FortiManager pushes unused objects to FortiGate
We have recently imported a policy package "X" from a FortiGate into an ADOM, but there is a different policy package "Y" in the same ADOM which doesn't use any of the objects from policy package "X".
Now policy package "Y" shows the package as modified for all its installation targets, and when we go through the install wizard to look at the "download preview" it shows objects which were imported during "import policy package for X".
My question is: does FortiManager push unused objects even if they are not referenced in the policy package used by the installation targets?
Labels: 5.2
The only instance I know of where FMG pushes unreferenced objects is for security profiles. Everything else it pushes is referenced in the configuration somewhere.
Do Y and X make use of groups with the same name, but different members? I.e., the two groups with the same name got merged, and now have the members from both firewalls.
There is a bug in FMG 5.4 - 0401646 - that will cause other policy packages to show modified after importing a new PP or making changes. But it doesn't result in unreferenced changes being pushed down - in fact those are "blank pushes" where you have to go through the motions of installing just to clear that flag.
Y and X have nothing in common. Along with unused security profiles some common service objects are also pushed :(
ergotherego wrote:
There is a bug in FMG 5.4 - 0401646 - that will cause other policy packages to show modified after importing a new PP or making changes. But it doesn't result in unreferenced changes being pushed down - in fact those are "blank pushes" where you have to go through the motions of installing just to clear that flag.
Yes, one of the super annoying bugs in the current version.
What I've noticed: It's pushing out all security group profiles to all boxes. Even if the group profiles are not referenced.
Have you imported a group profile maybe?
I haven't had any issue with service objects though. Have you searched for these objects in the 'Database configuration' under System > Dashboard? Or checked whether the service object is used via the "Where Used" option, by right-clicking on the service object in the 'Object Configurations' view?
Other problems I observed:
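The "Where Used" check suggested above can be approximated offline on the text of a FortiGate configuration or of the install wizard's download preview. The following script is an added example for this thread, not code from Fortinet or FortiManager: it parses FortiGate-style `config` / `edit` / `set` blocks, records which address and service objects are defined, which are referenced by policies and groups, and reports the ones nothing references. The sample configuration, the object names in it, and the section-to-key mapping are constructed for illustration; the built-in objects `all`, `ALL` and `HTTPS` are referenced but not defined in the sample, so they are never reported.

```python
import shlex
from collections import defaultdict

# Constructed sample in FortiGate CLI syntax (not a real device's config).
SAMPLE_CONFIG = """
config firewall address
    edit "LAN"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "DMZ-Web"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "Orphan-Addr"
        set subnet 10.9.9.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "Web-Servers"
        set member "DMZ-Web"
    next
end
config firewall service custom
    edit "HTTP-8080"
        set tcp-portrange 8080
    next
    edit "Unused-Svc"
        set tcp-portrange 9999
    next
end
config firewall service group
    edit "Web-Ports"
        set member "HTTP-8080" "HTTPS"
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN"
        set dstaddr "Web-Servers"
        set service "HTTP-8080" "HTTPS"
        set action accept
        set schedule "always"
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "LAN"
        set dstaddr "all"
        set service "ALL"
        set action deny
        set schedule "always"
    next
end
"""

# Sections whose "edit <name>" entries define an object, and the type they define.
DEFINITION_SECTIONS = {
    "firewall address": "address",
    "firewall addrgrp": "address",
    "firewall service custom": "service",
    "firewall service group": "service",
}

# "set <key> ..." lines that reference objects, per section, with the type referenced.
# (Assumed mapping for the example; extend it for VIPs, schedules, profiles, etc.)
REFERENCE_KEYS = {
    "firewall policy": {"srcaddr": "address", "dstaddr": "address", "service": "service"},
    "firewall addrgrp": {"member": "address"},
    "firewall service group": {"member": "service"},
}


def parse_config(text):
    """Return (defined, referenced): type -> set of object names."""
    defined = defaultdict(set)
    referenced = defaultdict(set)
    stack = []  # names of the enclosing "config" sections, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted names containing spaces
        keyword = tokens[0]
        if keyword == "config":
            stack.append(" ".join(tokens[1:]))
        elif keyword == "end":
            stack.pop()
        elif stack:
            section = stack[-1]
            if keyword == "edit" and section in DEFINITION_SECTIONS:
                defined[DEFINITION_SECTIONS[section]].add(tokens[1])
            elif keyword == "set" and section in REFERENCE_KEYS:
                obj_type = REFERENCE_KEYS[section].get(tokens[1])
                if obj_type:
                    referenced[obj_type].update(tokens[2:])
    return defined, referenced


def unreferenced_objects(text):
    """Objects defined in the text that no policy or group refers to.

    Like the GUI "Where Used", this is a one-level check: a member of an
    unreferenced group still counts as referenced (by that group).
    """
    defined, referenced = parse_config(text)
    return {t: sorted(defined[t] - referenced[t]) for t in defined}


if __name__ == "__main__":
    for obj_type, names in unreferenced_objects(SAMPLE_CONFIG).items():
        print(f"unreferenced {obj_type} objects: {', '.join(names) or '(none)'}")
```

Run it against a saved download preview to see which of the objects FortiManager intends to push are not referenced by anything in the package; the script reports `Orphan-Addr`, `Unused-Svc` and `Web-Ports` for the sample.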
Yea, it's security group profiles specifically. We don't use just profiles, so it's one and the same for us :)
To work-around the VIP issue, when you are defining a firewall policy, leave the interfaces set to 'any' at first. Then define the VIP, then you can define the interfaces properly.
5.4.3 is supposed to come out any day now. They keep pushing the release date back. Hopefully that is good news, and it's because they are finally going to fix these bugs once and for all.
There's a LOT of bugs in 5.4.2. My own I've encountered:
- FortiExtender upgrade from FMG does not work
- IPsec VPN monitor optimistically shows *every* tunnel is up, regardless of status
- 5.0 ADOM policies can't be viewed by interface or freeform searched
Just off the top of my head.
I'm really keen on getting that blank policy push bug fixed... I'm 175 devices deep in a 6,500 device rollout and that's the kind of bug that'd make life miserable with that many devices.
FortiManager has a ways to go before it gets on the level of something like Palo's Panorama.
Mike Pruett
MikePruett wrote:
FortiManager has a ways to go before it gets on the level of something like Palo's Panorama.
I've not used that, but on the flip side, I hear from a former coworker that PA's log reporting is far behind FortiAnalyzer. Cat and mouse engineering :)
Hi Dear,
I have enabled partial install via the CLI, as per the link below, but now I am also not able to push any newly created object.
For example, I have created a new LDAP object and I want it to go to the firewall which I have added by per-device mapping. I am getting an error that there is no install device.
Partial install question answered here: https://forum.fortinet.com/tm.aspx?m=158385#158385
Fortinet Technical Support