Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Uwe_Sommerfeld
New Contributor

Fortimanager 5.0.7 dynamic address objects

Hi there just upgraded to 5.0.7. Dynamic objects now went into the object edit pane. Nice one! But it seems I cannot add any dynamic subnets in addresses. the OK button just does nothing and the change is not applied. I could track that down to the " /" not being accepted. IP ranges (a.b.c.d-a.b.c.e) works fine but looks terrible in the object table. Anybody with the same experience?
5 REPLIES 5
Carl_Wallmark
Valued Contributor

no, but I have found some other issues, here is two: 1. If your ADOM is in FortiOS 4.3, you have the option of send logs in realtime via the advanced menu, but that does not exist on the fortigate, so it fails and will fail until you delete and re-import the fortigate. 2. You can configure RBL servers under spamfilter under the advanced menu, but here is no way to add the list to a spamfilter profile, and if its not in use the fortimanager will not push it to the fortgate...Catch 22. I have also found some other minor issues...

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Sean_Toomey_FTNT

ORIGINAL: Selective 2. You can configure RBL servers under spamfilter under the advanced menu, but here is no way to add the list to a spamfilter profile, and if its not in use the fortimanager will not push it to the fortgate...Catch 22.
Hi Selective, sorry to hear about your issue. In general if you cannot find a way to configure policy/object config in FortiManager via the GUI or advanced options, it is possible to do so using Scripting. First ensure you are on latest version of FortiManager. Go to System Settings -> Admin Settings -> Show Script, and enable it. Then go to Device Managed / Devices & Groups tab, and go to Script and create a new CLI Script Paste in the RBL config that you want to use in CLI form which you could get from a FortiGate you have preconfigured. Override the script target and select the middle option which is Policy Package, ADOM or Database (or something similar to this). Press OK. Now right click the script and press Run. Select the policy package you want it to run on, and then this should import the config you are looking for. Hope this helps. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Matthew_Mollenhauer
New Contributor III

Seems to work fine in our FMG, but one " major" issue I' ve found is that a 5.0 ADOM cannot be upgraded to a 5.2 ADOM. According to our SE this feature won' t be available until FMG 5.2.1 and is not likely to be ever included in the 5.0.x releases. Regards, Matthew
Sean_Toomey_FTNT

ORIGINAL: Matthew Mollenhauer one " major" issue I' ve found is that a 5.0 ADOM cannot be upgraded to a 5.2 ADOM. According to our SE this feature won' t be available until FMG 5.2.1 and is not likely to be ever included in the 5.0.x releases.
Hi Matthew, You are correct that FortiManager 5.0.x will not support 5.2 ADOM' s. Generally the FortiManager and FortiOS version need to match but I believe a strategy of " one version up, one version down" is being employed here. FortiManager 5.0.7 supports FortiGates on 5.2.0, if the ADOM is on a 5.0 policy package. Only 5.0.x features are supported in this scenario, but allows you to start to upgrade your firewalls to a newer version while keeping everything managed under the same umbrella. FortiManager 5.2.0 (or a patch thereof) should allow you continue using 5.0 policy package on both 5.0.x and 5.2.x FortiGates while you finish your migration. When all firewalls are up to 5.2.x, then you will have an option to upgrade the 5.0 policy package to 5.2 policy package, which then completes the migration. FortiManager 5.0.x patch added this same ability for 4.3 policy packages. So in a nutshell, FMGR and FGT versions should be paired whenever possible and the conversion tools that are there are really a way to be able to manage the process of bringing an environment up to the new version of code methodically. Hope that makes sense. Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Sean_Toomey_FTNT

ORIGINAL: Wurzlsepp Hi there just upgraded to 5.0.7. Dynamic objects now went into the object edit pane. Nice one! But it seems I cannot add any dynamic subnets in addresses. the OK button just does nothing and the change is not applied. I could track that down to the " /" not being accepted. IP ranges (a.b.c.d-a.b.c.e) works fine but looks terrible in the object table. Anybody with the same experience?
Hi Wurzlsepp, You can indeed add dynamic subnets into policy. I have tried on FMGR 5.0.7 in my lab just now and posted a picture below. I have added one dynamic subnet and am in the process of adding another. You can add them as x.x.x.x/yy format. You can also make combinations so the " placeholder" dynamic object is a single IP while the mapped object to your FW is a subnet, and vice versa, and any mix therein. If you are still seeing different behavior, can you pls post a pic here and describe what it is you are trying to do? Cheers!
-- Sean Toomey, CISSP FCNSP Consulting Security Engineer (CSE) FORTINET— High Performance Network Security
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors