laravente
New Contributor

Fortimanager Question

So I have a 501E and 301E at 2 different sites. I got the FMG well after having these two units in the wild so I was able to import them in hopes of managing them, however I'm hitting a problem after import. The configs at the actual units were changed (objects added, settings tweaked) after being added to FMG. FMG doesn't know about these additional settings so if I ever go to run the Install Wizard, the Install Preview shows that it would delete all of the items created at the units. I guess that makes sense since FMG will only install what it knows about. (The people who edited outside of FMG are to be restricted to the FMG only.)

 

Question is, how do I ensure that FMG updates what it knows about a unit's objects (addresses, interfaces, etc.) if changes are ever made outside of FMG? In my labs, I've deleted the unit from FMG and re-added it to reflect such changes but I don't know if there'd be any weird side effects that might affect the FGT in a production environment. I'd like to start using FMG going forward but seeing all those "delete xxx" lines in the Install Preview makes me hesitate to push the policy package down to the FGT.

 

Also, I have regular backups of these units - wouldn't I be able to easily restore these configs if the install messed up something? (given I can still access the unit).

GDiFi
Staff

If someone manually changes the Policies or objects on the Fortigate, instead of having to delete the unit, you can simply use the Import Configuration option on the Device Manager page instead to import the policies and objects that way. 

 

This will overwrite any changes that may have been made in FortiManager but not pushed down to the Fortigate yet.

Debbie_FTNT
Staff

Hey laravente,

As GDiFi mentioned above, you can simply import the policy package again - this will update the objects on FortiManager to reflect the changes on FortiGate, and create a new policy package to use.

You might want to delete the old policy package to not accidentally push old policies.

 

In addition, if this is your first installation from FortiManager to FortiGate:

-> a lot of unused objects will get deleted, this is normal (you should see things like service and address objects get removed, for example)

-> no policies should get deleted

-> no objects USED in the policies should get deleted either

-> If you see either in the installation preview, that means not all policies/objects were imported to FortiManager successfully for some reason OR those policies/objects were created on FortiGate and not synced to FortiManager

 

Please note that import to FortiManager technically comes in two stages - syncing to Device Database (this usually happens automatically; you might see a device in state 'Auto Update' at times, or you can retrieve the config from FortiGate if you go into the revision table), and then importing to Policy&Objects (technically importing from Device Database, not FortiGate directly).

It's that second step, importing to Policy&Objects, that will modify the ADOM objects and policy package/create a new policy package.

 

As for regular backups - FortiGate will have a number of backups to FortiManager; one backup is basically created anytime an installation is done from FortiManager, or FortiGate updates its changes to FortiManager Device Database.

You can find these in the revision history in Device Database:
https://docs2.fortinet.com/document/fortimanager/6.0.4/administration-guide/26761/managing-configura...
You can view and compare revisions, and install them to FortiGate if you want to revert to an earlier version.

You can also upload configuration backups from a different location to FortiGate, and then do a configuration retrieve/policy import on FortiManager to get it up to date again.


I hope this helps :)

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
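
The pre-install check described in the reply above (no policies deleted, no objects used in policies deleted) can be scripted. This is an added example, not code from the posters or from Fortinet; it assumes the Install Preview has been saved as text in FortiOS CLI form and that a FortiGate config backup is available, and the function names and both samples are constructed for illustration.

```python
import re

# Constructed sample: install preview text in FortiOS CLI form (assumed layout).
PREVIEW = '''\
config firewall address
delete "old-printer"
delete "branch-lan"
end
config firewall policy
delete 7
end
'''

# Constructed sample: fragment of a FortiGate config backup.
BACKUP = '''\
config firewall policy
    edit 7
        set srcaddr "branch-lan"
    next
end
'''

def preview_deletes(preview):
    """Return (config_section, name) for every delete line in the preview."""
    section, found = None, []
    for line in preview.splitlines():
        line = line.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("delete ") and section:
            found.append((section, line[len("delete "):].strip('"')))
    return found

def policy_references(backup):
    """Collect every quoted value set inside 'config firewall policy'."""
    refs, in_policy = set(), False
    for line in backup.splitlines():
        line = line.strip()
        if line.startswith("config "):
            in_policy = line == "config firewall policy"
        elif in_policy and line.startswith("set "):
            refs.update(re.findall(r'"([^"]+)"', line))
    return refs

def risky_deletes(preview, backup):
    """Deletes that remove a policy or an object a policy still uses."""
    refs = policy_references(backup)
    return [(s, n) for s, n in preview_deletes(preview)
            if s == "firewall policy" or n in refs]
```

An empty result from `risky_deletes` matches the "unused objects only" case; any entry is a reason to re-import to Policy&Objects before installing.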