Hi, sometimes after an edit of a policy package on an FMG, such as creating a new object or a new policy, almost all firewalls go into status "Modified", but nothing has really been modified. The edit is done only on one device, with its policy package, but for some reason all other devices believe an edit has been done for them.
If we try to re-install the policy package, the diff shows no info; in the end it says "no commands to be installed" and the yellow triangle "Modified" turns into a green check as before.
This happened various times with different FMG versions, 5.4 and now 5.6.3. Managed FortiGates are on 5.4.5.
Can someone please explain why an edit has this impact even if it is non-existent for other devices?
Upgrade to 5.6.5, that should help alleviate that issue.
What you describe, and variants of, is my biggest and longest-standing complaint about FortiManager. Devices going into modified status when only 'blank pushes' are needed. I have been seeing this issue since FortiManager 5.2.
Running 5.6.5 I don't see the same issue you describe anymore. However, importing (or re-importing) a policy package will do the same thing. Importing one firewall will trip the change (modified) flag for all of the other firewalls, even though no actual changes are needed.
You gave creating "a new policy" as an example of the type of edit you did. If you add a new policy in a policy package & then install THAT policy package, there should be something to install (unless you restricted "Install On"). So your report of "no commands to be installed" doesn't really make sense.
Can you provide more specifics?
By the way, there have been experiences in the past of how modification of one policy package affects another policy package. But that sounds different than what you have reported.
Merely created a couple of objects, such as zones, and used them in a couple of new policies, only on a specific device. Once the updates are done on the targeted device, immediately all the others go into "Modified" status, but it's nonsense because they have no modification pending. This situation applies with any type of edit: basically, every edit appears to affect all the devices in the ADOM.
Best to report a support ticket for review.
By the way, you mention "yellow triangle "Modified" turns into a green check as before." So I presume we are indeed talking about "Policy Package Modified" and not "Device Config Modified".
Ergotherego, thank you for your suggestion.
Searching for this type of bug in the release notes of 5.6.5, I found the following:
488159 - Multiple Policy Packages status changed to Modified after making change to one Policy Package.
I think I hit this very bug. Now I have opened a support case for confirmation.
Copyright 2024 Fortinet, Inc. All Rights Reserved.