117 ADOMs ~ 326 policy packages. BTW Fortinet didn't recommend configuration retrieval or any database import in 6.2.x. Reason being the database cannot properly handle certain UIDs. This means you have to give your best to configure everything over FMG (use CLI-only objects if you have to), but avoid any imports whatsoever. Any thoughts on this?
Very nice. I assume you are a managed service provider? I understand why Fortinet recommends that as a best practice. Starting fresh and creating new from the Manager is definitely the best approach. I have never ran into the UID issue though so I can't speak specifically to that reasoning. So perhaps there are use cases where that is more prevalent. I find that organizations are usually low on time (either through mismanagement of time, procedure, or other circumstances). Usually, they are just trying to get devices into the Manager as quickly as possible so they can then control solely from that single point. That gives them the consolidation of control and they can then work on the new proper policy they wish to move to in the long term as time allows. I can say in the situations I have been in, that I have had great success with both methods. Prefer starting fresh to keep everything as clean as possible but certainly have my fair share of import and go type situations!
Now you're talking!!! This is quickly becoming a regular tasks I am having to perform. This helps tremendously!! Importing, exporting from both FortiGate and FortiManager and vice versa. Next question comes in how to identify dynamic objects so when importing a config to a spoke we don't break those on the spoke node? Great video! Thanks!!
When importing policy, FMG will automatically creates per device mapping for dynamic objects like interface, address group if they already exist on FMG. However, for security policy profiles you will have to select whether to use the one on FGT or FMG if they have the same profile name but different config like Mike shows at 4:35 of this tutorial. I would not recommend automatically import as it will overwrites security policies on FMG which might have been used by policy package for other FGT device.
Hey. Maybe not directly relevant to the video per se. But my import fails because of interface binding erros for some firewall objects. I need to import quite a few fortigates. Some have 4 vdoms who all have objects with the same names and values but a different interface bindings in each vdom. I am thinking about just using a script to run "unset associated-interface" on all objects with a binding conflict. Since this is something u cannot do in the GUI I feel like I might break stuff by doing this. Is there a reason this is not allowed in the GUI ? Or is this some sort of safety net ? Just discovered your channel and already added quite a few videos to the watch later playlist. Thanks for the videos.
Can you make a video for the FortiSwitch managed by Fortimanager? and if the FortiSwitch is managed by Fortigate; do I have to break this link to manage it by fortimanager?
Do you run a FortiManager? How many different policy packages do you have in yours?!?
117 ADOMs ~ 326 policy packages. BTW Fortinet didn't recommend configuration retrieval or any database import in 6.2.x. Reason being the database cannot properly handle certain UIDs. This means you have to give your best to configure everything over FMG (use CLI-only objects if you have to), but avoid any imports whatsoever. Any thoughts on this?
Very nice. I assume you are a managed service provider?
I understand why Fortinet recommends that as a best practice. Starting fresh and creating new from the Manager is definitely the best approach. I have never ran into the UID issue though so I can't speak specifically to that reasoning. So perhaps there are use cases where that is more prevalent.
I find that organizations are usually low on time (either through mismanagement of time, procedure, or other circumstances). Usually, they are just trying to get devices into the Manager as quickly as possible so they can then control solely from that single point. That gives them the consolidation of control and they can then work on the new proper policy they wish to move to in the long term as time allows. I can say in the situations I have been in, that I have had great success with both methods. Prefer starting fresh to keep everything as clean as possible but certainly have my fair share of import and go type situations!
Now you're talking!!!
This is quickly becoming a regular tasks I am having to perform.
This helps tremendously!!
Importing, exporting from both FortiGate and FortiManager and vice versa.
Next question comes in how to identify dynamic objects so when importing a config to a spoke we don't break those on the spoke node?
Great video!
Thanks!!
Thanks Michael. Our videos will get pretty in-depth on this. So I'll try to cover all the bases :)
When importing policy, FMG will automatically creates per device mapping for dynamic objects like interface, address group if they already exist on FMG. However, for security policy profiles you will have to select whether to use the one on FGT or FMG if they have the same profile name but different config like Mike shows at 4:35 of this tutorial. I would not recommend automatically import as it will overwrites security policies on FMG which might have been used by policy package for other FGT device.
Can you do a video on running scripts from FM and the gotchas to look out for? and one on security profiles from FM? Thanks
kindly make tutorial on Import Profiles from FortiGate in EMS
Hey. Maybe not directly relevant to the video per se. But my import fails because of interface binding erros for some firewall objects. I need to import quite a few fortigates. Some have 4 vdoms who all have objects with the same names and values but a different interface bindings in each vdom. I am thinking about just using a script to run "unset associated-interface" on all objects with a binding conflict. Since this is something u cannot do in the GUI I feel like I might break stuff by doing this. Is there a reason this is not allowed in the GUI ? Or is this some sort of safety net ? Just discovered your channel and already added quite a few videos to the watch later playlist. Thanks for the videos.
I would certainly test it out. I have to look into it and see about work arounds.
@@FortinetGuru I tried it on the smallest fortigate. It worked. However I got kicked out of everything. I think it had to reset every session.
Can you make a video for the FortiSwitch managed by Fortimanager?
and if the FortiSwitch is managed by Fortigate; do I have to break this link to manage it by fortimanager?