Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
DByte883
New Contributor

Fortimanager policy package modified, but not really...

Hi, sometimes after an edit of a policy package on a FMG, such as create a new object or new policy, almost all firewalls goes in status "modified", but nothing has been really modified. The edit is done only on one device, with its policy package, but for some reason all other devices believe an edit has been done for them.

If we try to re-install the policy package, the diff shows no infos, in the end it says "no commands to be installed" and the yellow triangle "Modified" turns into a green check as before.

This happened various times with different FMG versions, 5.4 and now 5.6.3. Managed Fortigates are in 5.4.5.

Can someone please explain why an edit has this impact even if is non-existant for other devices?

1 Solution
ergotherego
Contributor II

Upgrade to 5.6.5, that should help alleviate that issue.

 

What you describe, and variants of, is my biggest and longest-standing complaint about FortiManager. Devices going into modified status when only 'blank pushes' are needed. I have been seeing this issue since FortiManager 5.2.

 

Running 5.6.5 I don't see the same issue you describe anymore. However, importing (or re-importing) a policy package will do the same thing. Importing one firewall will trip the change (modified) flag for all of the other firewalls, even though no actual changes are needed.

View solution in original post

5 REPLIES 5
chall_FTNT
Staff
Staff

You gave as an example of the type of edit you did as creating "a new policy".   If you add a new policy in a policy package & then install THAT policy package, there should be something to install (unless you restricted "Install On").  So your report of "no commands to be installed" doesn't really make sense.

 

Can you provide more specifics?

 

By the way, there have been experiences in the past of how modification of one policy package affects another policy package.  But that sounds different than what you have reported.

Chris Hall
Fortinet Technical Support
DByte883

Merely created a couple of object, such as zones, and used them in a couple of new policies, only on a specific device. Once the updates are done on the targeted device, immediately all the others go into "modified" status, but it's nonsense because they have no modification pending. This situation applies with any type of edit: basically, every edit appears to affect all the devices in the ADOM.

chall_FTNT

Best to report a support ticket for review. 

 

By the way, you mention "yellow triangle "Modified" turns into a green check as before."  So I presume we are indeed talking about "Policy Package Modified" and not "Device Config Modified".

Chris Hall
Fortinet Technical Support
ergotherego
Contributor II

Upgrade to 5.6.5, that should help alleviate that issue.

 

What you describe, and variants of, is my biggest and longest-standing complaint about FortiManager. Devices going into modified status when only 'blank pushes' are needed. I have been seeing this issue since FortiManager 5.2.

 

Running 5.6.5 I don't see the same issue you describe anymore. However, importing (or re-importing) a policy package will do the same thing. Importing one firewall will trip the change (modified) flag for all of the other firewalls, even though no actual changes are needed.

DByte883

Ergotherego, thank you for your suggestion.

Searching for this type of bug in the release notes of 5.6.5, I found the following:

 

488159 - Multiple Policy Packages status changed to Modified after making change to one Policy Package.

 

I think I hit this very bug. Now I have opened a support case for confirmation.

Labels
Top Kudoed Authors