Created on 03-05-2020 02:10 AM
Edited on 04-02-2025 02:37 AM
By Jean-Philippe_P
Description
This article describes how to check, verify and fix the different policy package statuses.
Scope
FortiManager.
Solution
Compatibility between FortiManager and FortiGates has to be verified using the compatibility tool before adding the FortiGates to FortiManager or pushing any configuration from FortiManager.
Review the compatibility document, which can be found on the following link under (FortiManager -> Release Information -> Compatibility).
The ADOM version must match the firmware branch of the managed FortiGates.
For example, if a FortiGate is running a v6.0.x firmware version, it has to be added to a v6.0 ADOM.
ADOM version can be verified from GUI or CLI:
GUI:

CLI (output of 'diagnose dvm adom list'):
There are currently 18 ADOMs:
OID STATE PRODUCT OSVER MR NAME MODE VPN MANAGEMENT IPS
192 enabled FOS 6.0 0 6_0_ADOM Normal Policy & Device VPNs 15.763
108 enabled FAZ 6.0 0 FortiAnalyzer Normal Policy & Device VPNs 15.763
124 enabled FAC 5.0 5 FortiAuthenticator Normal Policy & Device VPNs 15.763
112 enabled FCH 4.0 2 FortiCache Normal Policy & Device VPNs 0.0
104 enabled FOC 6.0 0 FortiCarrier Normal Policy & Device VPNs 15.763
114 enabled FCT 6.0 0 FortiClient Normal Policy & Device VPNs 15.763
122 enabled FDD 5.0 0 FortiDDoS Normal Policy & Device VPNs 15.763
106 enabled FML 6.0 0 FortiMail Normal Policy & Device VPNs 15.763
118 enabled FMG 6.0 0 FortiManager Normal Policy & Device VPNs 15.763
167 enabled unknown 8.0 4 FortiNAC Normal Policy & Device VPNs 0.0
126 enabled FPX 1.0 1 FortiProxy Normal Policy & Device VPNs 0.0
120 enabled FSA 3.0 0 FortiSandbox Normal Policy & Device VPNs 0.0
110 enabled FWB 6.0 0 FortiWeb Normal Policy & Device VPNs 15.763
116 enabled LOG 0.0 0 Syslog Normal Policy & Device VPNs 15.763
102 enabled Chassis 6.0 0 Chassis Normal Policy & Device VPNs 15.763
3 enabled FOS 6.0 0 root Normal Central VPN Console 15.763
10 enabled FOS 6.0 0 Global Normal Policy & Device VPNs 15.763
---End ADOM list---
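The branch check described above (FortiGate v6.0.x must go into a v6.0 ADOM) can be automated against the ADOM list output. This is an added example, not part of the original article or of FortiManager itself; the sample output is a constructed subset of the list shown above, and the firmware version string format is assumed to be the usual 'vX.Y.Z,buildNNNN' form.

```python
import re

# Constructed sample: a subset of the 'diagnose dvm adom list' output shown above.
ADOM_LIST_OUTPUT = """\
There are currently 18 ADOMs:
OID STATE PRODUCT OSVER MR NAME MODE VPN MANAGEMENT IPS
192 enabled FOS 6.0 0 6_0_ADOM Normal Policy & Device VPNs 15.763
108 enabled FAZ 6.0 0 FortiAnalyzer Normal Policy & Device VPNs 15.763
3 enabled FOS 6.0 0 root Normal Central VPN Console 15.763
10 enabled FOS 6.0 0 Global Normal Policy & Device VPNs 15.763
---End ADOM list---
"""

# Only the leading fixed columns are captured; the free-text VPN MANAGEMENT column is skipped.
ROW_RE = re.compile(
    r"^(?P<oid>\d+)\s+(?P<state>\w+)\s+(?P<product>\S+)\s+"
    r"(?P<osver>\d+\.\d+)\s+(?P<mr>\d+)\s+(?P<name>\S+)\s+(?P<mode>\w+)\s"
)


def parse_adom_list(output):
    """Return {adom_name: row_fields} for every ADOM row between the header and the end marker."""
    adoms = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            adoms[row["name"]] = row
    return adoms


def firmware_branch(version):
    """'v6.0.9,build0303,200421 (GA)' -> '6.0': major.minor is the ADOM branch."""
    m = re.match(r"v?(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised firmware version: %r" % version)
    return "%s.%s" % (m.group(1), m.group(2))


def check_adom_for_device(adoms, adom_name, device_version):
    """Return (ok, reason): ok is True only if the ADOM is a FortiOS ADOM on the device's branch."""
    adom = adoms.get(adom_name)
    if adom is None:
        return False, "ADOM %s not found" % adom_name
    if adom["product"] != "FOS":
        return False, "ADOM %s is a %s ADOM, not a FortiOS ADOM" % (adom_name, adom["product"])
    branch = firmware_branch(device_version)
    if adom["osver"] != branch:
        return False, "device branch %s does not match ADOM version %s" % (branch, adom["osver"])
    return True, "device branch %s matches ADOM %s" % (branch, adom_name)
```

Run the check before adding a device or pushing any configuration; a False result means the FortiGate belongs in a different ADOM.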
diagnose debug application fgfmsd -1
fgfmsd debug filter: disable
diagnose debug enable
FGFMs(probing...): Create session 0x7f375bea9800.
FGFMs(FGVM01TM19001092-194-10.10.10.10): Connect to 10.10.10.10, local 10.10.10.50.
FGFMs: Load Cipher [HIGH:-NULL:-aNULL:@STRENGTH]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Connection was interrupted. sockevents[4] sslerr[0]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Cleanup session 0x7f375bea9800, 10.10.10.10.
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Destroy session 0x7f375bea9800, 10.10.10.10.

At the end of the import wizard, verify that the import task is successful by checking the import summary:

Note: If an AP Manager and/or FortiSwitch Manager is being used for managing FortiAPs and FortiSwitches within FortiManager, that configuration will not be imported from the FortiGates when only the policy package is imported. To ensure that the correct configuration is imported from the devices and that the FortiManager database is up to date, select Import AP Profile or FortiSwitch Templates during the import process.
- Imported: A policy package has been imported from FortiGate, and a green checkmark is shown.

- Modified: Changes have been made to the policy package on FortiManager and not yet installed to the FortiGate(s):
Install the policy package changes to the FortiGate(s) and sync the package again.

- Out-of-sync: Changes have been made to the policies directly on the FortiGate.
In this case, one of the following can be done:
- Install to sync the policy package again (if the FortiManager policy package is the most updated and it is the one that the user wants to keep).
- A manual Import Policy step is required to import the device database firewall policy and object changes into the ADOM database (if the FortiGate policies and objects are the most updated).

- Installed: The policy package has been installed on the FortiGate(s).

- Never Installed: There is no policy package for this unit.
Either policies and objects have not been imported yet, or no policy package has been assigned for this unit.

- Conflict: Changes have been made to the policies or policy objects on both sides (FortiGate and FortiManager):
A manual import policy or install operation has to be performed to remove the Conflict status.

- Unknown: FortiManager is unable to determine whether the retrieved FortiGate configuration changes concerned firewall policies or objects. This occurs when the policy package and configuration are changed on both sides, and the configuration is retrieved after.
An install or import policy operation will be required to synchronize the policy package database with the unit manager.

FortiManager has two databases:
- Device Database: all configurations that can be seen under 'Device Manager'.
- ADOM Database: all configurations that can be seen under 'Policy & Objects'.
Note:

- All configuration is saved in the device DB; only the policy & objects configuration has to be copied to the ADOM DB.
- If the configuration is changed directly on the FortiGate while it is managed by FortiManager, the change is updated automatically in the FortiManager device DB, and the config status shows as 'auto-updated'.
There is no need to perform any action on FortiManager, as these changes are saved to the unit database on FortiManager automatically.
- However, if a policy or an object is changed directly on the FortiGate, it is necessary to import the policy package again to update the FortiManager ADOM database with the new changes.
- Configuration is pushed from the FortiGate to the FortiManager device database, while policies and objects have to be pushed from the device database to the ADOM database by importing.
Otherwise, if policy and object changes are made directly on the FortiGate, further policy and object changes are then made on FortiManager, and an installation is performed, the configuration that was added directly on the FortiGate is replaced by the installation, because those changes are not in the FortiManager ADOM database.
- Configuration changes made on FortiManager are not installed on the FortiGates automatically. The configuration is pushed to the FortiGates only after the install action is performed from FortiManager.
- Under Device Manager, there are two columns: Config Status and Policy Package Status.
- If a green checkmark is visible under Config Status, whether it reads 'synchronized' or 'auto-update', the FortiManager device database matches the FortiGate configuration. If they differ, an install or retrieve is required to get back to the correct status, depending on which configuration is the most accurate and up to date.
- If a green checkmark is visible under Policy Package Status, the policy package in the FortiManager ADOM database matches the device database. If they differ, an install or import is required to get back to the correct status, depending on which configuration is the most accurate and up to date.
Related articles:
Technical Tip: How to troubleshoot the 'copy' error while install Policy
Technical Tip: How to fix synchronization issue in FortiManager
Technical Tip: Configuration import from the device to the ADOM DB / Policy & Objects
Troubleshooting Tip: FortiGate is Out-of-sync in the Device Manager