Support Forum
seola30
New Contributor

Fortimanager - Will sync delete 'Fabric Global Object's?

Hello

I have an environment of several FortiGates and a FortiAnalyzer, and therefore have a Security Fabric. I'm now in the process of adding a FortiManager to the setup, and have installed all my FortiGates and FortiAnalyzer. I can therefore see my devices listed under my Security Fabric name on my FortiManager Device list.

All the policies, objects and so on have been imported doing the device installation.


Now I have changed some policies on my Security Fabric root Firewall, and am ready to push the new policies out.
When I check the configuration Diff before this, I can see it will delete multiple address objects because they are not being used on my Security Root - However these objects have been synced to some of my other firewalls, and are in use on them!


How can I handle this? If the policy installation deletes these objects, and it gets synced to my other firewalls, the policies on those firewalls using the objects will stop working?


Am I missing something??!

4 REPLIES
Anthony_E
Community Manager

Hello Seola30,


Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,


We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,


I found this reddit discussion:


https://www.reddit.com/r/fortinet/comments/10up9pg/fortimanager_will_sync_delete_fabric_global/


I think it replies to your question.


Regards,

Anthony-Fortinet Community Team.
Debbie_FTNT
Staff

Dear Seola,

Is that reddit post also from you? The initial post seems very similar in details and wording.

Either way, I have not been able to find any cases with a customer facing a similar quandary, but I did find a few cases where FortiManager was linked to downstream FortiGates and caused sync issues due to deleting unused objects.

One solution in those cases was to simply disable fabric sync:

config system csf
set fabric-object-unification local
end

This would stop objects from being synced to AND from the FortiGate in question. To my knowledge, if you disable this on your root FortiGate, it should simply stop further object syncing, but already synced objects should stay in place and be unaffected.


Aside from that, the best solution would be to have all FortiGates added to the FortiManager, so the manager can handle objects across the entire fabric, not the root FortiGate. You could open a ticket with Technical Support to get some assistance in migrating your entire Fabric to the FortiManager, not just the one root FortiGate, but this would certainly take some time.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
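As an added example (not from this thread, and not Fortinet's own tooling), here is a Python pre-install check for the situation the original post describes: it takes the address objects a FortiManager install diff says it will remove from the root FortiGate and reports which policies in a downstream FortiGate's config backup still reference them. The config text is a constructed sample in FortiOS CLI syntax, and the function names are my own.

```python
import shlex

# Constructed sample of a downstream FortiGate config backup (FortiOS CLI syntax).
DOWNSTREAM_CONFIG = """\
config firewall address
    edit "SRV_WEB"
        set subnet 10.1.1.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "branch-to-web"
        set srcaddr "NET_BRANCH"
        set dstaddr "SRV_WEB"
    next
    edit 2
        set name "all-out"
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""


def policy_address_refs(config_text):
    """Map policy id -> set of address object names used in srcaddr/dstaddr."""
    refs = {}
    in_policy = False
    policy_id = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_policy = True
        elif in_policy and line == "end":
            in_policy = False
        elif in_policy and line.startswith("edit "):
            policy_id = line.split(None, 1)[1]
            refs[policy_id] = set()
        elif in_policy and (line.startswith("set srcaddr ") or line.startswith("set dstaddr ")):
            # shlex splits the quoted, space-separated object names correctly
            refs[policy_id].update(shlex.split(line)[2:])
    return refs


def broken_by_deletion(config_text, to_delete):
    """Return {object name: [policy ids]} for deletions a downstream policy still references."""
    impact = {}
    for pid, names in policy_address_refs(config_text).items():
        for name in sorted(names & set(to_delete)):
            impact.setdefault(name, []).append(pid)
    return impact
```

Run `broken_by_deletion(DOWNSTREAM_CONFIG, ["SRV_WEB", "OLD_UNUSED"])` against each downstream member's backup before pushing; a non-empty result is a deletion to keep out of the install.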