Description
This article describes how to check, verify and fix the different policy package statuses in FortiManager.
Solution
Compatibility between FortiManager and the FortiGates has to be verified before adding the FortiGates to FortiManager or pushing any configuration from FortiManager.
Review the compatibility document, which can be found at the following link under FortiManager -> Release Information -> Compatibility.
The ADOM version must match the firmware branch of the managed FortiGates.
For example, FortiGates running v6.0.x firmware must be added to a v6.0 ADOM.
The ADOM version can be verified from the GUI or the CLI:
GUI:
CLI:
# diagnose dvm adom list
There are currently 18 ADOMs:
OID  STATE    PRODUCT  OSVER  MR  NAME                MODE    VPN MANAGEMENT        IPS
192  enabled  FOS      6.0    0   6_0_ADOM            Normal  Policy & Device VPNs  15.763
108  enabled  FAZ      6.0    0   FortiAnalyzer       Normal  Policy & Device VPNs  15.763
124  enabled  FAC      5.0    5   FortiAuthenticator  Normal  Policy & Device VPNs  15.763
112  enabled  FCH      4.0    2   FortiCache          Normal  Policy & Device VPNs  0.0
104  enabled  FOC      6.0    0   FortiCarrier        Normal  Policy & Device VPNs  15.763
114  enabled  FCT      6.0    0   FortiClient         Normal  Policy & Device VPNs  15.763
122  enabled  FDD      5.0    0   FortiDDoS           Normal  Policy & Device VPNs  15.763
106  enabled  FML      6.0    0   FortiMail           Normal  Policy & Device VPNs  15.763
118  enabled  FMG      6.0    0   FortiManager        Normal  Policy & Device VPNs  15.763
167  enabled  unknown  8.0    4   FortiNAC            Normal  Policy & Device VPNs  0.0
126  enabled  FPX      1.0    1   FortiProxy          Normal  Policy & Device VPNs  0.0
120  enabled  FSA      3.0    0   FortiSandbox        Normal  Policy & Device VPNs  0.0
110  enabled  FWB      6.0    0   FortiWeb            Normal  Policy & Device VPNs  15.763
116  enabled  LOG      0.0    0   Syslog              Normal  Policy & Device VPNs  15.763
102  enabled  Chassis  6.0    0   Chassis             Normal  Policy & Device VPNs  15.763
3    enabled  FOS      6.0    0   root                Normal  Central VPN Console   15.763
10   enabled  FOS      6.0    0   Global              Normal  Policy & Device VPNs  15.763
---End ADOM list---
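The ADOM check above can be automated. The following is an added example, not FortiManager code: it parses a whitespace-separated excerpt of the `diagnose dvm adom list` output (constructed from the rows above) and checks that a FortiGate's firmware branch matches the OSVER of an enabled FOS ADOM. The ADOM list text, the function names and the firmware strings are assumptions for this example.

```python
import re

# Excerpt of the `diagnose dvm adom list` output shown above (constructed sample for this example).
ADOM_LIST = """\
There are currently 18 ADOMs:
OID STATE PRODUCT OSVER MR NAME MODE VPN MANAGEMENT IPS
192 enabled FOS 6.0 0 6_0_ADOM Normal Policy & Device VPNs 15.763
124 enabled FAC 5.0 5 FortiAuthenticator Normal Policy & Device VPNs 15.763
3 enabled FOS 6.0 0 root Normal Central VPN Console 15.763
10 enabled FOS 6.0 0 Global Normal Policy & Device VPNs 15.763
---End ADOM list---
"""

# A data row starts with a numeric OID, then STATE, PRODUCT, OSVER (x.y), MR and NAME.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+)\s+(\d+)\s+(\S+)")


def parse_adom_list(text):
    """Map each ADOM name to its OID, state, product code, OSVER and MR; header and footer
    lines do not match the row pattern and are skipped. Assumes names contain no spaces."""
    adoms = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            oid, state, product, osver, mr, name = m.groups()
            adoms[name] = {"oid": int(oid), "state": state, "product": product,
                           "osver": osver, "mr": int(mr)}
    return adoms


def check_adom_for_fortigate(adoms, adom_name, firmware):
    """Return (ok, reason): a FortiGate on vX.Y.Z belongs in an enabled FOS ADOM with OSVER X.Y."""
    adom = adoms.get(adom_name)
    if adom is None:
        return False, f"ADOM {adom_name!r} does not exist"
    if adom["state"] != "enabled":
        return False, f"ADOM {adom_name!r} is {adom['state']}"
    if adom["product"] != "FOS":
        return False, f"ADOM {adom_name!r} is a {adom['product']} ADOM, not a FortiGate (FOS) ADOM"
    branch = ".".join(firmware.lstrip("v").split(".")[:2])   # "v6.0.5" -> "6.0"
    if adom["osver"] != branch:
        return False, f"firmware {firmware} is branch {branch}, ADOM {adom_name!r} is {adom['osver']}"
    return True, f"firmware {firmware} matches ADOM {adom_name!r} (OSVER {adom['osver']})"


if __name__ == "__main__":
    adoms = parse_adom_list(ADOM_LIST)
    for adom, fw in [("6_0_ADOM", "v6.0.5"), ("6_0_ADOM", "v6.2.1"), ("FortiAuthenticator", "v6.0.5")]:
        print(adom, fw, *check_adom_for_fortigate(adoms, adom, fw))
```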
Make sure the connection between FortiManager and the FortiGate is UP.
If the connection is down, installing the policy package will fail.
The following debug can be used to check the connection from the FortiManager CLI:
# diagnose debug application fgfmsd -1
Example:
# diagnose debug reset
# diagnose debug application fgfmsd -1
fgfmsd debug filter: disable
# diagnose debug enable
FMG # __start_tunnel_by_devlist,328: devid=194, admin=admin.
FGFMs(probing...): Create session 0x7f375bea9800.
FGFMs(FGVM01TM19001092-194-10.10.10.10): Connect to 10.10.10.10, local 10.10.10.50.
FGFMs: Load Cipher [HIGH:-NULL:-aNULL:@STRENGTH]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Connection was interrupted. sockevents[4] sslerr[0]
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Cleanup session 0x7f375bea9800, 10.10.10.10.
FGFMs(FGVM01TM19-----2-194-10.10.10.10): Destroy session 0x7f375bea9800, 10.10.10.10.
In this case, the connection between the FortiGate and FortiManager must be fixed before pushing any configuration or policy package to the FortiGate, in order to maintain a proper policy package status.
After all of the above is verified and the units are added to FortiManager, the import wizard offers two options when importing the policy package for the first time: import all policies and objects, or import the selected policies together with only the objects used by those policies.
The default is to import all policies and only the objects the policies depend on.
However, if 'import all objects' is chosen, on the next policy package installation FortiManager will install only the objects used by policies and will remove any unused objects (such as unused addresses and services) from the FortiGate.
At the end of the import wizard, verify that the import task is successful by checking the import summary:
If any objects or policies are not imported, download the import summary and check the 'objects/policies not imported' list to see which ones were skipped.
Policy package status can be one of the following.
1) Imported: The policy package has been imported from the FortiGate and shows a green checkmark.
2) Modified: Changes have been made to the policy package on FortiManager and have not yet been installed to the FortiGate(s):
Installing the policy package changes to the FortiGate(s) will sync the package again.
3) Out-of-sync: Changes have been made to the policies directly on the FortiGate.
In this case, one of the following can be done:
- Install to sync the policy package again (if the FortiManager policy package is the most up to date and is the one the user wants to keep).
- A manual Import Policy step is required to import the device database firewall policy and object changes into the ADOM database (if the FortiGate policies and objects are the most up to date).
4) Installed: The policy package has been installed on the FortiGate(s).
5) Never Installed: There is no policy package for this unit.
Either the policies and objects have not been imported yet, or no policy package is assigned to this unit.
6) Conflict: Changes have been made to the policies or policy objects on both sides (FortiGate and FortiManager):
A manual import policy or install operation has to be performed to remove the Conflict status.
7) Unknown: FortiManager is unable to determine whether the retrieved FortiGate configuration changes concerned firewall policies or objects. This happens when the policy package and the configuration change on both sides and the configuration is then retrieved:
An install or import policy operation will be required to synchronize the policy package database with the unit's device database.
Conclusion.
FortiManager has two databases:
1) Device Database: all configuration that can be done under the 'Device Manager'.
2) ADOM Database: all configuration that can be done under the 'Policy & Objects'.
Note:
Not all configuration options are available in the GUI by default; the remaining ones need to be enabled from the Tools -> Display Options menu, which can be found under each section.
Some other options can be configured only under 'CLI Configuration' or under 'CLI Only Objects', which can be enabled under each section from Tools -> Display Options.
- All configuration is saved in the device DB; only the policy & objects configuration has to be copied to the ADOM DB.
- If the configuration is changed directly on the FortiGate while it is managed by FortiManager, the configuration will be updated automatically in the FortiManager device DB, and the config status will show as 'auto-updated'.
So no action is needed on FortiManager, as the changes are saved to the unit's device DB on FortiManager automatically.
- However, if a policy or an object is changed directly on the FortiGate, it is necessary to import the policy package again to update the FortiManager ADOM DB with the new changes.
- The configuration is pushed from the FortiGate to the FortiManager device DB, while policies and objects have to be pushed from the device DB to the ADOM DB by importing.
Otherwise, if policy and object changes have been made directly on the FortiGate, followed by policy and object changes on FortiManager and then an installation, the configuration that was added directly to the FortiGate will be replaced by the installation process, because those changes are not in the FortiManager ADOM DB.
- Configuration changes made on FortiManager will NOT be installed on the FortiGates automatically.
The configuration will be pushed to the FortiGates only after the install action is performed from FortiManager.
- Under Device Manager, there are two columns: config status and policy package status.
- If the green checkmark is visible under config status, whether it reads synchronized or auto-updated, the FortiManager device DB matches the FortiGate configuration.
If it differs, an install or retrieve is required to get back to the correct status, depending on which configuration is the most up to date and correct.
- If the green checkmark is visible under policy package status, it means the device DB matches the ADOM DB.
If it differs, an install or import is required to get back to the correct status, depending on which configuration is the most up to date and correct.
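The status list and the two-database notes above can be turned into a small working model. The following is an added illustration, not FortiManager code: a toy class that keeps a device DB and an ADOM DB per unit, applies change/import/install the way the article describes, and derives the policy package status from which side has unsynced changes. The class, method and status-field names are assumptions for this example; the status strings are the article's own.

```python
from dataclasses import dataclass, field


@dataclass
class ManagedFortiGate:
    """Toy model (not FortiManager code) of the article's two databases and status names;
    the device DB stands in for the FortiGate, which the article says auto-updates it."""
    device_db: dict = field(default_factory=dict)   # Device Manager DB (mirrors the FortiGate)
    adom_db: "dict | None" = None                   # Policy & Objects DB; None until imported or assigned
    adom_changed: bool = False                      # edited on FortiManager, not yet installed
    fgt_changed: bool = False                       # edited directly on the FortiGate, not yet imported
    last_sync: str = "Never Installed"

    def change_on_fortigate(self, policy_id, rule):
        self.device_db[policy_id] = rule            # device DB auto-updates; the ADOM DB does not
        self.fgt_changed = True

    def change_on_fortimanager(self, policy_id, rule):
        if self.adom_db is None:
            raise RuntimeError("no policy package assigned to this unit")
        self.adom_db[policy_id] = rule
        self.adom_changed = True

    def import_policy(self):
        self.adom_db = dict(self.device_db)         # device DB -> ADOM DB: FortiGate-side edits are kept
        self.adom_changed = self.fgt_changed = False
        self.last_sync = "Imported"

    def install(self):
        if self.adom_db is None:
            raise RuntimeError("nothing to install: package never imported or assigned")
        self.device_db = dict(self.adom_db)         # ADOM DB -> FortiGate: un-imported edits are overwritten
        self.adom_changed = self.fgt_changed = False
        self.last_sync = "Installed"

    def policy_package_status(self):
        if self.adom_db is None:
            return "Never Installed"
        if self.adom_changed and self.fgt_changed:
            return "Conflict"
        if self.adom_changed:
            return "Modified"
        return "Out-of-sync" if self.fgt_changed else self.last_sync


def install_without_import(unit):
    unit.change_on_fortigate(2, "allow dns")        # added directly on the unit, never imported
    unit.change_on_fortimanager(3, "allow https")   # both sides changed: status is Conflict
    unit.install()                                  # ADOM DB wins: policy 2 is lost, 3 is present
    return unit.device_db
```

Running `install_without_import` on a freshly imported unit reproduces the overwrite case described above; importing again before the install keeps the FortiGate-side policy.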
Related documents:
Technical Tip: How to troubleshoot the 'copy' error while installing a policy
Technical Tip: How to fix synchronization issues in FortiManager