I understand that (almost?) everything should be configured and deployed via FortiManager for any devices that are managed.
Are there any configuration elements that cannot be done through FortiManager and must be done independently at the device level?
Specifically ... I have a device that cannot connect to FortiAuthenticator, so I have to log in using local credentials. I'm pretty sure the problem is that I need to set a source-ip for the RADIUS connection via CLI:
config user radius
edit "<authentication string>"
set source-ip 192.168.100.1
Of course when I log into the remote device locally and open the CLI, I get the message that "changes will cause this device to be out of sync with FortiManager."
I guess I have four questions:
1. Can this setting for an individual device (that is part of an ADOM with other devices) be set via FortiManager?
2. If so, how?
3. If it cannot be set via FortiManager and I set it on the device itself, will it cause any "out of sync" issues?
4. Are there any configuration elements that can/must be set on the device and not through FortiManager?
I'm just trying to understand if the warning that "this will cause the device to be out of sync" means that I should never EVER change anything locally, or if that's more of a "yes, it can be done, but you need to know what you are doing first" kind of message.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you use CLI templates/template group, you can configure basically anything on a FGT by pushing them.
On the other hand, If you don't use any templates, a policy package and other "manager" like AP Manager, VPN Manager, etc., you can configure everything directly at the device then let FMG to pull the config changes automatically and keep the config "revisions". That one extream way of using FMG.
But most people do somewhere inbetween, some config is regulated by templates and policy packages at least, especially like retail chain customers who has almost the same config for many locations and only subnets are different.
But not regulated part can be configured directly because it's much faster than using "scripts" from FMG, like circuit/interface setting, DHCP or PPPoE or static, username/password got changed, or GW IP got changed, etc.
Or just for test/troubleshooting purpose, you might change them temporarily before the final change is made.
That's how we do our business with FMG. The warning is just a warning I always ignore it but very consciously making those changes at the device what would happen after that at FMG like the templates and policy package might go out of sync and need to get them re-synced.
Toshi
If you use CLI templates/template group, you can configure basically anything on a FGT by pushing them.
On the other hand, If you don't use any templates, a policy package and other "manager" like AP Manager, VPN Manager, etc., you can configure everything directly at the device then let FMG to pull the config changes automatically and keep the config "revisions". That one extream way of using FMG.
But most people do somewhere inbetween, some config is regulated by templates and policy packages at least, especially like retail chain customers who has almost the same config for many locations and only subnets are different.
But not regulated part can be configured directly because it's much faster than using "scripts" from FMG, like circuit/interface setting, DHCP or PPPoE or static, username/password got changed, or GW IP got changed, etc.
Or just for test/troubleshooting purpose, you might change them temporarily before the final change is made.
That's how we do our business with FMG. The warning is just a warning I always ignore it but very consciously making those changes at the device what would happen after that at FMG like the templates and policy package might go out of sync and need to get them re-synced.
Toshi
Good to know, thank you.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.