Hi,
So I configured a managed Fortigate via Fortimanager, what I did was
1. add an address object
2. added this address object to a dynamic group
For some reason it has been a day and I still don't see the new address object on the managed Fortigate. I do see under Configurations and Installations Config Status: Auto Update checked
Not sure how to troubleshoot this
Thanks in advance
Jeff
I may be a bit late to the party, but it looks to be a bit as if you have the following:
- a static address (the address has no per-device-mapping), at least per the screenshot you shared
- a possibly dynamic group? I could not see a screenshot for the actual group, just the individual address
-> that means the group could have per-device-mapping (have different members for various FortiGates)
-> I would double-check the group itself and see if per-device-mapping is enabled, and if that is the case then check the group members that are configured for the specific FortiGate/Policy Package you're looking at
I don't think it's a per-device mapping, please correct me if I'm wrong
Created on 06-20-2022 01:18 PM Edited on 06-20-2022 01:20 PM
That's not "dynamic" but rather "static" address group members, which affect all FGT devices that use the address group. "Dynamic" generally means changing the members per device on the address group config side. For example, FG1 has members A, B, and C, while FG2 has members A, B and D for the same address group.
Again, it should have knocked down the policy package status out of sync when you added a new address to the address group as long as the FGT uses the group in the policies. So something is wrong.
Toshi
Correct - "Add to Groups" just lists the address groups that this address object is used in. The Per-Device Mapping tickbox is below that and disabled.
If this address object or address group is not referenced in the policy package, FMG will keep it in its ADOM Database and not install it to the device.
Hi Jeff,
It's important to understand how configuration on the device relates to configuration in the FortiManager.
You said you added an address object and put that in a group, but where was that configured?
If you make a configuration change on the FortiGate and auto-update is enabled in the FMG CLI (it is by default), the FGT will send its full configuration file to the FortiManager. This is known as a revision and you can check the revision history for a device in the Device Manager if you double click a device and check the Revision History button in the Configuration and Installation widget.
When this happens, the FortiManager Device Database is updated. The ADOM Database (Policy & Objects section of the GUI) is not updated. To update that you must either Import Policy or Install.
The ADOM database contains objects that can be shared with more than one device.
Import policy pulls the configuration from the Device Database and updates the ADOM Database. If you created the object on the device and are looking for it in Policy & Objects, this is the step that you are missing.
If you created the address and address group on the FortiManager then you only created it in the FortiManager's database. If you then install to the device and it's not pushing the address/group this is because it is not referenced in the Policy Package.
FMG is designed to keep unused objects in the FMG databases and should remove unused objects from the FGT CLI configuration to keep it clean.
If you created an object on the FMG under Policy & Objects, you must reference it in a Policy Package and then install to the device before you will see it show up on the FortiGate.
Always check the install preview before installing config to a FortiGate. It's your last chance to check that what you are about to install is what you actually want to install.
Mark.
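To make the mechanics from Debbie's, Toshi's and Mark's replies concrete, here is a small model of the install decision, written for this thread and not taken from FortiManager's code or API: only objects reachable from the policy package are pushed to a FortiGate, a group with per-device mapping resolves to the member list mapped for that device, and anything that exists only in the ADOM database stays in FMG. The class names, the `per_device` dictionary layout and the `install_preview()` / `unused_in_adom()` / `add_member()` functions are assumptions made for the example; the device and object names are constructed sample data.

```python
"""Illustrative model of which address objects a FortiManager-style install
pushes to a given FortiGate. Not FortiManager's code or API: the data layout
and function names below are assumptions made for this example."""

from dataclasses import dataclass, field


@dataclass
class AddressGroup:
    name: str
    members: list                                   # static (default) member list
    per_device: dict = field(default_factory=dict)  # device name -> member list override


@dataclass
class Policy:
    srcaddr: list
    dstaddr: list


def resolve_group(group, device):
    """Per-device mapping wins over the static member list for that device."""
    return list(group.per_device.get(device, group.members))


def add_member(group, name, device=None):
    """Add an address to a group, either statically or only for one device's mapping.

    A device with no mapping yet starts from a copy of the static member list, so
    adding to a mapping never changes what other devices receive.
    """
    target = group.members if device is None else group.per_device.setdefault(
        device, list(group.members))
    if name not in target:
        target.append(name)


def install_preview(adom_addresses, adom_groups, package, device):
    """Return the set of address objects an install would push to `device`.

    Only objects referenced (directly or via a group) by a policy in the package
    are pushed; objects that exist solely in the ADOM database are not.
    """
    pushed = set()
    groups = {g.name: g for g in adom_groups}
    for pol in package:
        for name in pol.srcaddr + pol.dstaddr:
            if name in groups:
                pushed.add(name)
                pushed.update(resolve_group(groups[name], device))
            elif name in adom_addresses:
                pushed.add(name)
            else:
                raise KeyError(f"policy references unknown object {name!r}")
    return pushed


def unused_in_adom(adom_addresses, adom_groups, package, devices):
    """Objects present in the ADOM DB but installed to no device: they stay in FMG only."""
    everything = set(adom_addresses) | {g.name for g in adom_groups}
    used = set()
    for dev in devices:
        used |= install_preview(adom_addresses, adom_groups, package, dev)
    return everything - used


# Constructed sample data for the example (not from any real environment)
ADOM_ADDRESSES = {"all", "A", "B", "C", "D", "NEW_HOST", "ORPHAN"}
GROUPS = [
    AddressGroup("srv_grp", members=["A", "B"],
                 per_device={"FG1": ["A", "B", "C"], "FG2": ["A", "B", "D"]}),
]
PACKAGE = [Policy(srcaddr=["all"], dstaddr=["srv_grp"])]

if __name__ == "__main__":
    # NEW_HOST exists in the ADOM DB but is in no device's mapping: nothing is pushed.
    for dev in ("FG1", "FG2", "FG3"):
        print(dev, sorted(install_preview(ADOM_ADDRESSES, GROUPS, PACKAGE, dev)))
    print("kept in FMG only:", sorted(unused_in_adom(ADOM_ADDRESSES, GROUPS, PACKAGE, ["FG1", "FG2"])))
    # Adding NEW_HOST to FG1's mapping makes it appear in FG1's install only.
    add_member(GROUPS[0], "NEW_HOST", device="FG1")
    print("FG1 after mapping change:", sorted(install_preview(ADOM_ADDRESSES, GROUPS, PACKAGE, "FG1")))
```

In the sample, FG3 has no mapping and therefore receives the static members A and B, while FG1 and FG2 each receive their own mapped list; `NEW_HOST` is reported as kept in FMG only until it is added to a mapping, which mirrors the symptom in the opening post.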
Hm, I ran into similar issues several times. I changed address objects (with or without per-device mapping) which ARE used in some policy in the policy package. I changed it in the FortiManager, but when I wanted to roll the updated policy package out, FMG stated there is nothing to deploy. It did, however, deploy the changes when I changed something else to make FMG deploy the packages.
So looks to me that for some reason not every change seems to set the policy package out of sync...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thanks @Debbie_FTNT. I just checked the group and indeed it uses Per-Device Mapping. I added the object there, pushed the policy and it reflected on the FGT.
Thanks guys for all the help. This is a good start for the week and I hope everyone is doing ok.
Jeff