NetLux

FortiManager push policies on FortiGate 30G with Trial License

Hello,

Being new to the Fortinet ecosystem, I am not yet familiar with all the details of the FortiManager solution.

However, I have installed the FortiManager VM with a trial license to perform tests in preparation for future use with a full license.
I have two FortiGate 30G devices running the latest available firmware version for these models: 7.2.8.

They are properly "synchronized" with my FortiManager, but when I make a Policy modification and push the changes using "Re-install Policy," an error occurs.

In the "Preview" before the push, I can clearly see the test modification I made and only that modification. However, later in the "View Installation Log" file, new commands are added, which causes the error. The Policy does get successfully pushed, but this creates a configuration "conflict" with each push due to the additional commands/checks.

Starting log (Run on device)


Start installing
FortiGate-… $  config firewall policy
FortiGate-… (policy) $  edit 20
FortiGate-… (20) $  set name "DENY"
FortiGate-… (20) $  set uuid xxxxx
FortiGate-… (20) $  set srcintf "any"
FortiGate-… (20) $  set dstintf "any"
FortiGate-… (20) $  set srcaddr "all"
FortiGate-… (20) $  set dstaddr "all"
FortiGate-… (20) $  set schedule "always"
FortiGate-… (20) $  set service "ALL"
FortiGate-… (20) $  set logtraffic all
FortiGate-… (20) $  next
FortiGate-… (policy) $  end

---> generating verification report
(vdom x: log disk setting:status)
	remote original: enable
	to be installed: 

(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
	remote original: 
	to be installed: disable

(vdom x: vpn ssl settings:servercert)
	remote original: 
	to be installed: ''

(vdom x: web-proxy global:proxy-fqdn)
	remote original: 
	to be installed: "default.fqdn"

<--- done generating verification report



------- Start to retry --------

FortiGate-… $  config log disk setting
FortiGate-… (setting) $  unset status
FortiGate-… (setting) $  end
FortiGate-… $  config firewall ssl-ssh-profile
FortiGate-… (ssl-ssh-profile) $  edit "custom-deep-inspection"
FortiGate-… (custom-deep-insp~ion) $  config ssh
FortiGate-… (ssh) $  set status disable
FortiGate-… (ssh) $  end
FortiGate-… (custom-deep-insp~ion) $  next
FortiGate-… (ssl-ssh-profile) $  end
FortiGate-… $  config vpn ssl settings
FortiGate-… (settings) $  set servercert ''
FortiGate-… (settings) $  end
FortiGate-… $  config web-proxy global
FortiGate-… (global) $  set proxy-fqdn "default.fqdn"
FortiGate-… (global) $  end


---> generating verification report
(vdom x: log disk setting:status)
	remote original: enable
	to be installed: 

(vdom x: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
	remote original: 
	to be installed: disable

(vdom x: vpn ssl settings:servercert)
	remote original: 
	to be installed: ''

(vdom x: web-proxy global:proxy-fqdn)
	remote original: 
	to be installed: "default.fqdn"

<--- done generating verification report


install failed

I have tried using ADOMs in versions 7.2, 7.4, and 7.6. The issue persists, so it does not appear to be related to the ADOM. I considered a Template file, but no Template is being used, as I have not created any so far.

Could the issue be related to the trial license? A configuration issue with my FortiGate devices? Or with my FortiManager VM?

Thank you in advance,
Have a great day!

dingjerry_FTNT

OK, more questions:

1) Please keep using the 7.2 ADOM version.

2) When you added the FGT 30G, did you import the configuration from the FGT? I hope that you have firewall policies configured on the FGT already.

3) If yes, and since this is the only FGT in this ADOM, on the Conflict Object page while importing, please select "FGT", not "FMG".

4) Once the import is done, are the Config Status and PP (Policy Package) Status in sync?

5) If yes, try to push the PP and config settings. Are you able to push them?

6) If yes, make some minor changes, such as adding a comment/note to one firewall policy, then push it again to see whether you still have this issue or not.

7) When you push, use the "Install Wizard". It will give you the chance to pause/stop/cancel and review the Install Preview. Save/download the Install Preview and, if you still have the issue, provide it.

Regards,

Jerry
NetLux

I followed the different steps you gave me, even though I had already tested them:

- An ADOM in 7.2

- Imported the configuration and policies by selecting "FGT" in the conflicts.

- Yes, I already have policies on the FortiGate 30G.

I used the "Install Wizard" instead of "Re-install Policy", and it gave me approximately the same result when adding only one comment. I first checked in the install preview that it contained only what I had modified, which was the case:

=== Preview result ===
config firewall policy
    edit 8
        set comments "Add 1 comment test"
    next
end

So I launched the push, which unfortunately led to the same error:

Starting log (Run on device)


Start installing
FortiGate-X $  config firewall policy
FortiGate-X (policy) $  edit 8
FortiGate-X (8) $  set comments "Add 1 comment test"
FortiGate-X (8) $  next
FortiGate-X (policy) $  end


---> generating verification report
(vdom root: log disk setting:status)
	remote original: enable
	to be installed: 

(vdom root: firewall ssl-ssh-profile "Test" ssh:status)
	remote original: 
	to be installed: disable

(vdom root: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
	remote original: 
	to be installed: disable

(vdom root: vpn ssl settings:servercert)
	remote original: 
	to be installed: ''

(vdom root: web-proxy global:proxy-fqdn)
	remote original: 
	to be installed: "default.fqdn"

<--- done generating verification report



------- Start to retry --------

FortiGate-X $  config log disk setting
FortiGate-X (setting) $  unset status
FortiGate-X (setting) $  end
FortiGate-X $  config firewall ssl-ssh-profile
FortiGate-X (ssl-ssh-profile) $  edit "Test"
FortiGate-X (Test) $  config ssh
FortiGate-X (ssh) $  set status disable
FortiGate-X (ssh) $  end
FortiGate-X (Test) $  next
FortiGate-X (ssl-ssh-profile) $  edit "custom-deep-inspection"
FortiGate-X (custom-deep-insp~ion) $  config ssh
FortiGate-X (ssh) $  set status disable
FortiGate-X (ssh) $  end
FortiGate-X (custom-deep-insp~ion) $  next
FortiGate-X (ssl-ssh-profile) $  end
FortiGate-X $  config vpn ssl settings
FortiGate-X (settings) $  set servercert ''
FortiGate-X (settings) $  end
FortiGate-X $  config web-proxy global
FortiGate-X (global) $  set proxy-fqdn "default.fqdn"
FortiGate-X (global) $  end


---> generating verification report
(vdom root: log disk setting:status)
	remote original: enable
	to be installed: 

(vdom root: firewall ssl-ssh-profile "Test" ssh:status)
	remote original: 
	to be installed: disable

(vdom root: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
	remote original: 
	to be installed: disable

(vdom root: vpn ssl settings:servercert)
	remote original: 
	to be installed: ''

(vdom root: web-proxy global:proxy-fqdn)
	remote original: 
	to be installed: "default.fqdn"

<--- done generating verification report


install failed

As answered above, doing a "Retrieve configuration" solves the situation and removes the "Conflict" generated by the push error.

But for a global push on a large firewall fleet in the future, this will be anything but practical... The solution would therefore be to find out what causes this.

Thanks
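The two install logs posted above share one fixed shape: the commands actually sent, then a verification report of `(vdom …: table:attribute)` triples with a `remote original` (what FortiManager read back from the FortiGate) and a `to be installed` value, a retry block that resends exactly those attributes, a second report, and `install failed`. The parser below is an added example, not code from the original posts or from Fortinet. It extracts the triples from each report, lists the CLI tables the install touched that the preview never showed (the poster's complaint), and flags the entries that come back identical after the retry, which is the signature of a value the device did not keep. The sample log and preview are constructed to mirror the thread's, with the device name `FortiGate-X` as a placeholder and the retry commands abbreviated.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of the install log quoted in this thread
# (placeholder device "FortiGate-X"; the retry commands are abbreviated).
SAMPLE_LOG = """\
Start installing
FortiGate-X $  config firewall policy
FortiGate-X (policy) $  edit 8
FortiGate-X (8) $  set comments "Add 1 comment test"
FortiGate-X (8) $  next
FortiGate-X (policy) $  end

---> generating verification report
(vdom root: log disk setting:status)
\tremote original: enable
\tto be installed:

(vdom root: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
\tremote original:
\tto be installed: disable

(vdom root: web-proxy global:proxy-fqdn)
\tremote original:
\tto be installed: "default.fqdn"

<--- done generating verification report

------- Start to retry --------
FortiGate-X $  config log disk setting
FortiGate-X (setting) $  unset status
FortiGate-X (setting) $  end

---> generating verification report
(vdom root: log disk setting:status)
\tremote original: enable
\tto be installed:

(vdom root: firewall ssl-ssh-profile "custom-deep-inspection" ssh:status)
\tremote original:
\tto be installed: disable

<--- done generating verification report

install failed
"""

# The install preview for the same push (constructed, same shape as the thread's).
SAMPLE_PREVIEW = """\
config firewall policy
    edit 8
        set comments "Add 1 comment test"
    next
end
"""

@dataclass(frozen=True)
class Entry:
    vdom: str
    path: str     # CLI table, e.g. 'log disk setting'
    attr: str     # attribute that was compared, e.g. 'status'
    remote: str   # value read back from the FortiGate ('' = not set)
    install: str  # value FortiManager wants ('' = it will 'unset' it)

ENTRY_RE = re.compile(
    r"^\(vdom (?P<vdom>[^:]+): (?P<path>.+):(?P<attr>[^:()]+)\)\n"
    r"\tremote original: ?(?P<remote>.*)\n"
    r"\tto be installed: ?(?P<install>.*)$",
    re.MULTILINE,
)
# 'config <table>' at the top level: unindented (preview) or right after a bare
# 'FortiGate-X $' prompt (log); nested blocks show a '(name) $' prompt instead.
TOP_LEVEL_CONFIG_RE = re.compile(r"^(?:\S+ \$\s+)?config (.+)$", re.MULTILINE)

def parse_reports(log: str) -> list[list[Entry]]:
    """One list of Entry per verification report, in the order they appear."""
    reports = []
    for chunk in log.split("---> generating verification report")[1:]:
        body = chunk.split("<--- done generating verification report")[0]
        reports.append([Entry(**m.groupdict()) for m in ENTRY_RE.finditer(body)])
    return reports

def stuck_entries(log: str) -> list[Entry]:
    """Mismatches reported identically before and after the retry: the device did not keep the value."""
    reports = parse_reports(log)
    if len(reports) < 2:
        return []
    first = set(reports[0])
    return [e for e in reports[-1] if e in first]

def unexpected_pushes(preview: str, log: str) -> list[str]:
    """CLI tables the install touched that the preview never listed."""
    pushed = set(TOP_LEVEL_CONFIG_RE.findall(log))
    return sorted(pushed - set(TOP_LEVEL_CONFIG_RE.findall(preview)))

if __name__ == "__main__":
    print("tables not in preview:", unexpected_pushes(SAMPLE_PREVIEW, SAMPLE_LOG))
    print("still mismatched after retry:", [f"{e.path}:{e.attr}" for e in stuck_entries(SAMPLE_LOG)])
```

Run against the second post's log, `stuck_entries` returns the same five entries from both reports, because the retry block resends each value and the verification immediately reports it again. An empty `to be installed` corresponds to the `unset` the retry issues, so `log disk setting:status` is FortiManager trying to remove a setting the device keeps as `enable`. For the fleet-wide case the poster worries about, running `unexpected_pushes` on each saved install log is the cheap per-device check: anything it lists is a table on which FortiManager's copy of the device configuration and the device itself disagree, which is what the "Retrieve configuration" mentioned above clears by refreshing FortiManager's copy from the device.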

dingjerry_FTNT

Hi @NetLux ,

1) Do you have any system template associated with this FGT while adding it into the ADOM?

2) Do you apply the Global DB to this FGT/ADOM?

3) Actually, when this issue happened, you could have run some commands on the FGT directly to collect some outputs. But since you already ran Retrieve, we may have lost the chance.

Regards,

Jerry
NetLux

Hi @dingjerry_FTNT ,

1) I don't have a system template that I created for this firewall in this ADOM.

2) No, I did not assign the Global DB.

The FortiGate 30G being the lowest FortiGate model offered, I wonder if it is not because of this...
