FortiManager - Will sync delete 'Fabric Global Objects'?
I have an environment of several FortiGates and a FortiAnalyzer, and therefore have a Security Fabric. I'm now in the process of adding a FortiManager to the setup, and have installed all my FortiGates and FortiAnalyzer. I can therefore see my devices listed under my Security Fabric name on my FortiManager Device list.
All the policies, objects and so on have been imported during the device installation.
Now I have changed some policies on my Security Fabric root Firewall, and am ready to push the new policies out. When I check the configuration Diff before this, I can see it will delete multiple address objects because they are not being used on my Security Root. However, these objects have been synced to some of my other firewalls, and are in use on them!
How can I handle this? If the policy installation deletes these objects, and that gets synced to my other firewalls, the policies on those firewalls using the objects will stop working?
Is that Reddit post also from you? The initial post seems very similar in details and wording.
Either way, I have not been able to find any cases with a customer facing a similar quandary, but I did find a few cases where FortiManager was linked to downstream FortiGates and caused sync issues due to deleting unused objects.
One solution in those cases was to simply disable fabric sync:
config system csf
    set fabric-object-unification local
end
This would stop objects from being synced to AND from the FortiGate in question. To my knowledge, if you disable this on your root FortiGate, it should simply stop further object syncing, but already synced objects should stay in place and be unaffected.
Aside from that, the best solution would be to have all FortiGates added to the FortiManager, so the manager can handle objects across the entire fabric, not the root FortiGate. You could open a ticket with Technical Support to get some assistance in migrating your entire Fabric to the FortiManager, not just the one root FortiGate, but this would certainly take some time.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
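One way to catch this before pushing the install, as an added example that is not from this thread or from Fortinet: a Python script that parses exported FortiOS `show firewall address`, `show firewall addrgrp` and `show firewall policy` output from the root and each downstream FortiGate, and lists the addresses that are unused on the root (so the install diff would remove them) but still referenced on another fabric member. The config fragments and the device name `branch-fw` are constructed; address-group members are counted as in use.

```python
import re
# Constructed FortiOS fragments (not real device output) for the root and one downstream FortiGate.
ROOT_CFG = """config firewall address
    edit "LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "SRV_DB"
        set subnet 10.0.1.10 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "LAN"
        set dstaddr "all"
    next
end
"""
BRANCH_CFG = """config firewall addrgrp
    edit "DB_SERVERS"
        set member "SRV_DB"
    next
end
config firewall policy
    edit 1
        set srcaddr "LAN"
        set dstaddr "DB_SERVERS"
    next
end
"""
def parse_section(cfg, path):
    """Map edit name -> block body for one 'config <path> ... end' section."""
    sec = re.search(rf"^config {re.escape(path)}\n(.*?)^end", cfg, re.S | re.M)
    return dict(re.findall(r'^\s*edit "?([^"\n]+)"?\n(.*?)^\s*next', sec.group(1) if sec else "", re.S | re.M))

def referenced_names(cfg):
    """Names a device depends on: policy srcaddr/dstaddr plus addrgrp members."""
    used = set()
    for path, key in (("firewall policy", "(?:src|dst)addr"), ("firewall addrgrp", "member")):
        for block in parse_section(cfg, path).values():
            for line in re.findall(rf"^\s*set {key} (.+)$", block, re.M):
                used.update(re.findall(r'"([^"]+)"', line))  # values are quoted, space-separated
    return used

def at_risk_objects(root_cfg, member_cfgs):
    """Root addresses unused on the root (an install would drop them) but referenced downstream."""
    unused_on_root = set(parse_section(root_cfg, "firewall address")) - referenced_names(root_cfg)
    risk = {}
    for device, cfg in member_cfgs.items():
        for name in sorted(unused_on_root & referenced_names(cfg)):
            risk.setdefault(name, []).append(device)
    return risk  # {'SRV_DB': ['branch-fw']} for the constructed configs
```

Anything the script reports should be kept in use on the root (or recreated as a FortiManager-managed object) before the install, rather than left to be deleted and synced.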