Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zoriax
Contributor

FortiManager delete FortiGate local users

Hello everyone !

 

I need your help today. I have a FortiGate managed by FortiManager.

I added some user in my FortiGate (User & Authentication > User Definition), I retrieved the configuration in my FortiManager. Now all is correct. But, if I push a policy package or update it, all my local users are deleted ! Why and how can I prevent this behaviour ? 

 

Thanks

2 Solutions
sw2090
Honored Contributor

AFAIR, retrieve config only works for device config. There is no way to retrieve the policy package. You will have to add your users in FMG and deploy them to the FGT.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams


Toshi_Esumi
Esteemed Contributor III

The exact mechanism is as below:

- Unless you changed the default behavior of FMG not to retrieve config changes made directly on the FGT devices, the new local users you configured on the device are auto-retrieved by FMG, and it created a new revision of the device config in the device DB.

- When you manually retrieved, it must have created another revision (you can check them in the revision history).

- At that time, you must have seen the policy package that includes the local user config as one of the objects in the package go out of sync, because that doesn't match the retrieved device config.

- When you re-applied the existing policy package, the existing (in the package) policies + user groups (including those local users) obviously didn't include your new user(s); therefore they were removed in the device DB and then at the device.

 

To prevent that, or rather what you should always be doing, is this: whenever you push either device config or a policy package etc. from FMG, check "Install Preview" to see what would actually change with the push. At that point you should be able to realize that your new users or other config would be removed if you hit the "Next" button, and back off.

 

After backing off, you have to configure the objects (local users) in the policy package to match what you configured on the device. Then check Install Preview again and adjust further until you're satisfied, and finally push the NEW policy package.

 

After all of this, you've now learned you shouldn't have added users at the device but should have added them under Policy & Objects on the FMG side, because they are a part of your policy package.

 

Toshi

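The workflow described in the answer above (add the local user to the ADOM object database rather than on the FortiGate, run Install Preview, and refuse to install if the preview would delete users) can be scripted against the FortiManager JSON-RPC API. The block below is an added example, not code from the thread or from Fortinet. The JSON-RPC URLs for login, ADOM objects and install preview are the documented FortiManager endpoints; the hostname, ADOM and device names are assumptions, the sample preview text is constructed, and treating the preview result's message as FortiOS-style CLI is an assumption you should confirm against your own FMG version.

```python
"""FortiManager JSON-RPC helpers: add a local user to the ADOM object DB and
check an install preview for deletions before installing a policy package.

Added example, not from the forum thread or from Fortinet. The JSON-RPC URLs
are the FortiManager-documented ones; FMG_HOST, ADOM, DEVICE and the sample
preview text are assumptions/constructed data."""
import json
import ssl
import urllib.request

FMG_HOST = "fmg.example.net"   # assumed FortiManager hostname
ADOM = "root"                  # assumed ADOM name
DEVICE = "FGT-BRANCH-01"       # assumed managed device name in FMG


def rpc_request(method, url, data=None, session=None, rid=1):
    """Build one FortiManager JSON-RPC request body."""
    params = {"url": url}
    if data is not None:
        params["data"] = data
    body = {"id": rid, "method": method, "params": [params]}
    if session is not None:
        body["session"] = session
    return body


def login_request(user, passwd):
    return rpc_request("exec", "/sys/login/user", {"user": user, "passwd": passwd})


def add_local_user_request(session, name, passwd):
    # Local users are Policy & Objects items, so they are created in the ADOM
    # object database (pm/config/adom/.../obj), never directly on the FortiGate.
    return rpc_request("add", f"/pm/config/adom/{ADOM}/obj/user/local",
                       {"name": name, "type": "password", "passwd": passwd}, session)


def install_preview_request(session):
    # Starts an install preview task for the device; the result is fetched separately.
    return rpc_request("exec", "/securityconsole/install/preview",
                       {"adom": ADOM, "device": [DEVICE], "flags": ["none"]}, session)


def preview_result_request(session):
    return rpc_request("exec", "/securityconsole/preview/result",
                       {"adom": ADOM, "device": DEVICE}, session)


def post(body, verify_tls=True):
    """Send a request to the FMG JSON-RPC endpoint and return the parsed reply."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only acceptable on a lab box with a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{FMG_HOST}/jsonrpc",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def find_deletions(preview_cli):
    """Walk FortiOS-style CLI from an install preview and return
    {config section: [deleted entry names]}, e.g. {"user local": ["jdoe"]}."""
    stack, deletions = [], {}
    for raw in preview_cli.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("delete ") and stack:
            name = line[len("delete "):].strip().strip('"')
            deletions.setdefault(stack[-1], []).append(name)
    return deletions


def preview_is_safe(preview_cli, protected=("user local", "user group")):
    """False if the push would delete entries from any protected section."""
    return not any(sec in find_deletions(preview_cli) for sec in protected)


# Constructed sample of what a preview looks like when the package lacks users
# that exist on the device: the push would delete them.
SAMPLE_PREVIEW = """\
config user local
    delete "jdoe"
    delete "asmith"
end
config user group
    edit "vpn-users"
        set member "alice"
    next
end
config firewall policy
    edit 3
        set comments "managed by FMG"
    next
end
"""


def guarded_install(session, preview_cli):
    """Return the deletions found; an empty dict means the install may proceed."""
    return {} if preview_is_safe(preview_cli) else find_deletions(preview_cli)
```

Against a live FortiManager the order is: `post(login_request(...))` to get a session, `post(add_local_user_request(...))` for each user so the object DB matches the device, `post(install_preview_request(...))`, then `post(preview_result_request(...))` and feed its message text to `guarded_install`; only when that returns an empty dict would you go on to the actual install. The parser only recognises `config`/`end`/`delete`, which is enough to catch the "users vanish on push" case from this thread; extend it if you also want to flag `unset member` on groups.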

3 REPLIES
zoriax
Contributor

Hi ! 

 

Many thanks for the explanations :) ! It's what I suspected :)
