Managed Fortigate by Fortimanager not updating
Hi,
So I configured a managed Fortigate via Fortimanager. What I did was:
1. added an address object
2. added this address object to a dynamic group
For some reason it has been a day and I still don't see the new address object on the managed Fortigate. I do see, under Configurations and Installations, Config Status: Auto Update checked.
Not sure how to troubleshoot this
Thanks in advance
Jeff
Labels: FortiManager
I may be a bit late to the party, but it looks to be a bit as if you have the following:
- a static address (the address has no per-device-mapping), at least per the screenshot you shared
- a possibly dynamic group? I could not see a screenshot for the actual group, just the individual address
-> that means the group could have per-device-mapping (have different members for various FortiGates)
-> I would double-check the group itself and see if per-device-mapping is enabled, and if that is the case then check the group members that are configured for the specific FortiGate/Policy Package you're looking at
"Auto-update" is for the opposite direction, from the FGT config into the Device config DB on FMG. You must be using a policy package, and when you made the change to an object, the package sync status must have gone out of sync or modified. Until you push/install it, it's not going to be changed at the FGT.
You need to install the policy package.
Toshi
Thanks for the response. When you say install the policy package, I'm not sure what that means; this is the first time I've dealt with FMG. Are you referring to the screen capture below?
Before blindly installing it, check the policy package status under Device Manager->Device&Groups like below. You might need to add "Policy Package Status" in "Column Settings". It should be out of sync.
Policy package shows a green check
Created on 06-17-2022 05:47 PM Edited on 06-17-2022 05:49 PM
That means the address object you modified is NOT used in the policies in the package. In other words, if an object is not used, it would never be installed to the FGT.
I see. Actually, this is not a modified object but a new object. I created it in FMG under the name of the managed Fortigate, under objects.
Where and how exactly did you create it? In Policy&Objects page in GUI? Or CLI Configurations under Device Manager->Device & Group page in GUI? Or used a CLI script under Device Manager and ran against either Policy Package or Device Database?
Toshi
I logged in to Fortimanager, went to Policy & Objects > Policy Packages > Object Configurations (left pane) > Addresses.
I clicked Create New and, after creating the new object, added it to a Dynamic group, where this Dynamic group is used in a Firewall Policy on the Fortigate for that location. I used the GUI instead of the CLI.
I didn't make the changes on the FGT, since there's a prompt that once I force changes on the Fortigate, it will go out of sync with the Fortimanager, so I only open the FGT in Read-Only mode.
Thanks for the detailed explanation of FMG. I didn't have to create a new Policy Package since there's an existing one, but I may need to double-check with another engineer, since on the FGT I see a policy with the same dynamic group added but different address object members compared to the Dynamic group added on the FMG. Just to be on the safe side, I don't want to mess up someone's policy. Thanks for all the help and have a great day ahead!
Jeff
Created on 06-20-2022 12:53 PM Edited on 06-20-2022 12:53 PM
You meant "Per-Device Mapping" by "Dynamic group" in the GUI, right? Then the policy package status for the FGT should go out-of-sync or modified.
I would open a ticket at TAC to ask why the status doesn't change.
Toshi
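To make the two behaviours discussed in this thread concrete (an object only reaches the FortiGate if a policy in the installed package references it, and a group with per-device mapping resolves to different members for different FortiGates), here is a small simulation written for this page. It is not FortiManager code, and the object names, device names and the resolution rules are constructed from the statements in the replies above, so treat it as a model of the described behaviour rather than the product's own logic.

```python
"""Model of which address objects a policy package install would push to a
managed FortiGate. Constructed example: the sample objects below and the
resolution rules are assumptions drawn from this thread, not FortiManager's
own database schema or install algorithm."""
from dataclasses import dataclass, field


@dataclass
class AddressGroup:
    name: str
    members: list                      # default members (address or group names)
    per_device: dict = field(default_factory=dict)  # device -> overriding member list

    def members_for(self, device: str) -> list:
        """Per-device mapping wins over the default member list."""
        return self.per_device.get(device, self.members)


@dataclass
class Policy:
    name: str
    srcaddr: list
    dstaddr: list


@dataclass
class PolicyPackage:
    name: str
    policies: list
    groups: dict      # group name -> AddressGroup
    addresses: set    # every address object that exists in the ADOM object DB


def referenced_addresses(pkg: PolicyPackage, device: str) -> set:
    """Address objects that an install would push to `device`: everything
    reachable from a policy in the package, resolving group membership for
    that device. Objects no policy references are simply never installed."""
    installed, seen_groups = set(), set()

    def walk(name: str) -> None:
        if name in pkg.groups:
            if name in seen_groups:          # guard against nested/cyclic groups
                return
            seen_groups.add(name)
            for member in pkg.groups[name].members_for(device):
                walk(member)
        elif name in pkg.addresses:
            installed.add(name)
        # Unknown names are ignored here; a real install would flag them.

    for pol in pkg.policies:
        for name in pol.srcaddr + pol.dstaddr:
            walk(name)
    return installed


def needs_install(pkg: PolicyPackage, device: str, on_device: set) -> bool:
    """True when the package would push something different from what the
    FortiGate currently holds, i.e. the package status should not be green."""
    return referenced_addresses(pkg, device) != set(on_device)


def add_member(pkg: PolicyPackage, group: str, addr: str, device: str = None) -> None:
    """Add `addr` to a group's default members, or, when `device` is given,
    only to that device's per-device mapping (seeded from the defaults)."""
    grp = pkg.groups[group]
    if device is None:
        grp.members.append(addr)
    else:
        grp.per_device.setdefault(device, list(grp.members)).append(addr)


def build_package() -> PolicyPackage:
    """Constructed sample: one policy, one group with a per-device mapping for
    Branch-FGT, and a freshly created but still unreferenced 'New-Server'."""
    servers = AddressGroup("Servers-Grp", ["HQ-LAN"], {"Branch-FGT": ["Branch-LAN"]})
    return PolicyPackage(
        name="default",
        policies=[Policy("allow-to-servers", ["all"], ["Servers-Grp"])],
        groups={"Servers-Grp": servers},
        addresses={"all", "HQ-LAN", "Branch-LAN", "New-Server"},
    )


if __name__ == "__main__":
    pkg = build_package()
    for dev in ("HQ-FGT", "Branch-FGT"):
        print(dev, sorted(referenced_addresses(pkg, dev)))
    add_member(pkg, "Servers-Grp", "New-Server")   # default members only
    for dev in ("HQ-FGT", "Branch-FGT"):
        print(dev, "after adding New-Server:", sorted(referenced_addresses(pkg, dev)))
```

Run it and the first pass shows that `New-Server` exists in the object database but is pushed to neither device, which is the situation in which the package status stays green. After the object is added to the group's default members, HQ-FGT would now receive it (status no longer green), while Branch-FGT still gets only its per-device mapping, which is exactly the "same group, different members" mismatch the original poster saw between FMG and the FortiGate.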
