FortiManager
awasfi_FTNT
Staff
Article Id 195923

Description


This article describes how to check, verify and fix the different policy package statuses.

 

Scope

 

FortiManager.

Solution


Compatibility between FortiManager and the FortiGates has to be verified before adding the FortiGates to FortiManager or pushing any configuration from FortiManager.
Review the compatibility document, which can be found at the following link under (FortiManager -> Release Information -> Compatibility).


The ADOM version must match the firmware branch of the managed FortiGates.
For example, if a FortiGate runs v6.0.x firmware, it has to be added to a v6.0 ADOM.
 
ADOM version can be verified from GUI or CLI:

GUI:

 
 
CLI:
 
diagnose dvm adom list
There are currently 18 ADOMs:
OID      STATE    PRODUCT OSVER MR  NAME                MODE    VPN MANAGEMENT        IPS                                                
192      enabled  FOS     6.0   0   6_0_ADOM            Normal  Policy & Device VPNs  15.763                                             
108      enabled  FAZ     6.0   0   FortiAnalyzer       Normal  Policy & Device VPNs  15.763                                             
124      enabled  FAC     5.0   5   FortiAuthenticator  Normal  Policy & Device VPNs  15.763                                             
112      enabled  FCH     4.0   2   FortiCache          Normal  Policy & Device VPNs  0.0                                                
104      enabled  FOC     6.0   0   FortiCarrier        Normal  Policy & Device VPNs  15.763                                             
114      enabled  FCT     6.0   0   FortiClient         Normal  Policy & Device VPNs  15.763                                             
122      enabled  FDD     5.0   0   FortiDDoS           Normal  Policy & Device VPNs  15.763                                             
106      enabled  FML     6.0   0   FortiMail           Normal  Policy & Device VPNs  15.763                                             
118      enabled  FMG     6.0   0   FortiManager        Normal  Policy & Device VPNs  15.763                                             
167      enabled  unknown 8.0   4   FortiNAC            Normal  Policy & Device VPNs  0.0                                                
126      enabled  FPX     1.0   1   FortiProxy          Normal  Policy & Device VPNs  0.0                                                
120      enabled  FSA     3.0   0   FortiSandbox        Normal  Policy & Device VPNs  0.0                                                
110      enabled  FWB     6.0   0   FortiWeb            Normal  Policy & Device VPNs  15.763                                             
116      enabled  LOG     0.0   0   Syslog              Normal  Policy & Device VPNs  15.763                                             
102      enabled  Chassis 6.0   0   Chassis             Normal  Policy & Device VPNs  15.763                                             
3        enabled  FOS     6.0   0   root                Normal  Central VPN Console   15.763                                             
10       enabled  FOS     6.0   0   Global              Normal  Policy & Device VPNs  15.763                                             
---End ADOM list---
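As an added example (not part of the original article), the following Python parses the 'diagnose dvm adom list' output above (a constructed, trimmed copy is embedded) and checks whether a FortiGate's firmware branch matches the ADOM it is about to be added to. The firmware strings and the check_device_adom helper are assumptions for illustration, not a FortiManager API.

```python
import re

# Constructed sample: a trimmed copy of the 'diagnose dvm adom list' output shown above.
ADOM_LIST_OUTPUT = """\
There are currently 18 ADOMs:
OID      STATE    PRODUCT OSVER MR  NAME                MODE    VPN MANAGEMENT        IPS
192      enabled  FOS     6.0   0   6_0_ADOM            Normal  Policy & Device VPNs  15.763
167      enabled  unknown 8.0   4   FortiNAC            Normal  Policy & Device VPNs  0.0
3        enabled  FOS     6.0   0   root                Normal  Central VPN Console   15.763
10       enabled  FOS     6.0   0   Global              Normal  Policy & Device VPNs  15.763
---End ADOM list---
"""

# One ADOM row: OID, STATE, PRODUCT, OSVER (major.minor), MR, NAME; header/trailer lines are skipped.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+)\s+(\d+)\s+(\S+)\s")
FW_RE = re.compile(r"^v?(\d+\.\d+)\.\d+")  # FortiOS version such as v6.0.9 -> branch 6.0


def parse_adom_list(output):
    """Return {adom_name: {"oid", "state", "product", "osver", "mr"}}."""
    adoms = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        oid, state, product, osver, mr, name = m.groups()
        adoms[name] = {"oid": int(oid), "state": state, "product": product,
                       "osver": osver, "mr": int(mr)}
    return adoms


def check_device_adom(adoms, adom_name, firmware):
    """Decide whether a FortiGate on `firmware` (e.g. 'v6.0.9') may be added to
    `adom_name`: the ADOM must be an enabled FortiOS (FOS) ADOM whose OSVER
    equals the firmware's major.minor branch. Returns (ok, reason)."""
    adom = adoms.get(adom_name)
    if adom is None:
        return False, f"ADOM {adom_name} not found"
    if adom["product"] != "FOS":
        return False, f"ADOM {adom_name} is a {adom['product']} ADOM, not a FortiOS ADOM"
    if adom["state"] != "enabled":
        return False, f"ADOM {adom_name} is {adom['state']}"
    m = FW_RE.match(firmware)
    if not m:
        return False, f"unrecognised firmware string {firmware!r}"
    branch = m.group(1)
    if branch != adom["osver"]:
        return False, f"firmware branch {branch} does not match ADOM version {adom['osver']}"
    return True, f"firmware branch {branch} matches ADOM {adom_name}"
```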
 
Make sure the connection between FortiManager and FortiGate is UP.
If the connection is down, installing the policy package will fail.
 
The following debug can be used to check the connection from FortiManager CLI:
 
diagnose debug application fgfmsd -1
 
Example:
diagnose debug reset
diagnose debug application fgfmsd -1

fgfmsd debug filter:    disable
diagnose debug enable
FMG # __start_tunnel_by_devlist,328: devid=194, admin=admin.
FGFMs(probing...): Create session 0x7f375bea9800.
FGFMs(FGVM01TM19001092-194-10.10.10.10): Connect to 10.10.10.10, local 10.10.10.50.
FGFMs: Load Cipher [HIGH:-NULL:-aNULL:@STRENGTH]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Connection was interrupted. sockevents[4] sslerr[0]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Cleanup session 0x7f375bea9800, 10.10.10.10.
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Destroy session 0x7f375bea9800, 10.10.10.10.
 
In this case, the connection between the FortiGate and FortiManager must be fixed before pushing any configuration or policy package to the FortiGate, so that the policy package status stays correct.
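As an added example, not from the original article, the Python below scans the fgfmsd debug lines shown above (embedded as a constructed sample, with the serial partly redacted as on the page) and reports, per device id, whether the FGFM tunnel attempt was interrupted, which is the case in which an install would fail. The summarize_fgfm_sessions and devices_down helpers and their field names are assumptions for illustration.

```python
import re

# Constructed sample: the fgfmsd debug output shown above (serial partly redacted as on the page).
FGFMSD_OUTPUT = """\
FMG # __start_tunnel_by_devlist,328: devid=194, admin=admin.
FGFMs(probing...): Create session 0x7f375bea9800.
FGFMs(FGVM01TM19001092-194-10.10.10.10): Connect to 10.10.10.10, local 10.10.10.50.
FGFMs: Load Cipher [HIGH:-NULL:-aNULL:@STRENGTH]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Connection was interrupted. sockevents[4] sslerr[0]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Cleanup session 0x7f375bea9800, 10.10.10.10.
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Destroy session 0x7f375bea9800, 10.10.10.10.
"""

# Session lines look like "FGFMs(<serial>-<devid>-<ip>): <message>"; the serial may itself
# contain dashes (redacted here), so the tag is split from the right.
SESSION_RE = re.compile(r"^FGFMs\((?P<tag>.+?)\): (?P<msg>.*)$")
INTERRUPT_RE = re.compile(r"Connection was interrupted\. sockevents\[(\d+)\] sslerr\[(\d+)\]")


def summarize_fgfm_sessions(output):
    """Group fgfmsd debug lines by device id and classify each tunnel attempt.
    status is "down" when the connection was interrupted, else "no-failure-seen"."""
    sessions = {}
    for line in output.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # tunnel-start, "FGFMs:" cipher lines carry no device tag
        parts = m["tag"].rsplit("-", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # e.g. "probing..." before the device is identified
        serial, devid, ip = parts
        s = sessions.setdefault(devid, {
            "serial": serial, "ip": ip, "connect_attempted": False,
            "interrupted": False, "sockevents": None, "sslerr": None,
            "status": "no-failure-seen"})
        if m["msg"].startswith("Connect to "):
            s["connect_attempted"] = True
        im = INTERRUPT_RE.search(m["msg"])
        if im:
            s["interrupted"] = True
            s["sockevents"], s["sslerr"] = int(im.group(1)), int(im.group(2))
            s["status"] = "down"
    return sessions


def devices_down(output):
    """Device ids whose FGFM tunnel was interrupted; an install to these would fail."""
    return sorted(d for d, s in summarize_fgfm_sessions(output).items() if s["status"] == "down")
```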
 
After all of the above is verified and the units are added to FortiManager, the import wizard offers two options when the policy package is imported for the first time: import all policies and objects, or import only the selected policies and the objects used by those policies.
 
  
The default is to import all policies and only the objects the policies depend on.
However, if 'import all objects' is chosen, the next time the policy package is installed FortiManager will install only the objects used by policies and will remove any unused objects (such as unused addresses and services) from the FortiGate.

At the end of the import wizard, verify that the import task is successful by checking the import summary:
 
 
If any objects or policies are not imported, download the import summary and check the 'objects/policies not imported' section.
 
The policy package status can be one of the following:
 
  1. Imported: A policy package has been imported from the FortiGate and a green checkmark is shown.
 
  2. Modified: Changes have been made to the policy package on FortiManager and have not been installed to the FortiGate(s) yet.

    Installing the policy package changes to the FortiGate(s) will sync the package again.
 
  3. Out-of-sync: Changes have been made to the policies directly on the FortiGate.

    In this case, one of the following can be done:

  • Install to sync the policy package again (if the FortiManager policy package is the most up to date and is the one the user wants to keep).
  • A manual Import Policy step is required to import the device database firewall policy and object changes into the ADOM database (if the FortiGate policies and objects are the most up to date).
 
  4. Installed: The policy package has been installed on the FortiGate(s).
 
  5. Never Installed: There is no policy package for this unit.

    Either policies and objects have not been imported yet, or no policy package has been assigned to this unit.
 
  6. Conflict: Changes have been made to the policies or policy objects on both sides (FortiGate and FortiManager).

    A manual import policy or install operation has to be performed to clear the Conflict status.
 
  7. Unknown: FortiManager is unable to determine whether the retrieved FortiGate configuration changes concerned firewall policies or objects. This occurs when the policy package and the configuration are changed on both sides and the configuration is retrieved afterwards.

    An install or import policy operation is required to synchronize the policy package database with the device database.
 
 
Conclusion

FortiManager has two databases:
 
  1. Device Database: all configuration that can be seen under 'Device Manager'.
  2. ADOM Database: all configuration that can be seen under 'Policy & Objects'.

Note:
Not all configuration options are available on the GUI by default and need to be applied from the Tools -> Display Options menu, which can be found under each section.
  
 
Some other options will be configured only under 'CLI Configuration' or under 'CLI Only Objects', which can be enabled under each section from Tools -> Display Options.
 
  • All configuration is saved in the device DB; only the policy & objects configuration has to be copied to the ADOM DB.
  • If the configuration is changed on the FortiGate directly while it is managed by FortiManager, the configuration is updated automatically in the FortiManager device DB, and the config status shows as 'auto-updated'. There is no need to perform any action on FortiManager, as these changes are saved to the device DB on FortiManager automatically.
  • However, if a policy or an object is changed on the FortiGate directly, it is necessary to import the policy package again to update the FortiManager ADOM DB with the new changes.
  • The configuration is pushed from the FortiGate to the FortiManager device DB, while policies and objects have to be pushed from the device DB to the ADOM DB by importing.
    Otherwise, if policy and object changes are made directly on the FortiGate, further policy and object changes are then made on FortiManager, and an install is performed, the configuration that was added directly on the FortiGate will be replaced by the installation process, because those changes are not in the FortiManager ADOM DB.
  • Configuration changes made on FortiManager are NOT installed on the FortiGates automatically. The configuration is pushed to the FortiGates only after the install action is performed from FortiManager.
  • Under Device Manager, there are two columns: config status and policy package status.
  • If the green checkmark is visible under config status, regardless of whether it reads synchronized or auto-updated, the FortiManager device DB matches the FortiGate configuration. If the configuration differs, an install or retrieve is required to get back to the correct status, depending on which configuration is the most accurate and up to date.
  • If the green checkmark is visible under policy package status, the policy package in the FortiManager ADOM DB matches the FortiGate policies and objects. If they differ, an install or import is required to get back to the correct status, depending on which configuration is the most accurate and up to date.

 

Related documents: