anyone have a list of things that don't work in / from a global policy? recently ran into an issue with FSSO groups and currently suspecting an issue with web filter rating overrides.
the admin guide hardly mentions global policy and certainly not something like this.
for a global assigned object, if this object is then used by the local ADOM db config and later you removed the global object from the global database, then assigning the global db config to the local ADOM again will fail because this global object is referenced by the local ADOM db and cannot be removed
this is a generic logic, so I am not sure if this is the issue you see, I may need more details to investigate your case
Thanks
Simon
the question is more general, basic functionality that doesn't work from a Global policy.
for example web filter overrides that don't seem to be pushed to a fortigate even though the global policy is assigned to the local.
just wondering if this is single issue or if there is a known list of things that don't work (yet) from a global policy.
so the global rate overrides config is not assigned to the local ADOM? how about assigning all objects, not default used objects only?
thanks
Simon
how would i do that? don't see any option except to assign or unassign a global policy to a local one.
doing the rating override from the local policy in fortimanager works fine.
rating override config is a little special since this object is not directly used by policy, we did some special handling for this config in local ADOM for install, and will review/investigate whether to add similar special logic for global assign
for now, you can use the method below
in global adom - assignment tab, select the ADOM in the assign list, then in the menu there is an "Assign Selected" button; click that button and there are 2 more functions inside
1. to assign policy used objects only, or to assign all global objects
-- so you can choose assign all objects, see if that can work around your case
2. auto install after assign
Thanks
Simon
that does indeed work, but am i correct in my assumption i have to do that every time i make a change in the override rating on global policy level? it doesn't seem to stick to assign all objects and making a change doesn't trigger the global policy to become in changed status anyway.
for now, if you want to keep the assigned global local rating, you need to use this workaround and each time you need to select assign all when you do the assign; we will try to add the same logic as local ADOM install for the next patch release
by the way, what is the issue for FSSO? I think FSSO may not be for this case but need to know more details
Thanks
Simon
Hi,
we ran into the same issue with FSSO in the global policies once... We tried to use FSSO rules in the footer policies - but you can only use RSSO right now. If it would be possible to just create and assign FSSO groups based on the LDAP DN this would be really awesome - but due to design limitations this is not there yet
Br,
Roman
Additionally we ran into the same issue with the rating overrides
Which is only a problem with the "ID" field of the local categories - which conflicts with the same ID field from the local category in the ADOM and then the Global categories "ID" gets changed when assigned - but the profiles are referring to the ID ....
We did create new global objects with completely different IDs in the global section via the CLI and did not have any conflict any more
Br,
Roman
Copyright 2024 Fortinet, Inc. All Rights Reserved.