Hello,
I tried to set a new Global policy package (or even edit the default one) and I noticed that FMG did not give me any option to set the CNAT policy (the Admin Guide says that it should). Then I created a policy package inside a certain ADOM, but when I changed the CNAT settings, I got the error "Global adom package CNAT is not consistent with local adom package CNAT".
I got a similar error when I tried to change the inspection mode from flow to proxy.
Do you know how I can set the NAT or the inspection mode so that there is no conflict between the Global ADOM and a certain ADOM? Furthermore, when I have multiple ADOMs, some with CNAT, some without CNAT, some in proxy mode, some in flow mode, how can I coordinate each ADOM's settings with the Global ADOM settings?
Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?
Thanks
Andreas
Hey Team,
I would like to bring this point to your attention:
In FMG, using execute fmpolicy print-adom-package Global <package ID> 1103
will show us, for example, something like below:
+++++++++++++++++++++++++++++++++++++++++++++++++++++
config policy package settings
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
set checksum "1519420176-1929618009"
set central-nat disable
set inspection-mode flow<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
set ngfw-mode profile-based
set ssl-ssh-profile ""
end
+++++++++++++++++++++++++++++++++++++++++++++++++++++
In this example, I just created a global policy rule and then assigned it to the target ADOM.
It is complaining "Assigning global policy package default to adom TEST failed".
In order to modify the mode of the global PP, I just created the script below and ran it against the Global PP. Global ADOM--->Object Configuration--->Tools---> Display Options--->Advanced--->Scripts (need to be selected)--->Create--->run (right click)
++++++++++++++++++++++++++++++++++++++++++++++++
config policy package settings
set inspection-mode proxy
end
++++++++++++++++++++++++++++++++++++++++++++++++
Please see the results after running the script:
FMG-VM64 # execute fmpolicy print-adom-package Global 1166 1103
Dump all objects for category [policy package settings] in adom [Global] package [1166]:
---------------
config policy package settings
set fwpolicy-implicit-log disable
set fwpolicy6-implicit-log disable
set checksum "1519423955-254522136"
set central-nat disable
set inspection-mode proxy<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
set ngfw-mode profile-based
set ssl-ssh-profile ""
end
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let me know if you found this one useful.
Cheers
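The conflict the thread is about (global and local package settings disagreeing on central-nat or inspection-mode) can be spotted before assignment by diffing the two "policy package settings" dumps. The following is an added example, not Fortinet's or the poster's code: it parses text in the format that `execute fmpolicy print-adom-package <adom> <package ID> 1103` printed above (the sample dumps and their checksum values are constructed) and reports the keys that differ.

```python
"""Compare 'policy package settings' dumps from a Global and a local ADOM.

Assumption: the dump format is the one shown in the post above, i.e. a
'config policy package settings' block of 'set <key> <value>' lines ended
by 'end', possibly with the poster's '<<<<' highlighting appended.
"""
import re

# Settings the thread shows must agree before a global package is assigned.
ASSIGNMENT_KEYS = ("central-nat", "inspection-mode")

def parse_package_settings(dump: str) -> dict:
    """Return {key: value} from the 'config policy package settings' block."""
    settings = {}
    in_block = False
    for raw in dump.splitlines():
        line = raw.strip().split("<<<", 1)[0].rstrip()  # drop '<<<<' markers
        if line == "config policy package settings":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'set (\S+) (.*)$', line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def assignment_conflicts(global_dump: str, local_dump: str) -> dict:
    """Keys in ASSIGNMENT_KEYS whose value differs: {key: (global, local)}."""
    g = parse_package_settings(global_dump)
    l = parse_package_settings(local_dump)
    return {k: (g.get(k), l.get(k)) for k in ASSIGNMENT_KEYS if g.get(k) != l.get(k)}

# Constructed sample dumps (checksums are placeholders, not real values).
GLOBAL_DUMP = """Dump all objects for category [policy package settings] in adom [Global] package [1166]:
---------------
config policy package settings
set fwpolicy-implicit-log disable
set checksum "0000000000-000000000"
set central-nat disable
set inspection-mode flow<<<<<<<<<<<<
set ssl-ssh-profile ""
end"""
LOCAL_DUMP = GLOBAL_DUMP.replace("central-nat disable", "central-nat enable") \
                        .replace("inspection-mode flow", "inspection-mode proxy")

if __name__ == "__main__":
    for key, (gv, lv) in assignment_conflicts(GLOBAL_DUMP, LOCAL_DUMP).items():
        print(f"{key}: Global={gv} local={lv}")  # each line is one assignment blocker
```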
> I got the error "Global adom package CNAT is not consistent with local adom package CNAT"
Currently, central NAT cannot be used with global policy packages (at the global level) as you discovered. Consequently, central NAT should not be enabled in any ADOMs to which global policy packages will be assigned.
> Finally, it seems that in FMG 5.6 the Global ADOM refers to 5.6 also. Can we have multiple Global ADOMs, each one for every f/w version? Does this functionality make any sense at all?
In FMG 5.6.1, global version 5.4 can support ADOMs with versions 5.4 & 5.6. There is only ever 1 global "ADOM". Global version 5.6 will ONLY support ADOMs with version 5.6.
> I noticed that FMG did not give me any option to set the CNAT policy (the Admin Guide says that it should).
Thanks for alerting us to this documentation error. We will correct it since global policy packages do not have this option.
Thanks a lot for your reply.
There is still one thing in your answer that needs to be confirmed: I understand that CNAT is not supported when global policy packages are used. Consequently, if we don't use global policy packages, then we can do CNAT, right? Otherwise this would mean that we cannot do policy mode and NAT with the FMG.
I noticed the same problem when trying to create a policy package in proxy inspection mode (Global adom package inspection mode is not consistent with local adom package inspection mode).
I'm totally confused about what the inspection mode is in the global ADOM and the other ADOMs. I noticed the following inside the ADOM:
1. The policy package I imported from a device, appears to be in proxy inspection (and works fine, seems there is no conflict with the global database).
2. The default package for this ADOM appears to be in flow inspection.
3. All policy packages I create inside this ADOM cannot be in proxy mode.
4. When I unassign the ADOM from the global database, I can create proxy inspection policy packages inside the ADOM (it looks like the global database is in flow inspection mode and cannot be changed to proxy).
Can somebody explain to me how the global database thing works in terms of inspection mode? What I have seen so far discourages me from using the global database...
Thanks
Awesome, many thanks.
The script above helped.
Cheers
Helped me too! Thanks brazz.