Hi,
So I configured a managed FortiGate via FortiManager. What I did was:
1. add an address object
2. add this address object to a dynamic group
For some reason it has been a day and I still don't see the new address object on the managed FortiGate. Under Configurations and Installations I do see Config Status: Auto Update checked.
Not sure how to troubleshoot this
Thanks in advance
Jeff
I may be a bit late to the party, but it looks to be a bit as if you have the following:
- a static address (the address has no per-device-mapping), at least per the screenshot you shared
- a possibly dynamic group? I could not see a screenshot for the actual group, just the individual address
-> that means the group could have per-device-mapping (have different members for various FortiGates)
-> I would double-check the group itself and see if per-device-mapping is enabled, and if that is the case then check the group members that are configured for the specific FortiGate/Policy Package you're looking at
"Auto-update" is for the opposite direction, from the FGT config into the Device config DB on FMG. You must be using a policy package, and when you made the change to an object, the package sync status must have gone to out of sync or modified. Until you push/install it, it's not going to be changed on the FGT.
You need to install the policy package.
Toshi
Thanks for the response. When you say install the policy package, I'm not sure what that means; this is the first time I've dealt with FMG. Are you referring to the screen capture below?
Before blindly installing it, check the policy package status under Device Manager -> Device & Groups like below. You might need to add "Policy Package Status" in "Column Settings". It should be out of sync.
The policy package shows a green check.
Created on 06-17-2022 05:47 PM Edited on 06-17-2022 05:49 PM
That means the address object you modified is NOT used in the policies in the package. In other words, if an object is not used, it will never be installed to the FGT.
I see. Actually this is not a modified object but a new object. I created it in FMG under the name of the managed FortiGate, under Objects.
Where and how exactly did you create it? In the Policy & Objects page in the GUI? Or in CLI Configurations under Device Manager -> Device & Groups in the GUI? Or did you use a CLI script under Device Manager and run it against either the Policy Package or the Device Database?
Toshi
I logged in to FortiManager and went to Policy & Objects > Policy Packages > Object Configurations (left pane) > Addresses.
I clicked Create New, and after creating the new object I added it to a Dynamic group, where this Dynamic group is used in a Firewall Policy on the FortiGate for that location. I used the GUI instead of the CLI.
I didn't make the changes on the FGT, since there's a prompt that once I force changes on the FortiGate, it will go out of sync with FortiManager, so I only open the FGT in read-only mode.
Thanks for the detailed explanation of FMG. I didn't have to create a new Policy Package since there's an existing one, but I may need to check with another engineer, since on the FGT I see a policy with the same dynamic group added but different address object members compared to the Dynamic group added on the FMG. Just to be on the safe side that I don't mess up someone's policy. But thanks for all the help and have a great day ahead!
Jeff
Created on 06-20-2022 12:53 PM Edited on 06-20-2022 12:53 PM
You meant "Per-Device Mapping" by "Dynamic group" in the GUI, right? Then the policy package status for the FGT should go to out-of-sync or modified.
I would open a ticket at TAC to ask why the status doesn't change.
Toshi