Hello
I have an environment of several FortiGates and a FortiAnalyzer, and therefore have a Security Fabric. I'm now in the process of adding a FortiManager to the setup, and have installed all my FortiGates and FortiAnalyzer. I can therefore see my devices listed under my Security Fabric name in my FortiManager device list.
All the policies, objects and so on have been imported during the device installation.
Now I have changed some policies on my Security Fabric root firewall, and am ready to push the new policies out.
When I check the configuration diff before this, I can see it will delete multiple address objects because they are not being used on my Security Fabric root. However, these objects have been synced to some of my other firewalls, and are in use on them!
How can I handle this? If the policy installation deletes these objects, and it gets synced to my other firewalls, will the policies on those firewalls using the objects stop working?
Am I missing something??!
Hello Seola30,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for someone to help you.
We will come back to you ASAP.
Thanks,
Hello,
I found this reddit discussion:
https://www.reddit.com/r/fortinet/comments/10up9pg/fortimanager_will_sync_delete_fabric_global/
I think it replies to your question.
Regards,
Dear Seola,
Is that Reddit post also from you? The initial post seems very similar in details and wording.
Either way, I have not been able to find any cases with a customer facing a similar quandary, but I did find a few cases where FortiManager was linked to downstream FortiGates and caused sync issues due to deleting unused objects.
One solution in those cases was to simply disable fabric sync:
config system csf
set fabric-object-unification local
end
This would stop objects from being synced to AND from the FortiGate in question. To my knowledge, if you disable this on your root FortiGate, it should simply stop further object syncing, but already synced objects should stay in place and be unaffected.
Aside from that, the best solution would be to have all FortiGates added to the FortiManager, so the manager can handle objects across the entire fabric, not the root FortiGate. You could open a ticket with Technical Support to get some assistance in migrating your entire Fabric to the FortiManager, not just the one root FortiGate, but this would certainly take some time.