Sequence of operations for installation to managed devices
When FortiManager installs changes to managed devices, for example installing Policy Packages and CLI templates to a FortiGate, it follows a sequence where the configuration is first copied to the device's Device Database on FortiManager before actual installation to the target device.
This section includes the following:
- FortiManager databases used during installation
- Sequence for installing changes to managed devices
- Execution sequence for real devices
- Execution sequence for model devices
- Installation example
FortiManager databases used during installation
The FortiManager has two databases that are used in the process of installing configuration changes to target devices.
-
ADOM Database: The FortiManager's ADOM Database includes all ADOM objects including policy objects, provisioning templates, AP Profiles, FortiSwitch templates, and FortiExtender templates.
-
Device (FortiGate) Database: The FortiManager's Device (FortiGate) Database has complete configuration files for each FortiGate that is managed by the FortiManager.
The diagram below demonstrates the relationship between the ADOM Database, Device Database and target device (real FortiGate) when installing changes.
Sequence for installing changes to managed devices
The process of installing the changes to the target FortiGate is as follows:
- FortiManager copies the ADOM objects (including policy objects, Provisioning Templates, etc.) related to the configuration change from the ADOM Database to the Device Database for the target FortiGate.
- As an example, each command line in a CLI template is applied to the configuration file stored in the Device Database for the target FortiGate.
- At this point, the configuration file in the Device Database is an updated and completely new version.
- See Execution sequence for real devices and Execution sequence for model devices for the exact sequence of operations.
- FortiManager retrieves the current configuration file from the real FortiGate device and compares it to the newly updated configuration file in the Device Database to determine the difference (diff) between the old and new configuration. FortiManager installs the changes identified in the diff to the target device.
The diff between the old and new configuration is installed to the target FortiGate, but not the original content.
Because of this behavior, some object details (for example, some command lines in a CLI template) are not directly pushed to the target FortiGate. Instead, FortiManager is responsible to make sure that the changes identified in the diff are correctly updated on the real FortiGate.
Execution sequence for real devices
The templates, packages, and profiles are applied to the Device Database from the ADOM Database in the following order:
- System template.
- Threat weight template.
- IPsec tunnel template.
- Static route template.
- BGP template.
- NSX-T service template.
- SD-WAN template.
- AP Profile
- FortiSwitch template.
- FortiExtender template.
- Policy Package.
- Post-run CLI template.
When installing the changes to a real FortiGate:
- FortiManager compares the Device Database of the target FortiGate with the configuration retrieved from the real FortiGate device.
- FortiManager generates a diff of the configuration.
- FortiManager installs the difference on the real FortiGate.
Execution sequence for model devices
Pre-Run CLI/Jinja templates run once on a model device to preconfigure them with required settings, for example to add interfaces to a FortiGate-VM. Pre-run CLI/Jinja templates are exclusively available to model devices, and can only be assigned to model devices.
Similar to other Provisioning Templates, the pre-run CLI/Jinja template is only applied to the Device Database on the FortiManager side, not to the target FortiGate. Once the pre-run CLI/Jinja template has been applied to the Device Database of a model device, it is automatically unassigned from that model device.
The templates, packages, and profiles are applied to the Device Database from the ADOM Database in the following order:
- Pre-run CLI template (Only available on model devices. Pre-run CLI/Jinja templates are always applied to the Device Database before any other Provisioning Template or Policy Packages.).
- System template.
- Threat weight template.
- IPsec tunnel template.
- Static route template.
- BGP template.
- NSX-T service template.
- SD-WAN template.
- AP Profile
- FortiSwitch template.
- FortiExtender template.
- Policy Package.
- Post-run CLI template.
With zero touch provisioning, you only need to assign Provisioning Templates and Policy Packages to model devices and are not required to perform any of the installation actions (see the note below for best practices and exceptions). Once the real device comes online, FortiManager copies everything to the Device Database and then installs it on the real device as part of the auto-link process.
|
Installation example
The following example demonstrates that during installation to a real FortiGate device, FortiManager does not push the content of a CLI template to the FortiGate line-by-line. Instead FortiManager identifies the difference between the Device Database and the FortiGate's current configuration, and is responsible for installing the necessary changes.
- On the FortiManager, a CLI template is assigned to a FortiGate-60E.
The CLI template contains the following commands:config firewall policy
delete 1
end
config firewall policy
edit "1"
set action accept
set srcintf "internal1"
set dstintf "internal1"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
- The real FortiGate-60E is currently configured with Policy ID 1 as shown below:
config firewall policy
edit 1
set uuid bddc84d8-a64f-51ed-405b-90156f074f85
set srcintf "any"
set dstintf "any"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
- To install the updated Policy Package to the FortiGate-60E, FortiManager first copies all of the CLI template's content from the FortiManager's ADOM Database to the Device Database for the FortiGate-60E.
config firewall policy
delete 1
end
config firewall policy
edit "1"
set action accept
set srcintf "internal1"
set dstintf "internal1"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
- After the copy process is finished, the FortiGate-60E's device configuration status on FortiManager is shown as Modified.
- FortiManager compares the modified FortiGate-60E's Device Database with the real FortiGate-60E's configuration, and generates a diff of the configuration. The changes identified in the diff are pushed to the real FortiGate-60E.
In this example, the installation log below shows that only Policy ID 1's UUID, source interface, and destination interface settings are installed on the real FortiGate-60E as those are the differences identified.Starting log (Run on device)
Start installing
FGT60ETK19025756 $ config firewall policy
FGT60ETK19025756 (policy) $ edit 1
FGT60ETK19025756 (1) $ set uuid 2fa87c82-a765-51ed-e337-052557345417
FGT60ETK19025756 (1) $ set srcintf "internal1"
FGT60ETK19025756 (1) $ set dstintf "internal1"
FGT60ETK19025756 (1) $ next
FGT60ETK19025756 (policy) $ end
---> generating verification report
<--- done generating verification report
install finished