Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Prevent local address objects from being overw...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Prevent local address objects from being overwritten
Hi
We have a Fortigate that is managed by Fortimanager. We want to block the large number of random IPs that are attempting to login to our SSL VPN.
I have created an automation stitch to dynamically create address objects and put these in to an address group, which is then referenced in the local-in policy. The local-in policy is created on Fortimanager because if it was create locally on the Fortigate, it would get overwritten.
I now have a similar issue with the address objects and group created by the automation stitch. Each time I install policy, it overwrites the group and removes the address objects, since these don't exist on Fortimanager.
So, is it possible to prevent local address objects from getting overwritten by Fortimanager? If so, how do I do this?
Thanks
Roy
Labels:
- Labels:
-
FortiGate
-
FortiManager
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello rsm,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again Roy,
I found this solution. Can you tell us if it helps, please?
To prevent local address objects from being overwritten by FortiManager, you can follow these steps:
-
Reference Objects in Policies: Ensure that the address objects and groups created by the automation stitch are referenced in a policy or rule on FortiManager. FortiManager only installs objects that are referenced in policies. If they are not referenced, they will be removed during the installation process.
-
Use Per-Device Mapping: Utilize per-device mapping in FortiManager to manage specific configurations for individual FortiGate devices. This allows you to maintain certain configurations locally on the FortiGate without them being overwritten by FortiManager.
-
Exclude Objects from Synchronization: If possible, configure FortiManager to exclude certain objects from synchronization. This can be done by adjusting the synchronization settings to ignore specific local objects.
-
Manual Synchronization: After making changes locally on the FortiGate, manually synchronize the configuration with FortiManager to ensure that the local changes are recognized and preserved.
-
Custom Scripts: Consider using custom scripts or automation to reapply the local configurations after a policy installation from FortiManager.
By following these steps, you can manage local address objects and prevent them from being overwritten by FortiManager.
Regards,
Jean-Philippe - Fortinet Community Team
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just to add to what Jean-Philippe_P mentioned:
When the automation stitch updates the objects on the FGT directly, that change is autoupdated in FMG device db (Device Manager will show: Auto Update for the FGT in question) at that time you can Import the config to update the addrgrp in ADOM DB, so the next time when you install the policies via FMG it will NOT overwrite the addrgrp.
FA
Created on 11-28-2025 05:25 PM Edited on 11-28-2025 05:28 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yea, the problem is the update by automation stitch could happen any moment based on the @rsm's description. So probaly email notification or something needs to be added to the stitch to let somebody know the DB change happened so that a human intervention/manual operation can import the updated objects can be imported to the policy package side.
Can't this part be done by something on the FMG side automatically? If that's possible, that would help many other situations as well.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
True, email notification can help in this situation.
But - unfortunately - as of now I think there is no mechanism to do auto Import.
A possible solution would be to use API (Postman or Ansible playbook) which will check the status of the Config, if its 'Auto Update' then run the next API request to do the Import.
- Checkout the attached Postman Collection. Set the required variables (FMG IP, credentials, ADOM name, FGT Name, vdom name) and run the Collection.
- Then I think you can set some sort of auto run timer to run this every few minutes.
The workflow's logic is:
-
1. Retrieve Timestamps: The workflow queries the FMG for two key times, converting both to Unix Timestamps (UTC):
-
Last Task End Time: The completion time of the last successful configuration import.
-
Latest Revision Time: The time the FGT's most recent change was recorded by the FMG.
-
-
2. Apply Condition: It checks if the Last Task End Time is older than the Latest Revision Time.
Last Task End Time < Latest Revision Time -
3. Determine Action:
-
If TRUE: Meaning there is new autoupdate - The workflow proceeds to run the Import Config query.
-
If FALSE: Meaning the import timestamp is after the autoupdate - The workflow stops.
-
You can take this further: to check if the autoupdate change is only for the address object, only then run the import config query.
FA
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+ This type of automation becomes easy if you have FortiSOAR :)
FA
Labels
-
FortiGate
10,946 -
FortiClient
2,247 -
FortiManager
921 -
FortiAnalyzer
700 -
5.2
687 -
5.4
638 -
FortiSwitch
605 -
FortiClient EMS
600 -
FortiAP
576 -
IPsec
466 -
6.0
416 -
SSL-VPN
402 -
FortiMail
386 -
5.6
362 -
FortiNAC
314 -
FortiWeb
262 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
212 -
FortiAuthenticator
192 -
FortiGuard
163 -
5.0
152 -
Firewall policy
152 -
FortiGate-VM
151 -
6.4
128 -
FortiCloud Products
122 -
FortiSIEM
115 -
FortiToken
115 -
FortiGateCloud
113 -
Wireless Controller
97 -
High Availability
94 -
Customer Service
90 -
Routing
83 -
SAML
82 -
ZTNA
82 -
FortiProxy
80 -
BGP
75 -
VLAN
75 -
Authentication
74 -
Fortivoice
73 -
DNS
73 -
Certificate
73 -
FortiEDR
72 -
FortiADC
70 -
RADIUS
67 -
LDAP
65 -
SSO
60 -
FortiLink
60 -
FortiSandbox
57 -
NAT
57 -
FortiExtender
53 -
Interface
51 -
Application control
51 -
VDOM
50 -
4.0MR3
49 -
Virtual IP
47 -
Logging
44 -
FortiDNS
43 -
SSL SSH inspection
42 -
FortiPAM
39 -
Web profile
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiConnect
36 -
Automation
35 -
FortiWAN
32 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Traffic shaping
28 -
Fortigate Cloud
27 -
SSID
26 -
Static route
26 -
SNMP
25 -
System settings
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
OSPF
22 -
WAN optimization
22 -
FortiMonitor
21 -
Web application firewall profile
21 -
Web rating
20 -
Security profile
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
18 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
Users
14 -
Traffic shaping policy
14 -
FortiManager v5.0
13 -
DNS filter
13 -
FortiDeceptor
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Traffic shaping profile
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
Vulnerability Management
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Service
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2808 | |
| 1427 | |
| 812 | |
| 769 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.