Y and X have nothing in common. Along with unused security profiles some common service objects are also pushed :(

 

ergotherego wrote:

 

There is a bug in FMG 5.4 - 0401646 - that will cause other policy packages to show modified after importing a new PP or making changes. But it doesn't result in unreferenced changes being pushed down - in fact those are "blank pushes" where you have to go through the motions of installing just to clear that flag.

 

Yes, one of the super annoying bugs in the current version.

 

What I've noticed: It's pushing out all security group profiles to all boxes. Even if the group profiles are not referenced.

Have you imported a group profile maybe?

 

I haven't had any issue with service objects though. Have you searched for these objects in the 'Database configuration' under System:Dashboard? Or checked whether the service object is used by using the "Where Used" option: by right clicking on the service object in the 'object configurations' view.

 

 

Other problems I observed:

[ul]

VIP management doesn't work well at all. Address must be set to to 'any' interface if using Zones or Mapped interfaces. Even then I sometimes cannot configure the VIP object in my policy and have to configure on the FG directly and re-import.

FortiManager trying to push 'set fsso enable' on some policies, but then fails during verification, because there is no such parameter in the Fortigate.

FM is pushing out all FSSO objects in the FM adom, also non-referenced.

It's not possible to configure a FSSO object just for logging purpose. There must be at lease one policy with groups configured, otherwise it will remove the existing FSSO object.[/ul]

Yea, it's security group profiles specifically. We don't use just profiles so it's one in the same for us :)

 

To work-around the VIP issue, when you are defining a firewall policy, leave the interfaces set to 'any' at first. Then define the VIP, then you can define the interfaces properly.

 

5.4.3 is supposed to come out any day now. They keep pushing the release date back. Hopefully that is good news, and it's because they are finally going to fix these bugs once and for all.

There's a LOT of bugs in 5.4.2- My own I've encountered:

 

FortiExtender upgrade from FMG does not work

IPsec VPN monitor optimistically shows *every* tunnel is up, regardless of status

5.0 ADOM Policies can't be viewed by interface or freeform searched

 

just of the top of my head.

 

I'm really keen on getting that blank policy push bug fixed... I'm 175 devices deep in a 6,500 device rollout and that's the kind of bug that'd make life miserable with that many devices.

 

FortiManager has a ways to go before it gets on the level of something like Palo's Panorama.

MikePruett wrote:

FortiManager has a ways to go before it gets on the level of something like Palo's Panorama.

I've not used that, but on the flipside, I hear from a former coworker PA's log reporting is far behind FortiAnalyzer. Cat and Mouse engineering :)

Hi Dear,

 

i have enabled partial install via CLI.  as per below link. but now also i am not able to push any newly created object.

like i have created new LDAP object and i want that should go to the firewall which i have added by per device mapping. i am getting error there is not install device.

 

http://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1200_Policy%20and%20Objects/12...

 

 

Partial install question answered here: https://forum.fortinet.com/tm.aspx?m=158385#158385