Fortimanager Policy package status issue

Makris_TH · ‎06-19-2024

Hello,

I want to raise an issue that someone may encountered in the past.

We own 4 Fortigate (3 of the in HA-Cluster) devices which are imported as devices in Fortimanager.

Fortimanager version : v7.0.12 GA build0623

Fortigate version : v7.0.16 build0632

The issue is that i cannot have all of the devices Policy package status in imported state.

When i import configuration for one of them this specific device change state to "imported" and the rest 3 devices changing state to "Modified".

below is when i finished importing the the policy package in the 1st device

below is when i finished importing the the policy package in the 2nd device

Does anyone faced this issue before?

Any workaround is welcomed.

Network Engineer

Toshi_Esumi · ‎06-19-2024

You need to understand all of those FGTs shares one object database if they are in the same ADOM. You need to have either unique object names or dynamic objects for the same names. Every time one of those objects updates, it would show up as modified.
So it's an expected result when you import them.

Toshi

View solution in original post

Toshi_Esumi · ‎06-19-2024

You need to understand all of those FGTs shares one object database if they are in the same ADOM. You need to have either unique object names or dynamic objects for the same names. Every time one of those objects updates, it would show up as modified.
So it's an expected result when you import them.

Toshi

jasonhong · ‎06-19-2024

I assume you are prompted to choose to use the value either from FortiGate or Fortimanager whenever you perform an policy & object import for the other FortGates.

If you were to choose to use the values from FortiGate, it will automatically change the status to Modified for the other other FortGates since there can only be one unique value for certain ADOM objects once imported into the ADOM.

If you were to choose to use the values from FortiManager, it will not change the status of the other devices since you are essentially importing the objects into the ADOM while choosing to retain the value that has already been saved in the ADOM object.

Makris_TH · ‎06-25-2024

" I assume you are prompted to choose to use the value either from FortiGate or Fortimanager whenever you perform an policy & object import for the other FortGates. "

Yes i prompted and i use every time the value from Fortigate as i did not want to change an object's value by accident.

I assume that it is better to use separated ADOMs for each fortigate than to use a single ADOM for all of 4 fortigates that are like in a HQ and Branches topology

Network Engineer

Makris_TH · ‎06-25-2024

I did not check the meta fields options yet but thanks for mentioning this ,

I think the approach with separated ADOM for each branch is good , before apply this solution i will test with dynamic objects or of meta fields as you suggested

Network Engineer

Toshi_Esumi · ‎06-25-2024

Just a friendly caution if you decide to use "Meta Field" with 7.0. After 7.2, the global Meta Field itself was migrated to the new "Meta Variable" under ADOM. The FMG upgrade process converts them but it confused me a lot since I didn't know about the change at that time.
So if you wan to utilize the feature, I recommend you upgrade your FMG to 7.2.x first. You eventually need to do that any way to be able to upgrade your FGTs to 7.2.

Toshi