

Jerry
NetLux

Hi,

Thanks for your answer.

1) I used an ADOM in 7.2; it causes the same result.

2) In the ADOM in 7.2 I only have one FortiGate, because I wanted it to be functional before adding several.

3) First of all I tried with the FGT values, for fear that FortiManager had additional specifications that would not be in the 30G. And then, when it did not work, I deleted everything and started again by putting "FMG". The result is unfortunately the same.

If you have any other possible solution I am interested, but I have already tested many different things myself, without conclusive results.
