TSC_JEFF
New Contributor II

Managed Fortigate by Fortimanager not updating

Hi,

 

So I configured a managed Fortigate via Fortimanager. What I did was:

 

1. add an address object

2. added this address object to a dynamic group

 

For some reason it has been a day and I still don't see the new address object on the managed Fortigate. I do see, under Configurations and Installations, Config Status: Auto Update checked.

 

Not sure how to troubleshoot this

 

Thanks in advance

Jeff

1 Solution
Debbie_FTNT
Staff

I may be a bit late to the party, but it looks to be a bit as if you have the following:

- a static address (the address has no per-device-mapping), at least per the screenshot you shared

- a possibly dynamic group? I could not see a screenshot for the actual group, just the individual address

-> that means the group could have per-device-mapping (have different members for various FortiGates)

-> I would double-check the group itself and see if per-device-mapping is enabled, and if that is the case then check the group members that are configured for the specific FortiGate/Policy Package you're looking at

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

Toshi_Esumi
Esteemed Contributor III

"Auto-update" is for the opposite direction, from the FGT config into the Device config DB on FMG. You must be using a policy package, and when you made the change to an object, the package sync status must have gone out of sync or modified. Until you push/install it, it's not going to be changed at the FGT.

You need to install the policy package.

 

Toshi

TSC_JEFF

Thanks for the response. When you say install the policy package, I'm not sure what that means; this is the first time I've dealt with FMG. Are you referring to the screen capture below?

 

[Screenshot: TSC_JEFF_0-1655512552362.png]

 

Toshi_Esumi
Esteemed Contributor III

Before blindly installing it, check the policy package status under Device Manager->Device&Groups like below. You might need to add "Policy Package Status" in "Column Settings". It should be out of sync.

 

[Screenshot: Toshi_Esumi_0-1655512850997.png]

 

TSC_JEFF

Policy package shows a green check.

[Screenshot: TSC_JEFF_0-1655513119672.png]

 

 

Toshi_Esumi
Esteemed Contributor III

That means the address object you modified is NOT used in the policies in the package. In other words, if an object is not used, it would never be installed to the FGT.

TSC_JEFF

I see. Actually, this is not a modified object but a new object. I created this in FMG under the name of the managed Fortigate under objects.

Toshi_Esumi
Esteemed Contributor III

Where and how exactly did you create it? In Policy&Objects page in GUI? Or CLI Configurations under Device Manager->Device & Group page in GUI? Or used a CLI script under Device Manager and ran against either Policy Package or Device Database?

 

Toshi

TSC_JEFF

@Toshi_Esumi 

I logged in to Fortimanager, went to Policy & Objects > Under Policy Packages > Object Configurations (left pane) > Addresses

 

Create New and after creating a new object added to Dynamic group where this Dynamic group is under a Firewall Policy on the Fortigate for that location. I used the GUI instead of the CLI

 

@markwarner 

I didn't make the changes on the FGT, since there's a prompt that once I forced to make changes on the Fortigate, it will go out of sync with the Fortimanager, and so I only open the FGT in Read-Only mode.

 

Thanks for the detailed explanation of FMG. I didn't have to create a new Policy Package since there's an existing one, but I may need to counter-check with another engineer, since on the FGT I see a policy with the same dynamic group added but different object address members compared to the Dynamic group added on the FMG. Just to be on the safe side, so I don't mess up someone's policy. But thanks for all the help and have a great day ahead!

 

Jeff

Toshi_Esumi
Esteemed Contributor III

You meant "Per-Device Mapping" by "Dynamic group" in GUI, right? Then the policy package status for the FGT should go out-of-sync or modified.
I would open a ticket at TAC to ask why the status doesn't change.

 

Toshi
