New Contributor

FortiManager - Push multiple policy packages at the same time

Hello guys,

I tried to research the info but I can't find it. Hope you have the answer.

Context: I have one policy package per FortiGate. For example, 10 FortiGates, so 10 policy packages. In each policy package, I have some blacklist policies with the same group objects. If I update the group, it will change the policy package state of all devices, which is the normal behaviour. My issue is that I have to install each policy package one by one, and I can't find a way to push everything at the same time.

So my question: is it possible to do it, or is there an option to enable?

Esteemed Contributor II

I don't think you can install multiple packages or even just choose them at a time. It's one by one.
If you want to make the selection one time and then install all at the same time, you need to combine those packages into one by using normalized interfaces - commonalized interface names, dynamic objects - like changing an IP subnet/address per device with one name, and "Install On" per policy - you can specify what devices that particular policy should be installed on.




There is a way to push multiple policy packages at the same time.


In the below example I have Branch1/2/3 using the BRANCHES policy package and Branch4 using the BRANCHES-SW-AP package. As you can see they have all had changes made that need to be pushed to the FGTs.


So you select/tick all the FGTs you want to install the new updates to, and select Install > Re-install Policy:



After that you'll see the install page which will let you preview what will be installed. Just select Next:



Now the policies for both policy packages will be installed in their relevant FGTs:



Once finished, if everything went fine, you should get OK status for all:


Esteemed Contributor II

I had been wondering in what situations those checkboxes are useful. Now I got the answer. Thanks!


Honored Contributor

If you have identical objects in all policy packages, you might want to consider moving those to the global ADOM. So you would have to change them only once and just assign the changes to your policy packages.

Or even think about whether you do need a separate policy package for each FGT. Many things can be solved using mappings in FMG.

I do it this way here for over 20 FGTs in different towns. They are all connected to us with IPSec, and I use the global ADOM for objects and profiles they all have in common and one default policy package that has per-device mappings for all FGTs.

Even if you do not need a policy on all FGTs, you could set installation targets in the policy manager so it will only be deployed where you set it up.


"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams