Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dujardind
New Contributor

Created on ‎12-22-2023 03:04 AM

FortiManager with Fortiswitch VLAN template overriding Fortigate Interface properties

Hello everybody,

 

We are using FortiManager 7.2 to manage FortiGate and FortiSwitch

Central-Management of switches is enabled with template.

 

In the FortiSwitch template, we use vlan object, in order to assign vlan to the ports of the switchs.

But we note than the vlan template object will override all the interface configuration in the Fortigate.

 

In our case, we are looking for a solution that does not impact the DHCP server on the interface.

For example, all our DHCP reservation (defined per Fortigate) are purged when installing the template...

 

Is there a mean to prevent interface modification on the Fortigate, and so just use VLAN object of Fortiswitch manager to assign vlan to fortiswitch ports ?

 

Best Regards

 

Labels:
497
0 Kudos
5 REPLIES 5
smkml
Staff
Staff

Created on ‎12-22-2023 08:42 AM

Hello @dujardind ,

 

Have you tried to import the switch template first before make any change on FortiSwitch Manager?

 

Import switch template.jpg

 

470
0 Kudos
dujardind
New Contributor
In response to smkml

Created on ‎12-22-2023 10:18 AM

Hello @smkml ,

 

In fact, we have a lot of Fortigate (and Fortiswitch) with the same template.

Each of them use the same template, including vlan name and tag.

 

We just have some IP set by CLI template and specific DHCP Reservation directly registered in the device database, different for each Fortigate.

 

So we don't want than the vlan template object be applied (as interface on Fortigate) each time a device installation is pushed from FortiManager.

 

458
0 Kudos
smkml
Staff
Staff
In response to dujardind

Created on ‎12-22-2023 10:42 AM

Hi @dujardind ,

 

Since you make the changes on device database, I would suggest that you disabled the FortiSwitch central-management.

 

disable fortiswitch central-mgmt.jpg

 

If central-management are enabled, your vlan related configuration need to change on the FortiSwitch Manager itself. Which is why it tried to purge your DHCP reservation config because the changes are in device database level. 

 

vlan config in fortiswitch template.jpg

455
dujardind
New Contributor
In response to smkml

Created on ‎12-22-2023 04:05 PM

Thanks for your reply @smkml

 

We realy need central management by template because we have hundreds of switches to configure. It's not a good idea to do that without central templating..

 

I'm trying to find a workaround for DHCP in 3 steps

1- Reaffect my DHCP Server to another interface

2- Apply VLAN template from Fortiswitch without DHCP Server

3- Reaffect DHCP Server to the original interface (same as VLAN template)

 

I find a way to to the third step with the CLI template, that is applied after the Fortiswitch template.

But, for the first step, I'm looking for a way to apply another CLI template or any other script before the Fortiswitch template

 

I hope somebody have an idea about that

434
0 Kudos
smkml
Staff
Staff
In response to dujardind

Created on ‎12-22-2023 08:53 PM

Hi @dujardind ,

 

Then, I would suggest that you make the changes on the FortiSwitch Template itself to reflect on ADOM level instead of device database level.

 

Another option is, to use a Script instead of CLI template to run it one time to multiple devices.

 

run script to fgt directly.jpg

 

You may check below document for various example for the CLI scripts:

https://docs.fortinet.com/document/fortimanager/7.2.4/administration-guide/71780/cli-scripts 

421
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.