Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
viks_a
New Contributor

Fortimanager pushes unused objects to Fortigate

We have recently imported a policy package "X" from a fortigate into an ADOM , but there is a different policy package "Y" in the same ADOM which doesn't use any of the objects from policy package "X".

 

Now Policy package "Y" show the package as modified for all it's installation targets and when we go through the install wizard to look at the "download preview" it shows objects which were imported during "import policy package for X".

 

My question is does "Fortimanager" push unused objects even if they are not referenced in the Policy Package used by the installation targets ?  

9 REPLIES 9
ergotherego
Contributor II

The only instance I know of where FMG pushes unreferenced objects is for security profiles. Everything else it pushes is referenced in the configuration somewhere.

 

Do Y and X make use of groups with the same name, but different members? Ie, the two groups with the same name got merged, and now have both members from both firewalls.

 

There is a bug in FMG 5.4 - 0401646 - that will cause other policy packages to show modified after importing a new PP or making changes. But it doesn't result in unreferenced changes being pushed down - in fact those are "blank pushes" where you have to go through the motions of installing just to clear that flag.

viks_a

Y and X have nothing in common. Along with unused security profiles some common service objects are also pushed :(

localhost

 

ergotherego wrote:

 

There is a bug in FMG 5.4 - 0401646 - that will cause other policy packages to show modified after importing a new PP or making changes. But it doesn't result in unreferenced changes being pushed down - in fact those are "blank pushes" where you have to go through the motions of installing just to clear that flag.

 

Yes, one of the super annoying bugs in the current version.

 

What I've noticed: It's pushing out all security group profiles to all boxes. Even if the group profiles are not referenced.

Have you imported a group profile maybe?

 

I haven't had any issue with service objects though. Have you searched for these objects in the 'Database configuration' under System:Dashboard? Or checked whether the service object is used by using the "Where Used" option: by right clicking on the service object in the 'object configurations' view.

 

 

Other problems I observed:

[ul]
  • VIP management doesn't work well at all. Address must be set to to 'any' interface if using Zones or Mapped interfaces. Even then I sometimes cannot configure the VIP object in my policy and have to configure on the FG directly and re-import.
  • FortiManager trying to push 'set fsso enable' on some policies, but then fails during verification, because there is no such parameter in the Fortigate.
  • FM is pushing out all FSSO objects in the FM adom, also non-referenced.
  • It's not possible to configure a FSSO object just for logging purpose. There must be at lease one policy with groups configured, otherwise it will remove the existing FSSO object.[/ul]
  • ergotherego

    Yea, it's security group profiles specifically. We don't use just profiles so it's one in the same for us :)

     

    To work-around the VIP issue, when you are defining a firewall policy, leave the interfaces set to 'any' at first. Then define the VIP, then you can define the interfaces properly.

     

    5.4.3 is supposed to come out any day now. They keep pushing the release date back. Hopefully that is good news, and it's because they are finally going to fix these bugs once and for all.

    DirtyBlueshirt

    There's a LOT of bugs in 5.4.2- My own I've encountered:

     

    FortiExtender upgrade from FMG does not work

    IPsec VPN monitor optimistically shows *every* tunnel is up, regardless of status

    5.0 ADOM Policies can't be viewed by interface or freeform searched

     

    just of the top of my head.

     

    I'm really keen on getting that blank policy push bug fixed... I'm 175 devices deep in a 6,500 device rollout and that's the kind of bug that'd make life miserable with that many devices.

     

    --- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
    MikePruett

    FortiManager has a ways to go before it gets on the level of something like Palo's Panorama.

    DirtyBlueshirt

    MikePruett wrote:

    FortiManager has a ways to go before it gets on the level of something like Palo's Panorama.

    I've not used that, but on the flipside, I hear from a former coworker PA's log reporting is far behind FortiAnalyzer. Cat and Mouse engineering :)

    --- Aaron Slater Security Analyst, Network Engineer, Part-Time Everything Else
    ss198939

    Hi Dear,

     

    i have enabled partial install via CLI.  as per below link. but now also i am not able to push any newly created object.

    like i have created new LDAP object and i want that should go to the firewall which i have added by per device mapping. i am getting error there is not install device.

     

    http://help.fortinet.com/fmgr/50hlp/56/5-6-1/FortiManager_Admin_Guide/1200_Policy%20and%20Objects/12...

     

     

    chall_FTNT

    Partial install question answered here: https://forum.fortinet.com/tm.aspx?m=158385#158385

    Chris Hall
    Fortinet Technical Support
    Top Kudoed Authors