Fortinet white logo
Fortinet white logo

Administration Guide

Sequence of operations for installation to managed devices

Sequence of operations for installation to managed devices

When FortiManager installs changes to managed devices, for example installing Policy Packages and CLI templates to a FortiGate, it follows a sequence where the configuration is first copied to the device's Device Database on FortiManager before actual installation to the target device.

This section includes the following:

FortiManager databases used during installation

The FortiManager has two databases that are used in the process of installing configuration changes to target devices.

  • ADOM Database: The FortiManager's ADOM Database includes all ADOM objects including policy objects, provisioning templates, AP Profiles, FortiSwitch templates, and FortiExtender templates.

  • Device (FortiGate) Database: The FortiManager's Device (FortiGate) Database has complete configuration files for each FortiGate that is managed by the FortiManager.

The diagram below demonstrates the relationship between the ADOM Database, Device Database and target device (real FortiGate) when installing changes.

Sequence for installing changes to managed devices

The process of installing the changes to the target FortiGate is as follows:

  1. FortiManager copies the ADOM objects (including policy objects, Provisioning Templates, etc.) related to the configuration change from the ADOM Database to the Device Database for the target FortiGate.
    • As an example, each command line in a CLI template is applied to the configuration file stored in the Device Database for the target FortiGate.
    • At this point, the configuration file in the Device Database is an updated and completely new version.
    • See Execution sequence for real devices and Execution sequence for model devices for the exact sequence of operations.
  2. FortiManager retrieves the current configuration file from the real FortiGate device and compares it to the newly updated configuration file in the Device Database to determine the difference (diff) between the old and new configuration. FortiManager installs the changes identified in the diff to the target device.
    Note

    The diff between the old and new configuration is installed to the target FortiGate, but not the original content.
    Because of this behavior, some object details (for example, some command lines in a CLI template) are not directly pushed to the target FortiGate. Instead, FortiManager is responsible to make sure that the changes identified in the diff are correctly updated on the real FortiGate.

Execution sequence for real devices

The templates, packages, and profiles are applied to the Device Database from the ADOM Database in the following order:

  1. System template.
  2. Threat weight template.
  3. IPsec tunnel template.
  4. Static route template.
  5. BGP template.
  6. NSX-T service template.
  7. SD-WAN template.
  8. AP Profile
  9. FortiSwitch template.
  10. FortiExtender template.
  11. Policy Package.
  12. Post-run CLI template.

When installing the changes to a real FortiGate:

  • FortiManager compares the Device Database of the target FortiGate with the configuration retrieved from the real FortiGate device.
  • FortiManager generates a diff of the configuration.
  • FortiManager installs the difference on the real FortiGate.
Execution sequence for model devices

Pre-Run CLI/Jinja templates run once on a model device to preconfigure them with required settings, for example to add interfaces to a FortiGate-VM. Pre-run CLI/Jinja templates are exclusively available to model devices, and can only be assigned to model devices.

Similar to other Provisioning Templates, the pre-run CLI/Jinja template is only applied to the Device Database on the FortiManager side, not to the target FortiGate. Once the pre-run CLI/Jinja template has been applied to the Device Database of a model device, it is automatically unassigned from that model device.

The templates, packages, and profiles are applied to the Device Database from the ADOM Database in the following order:

  1. Pre-run CLI template (Only available on model devices. Pre-run CLI/Jinja templates are always applied to the Device Database before any other Provisioning Template or Policy Packages.).
  2. System template.
  3. Threat weight template.
  4. IPsec tunnel template.
  5. Static route template.
  6. BGP template.
  7. NSX-T service template.
  8. SD-WAN template.
  9. AP Profile
  10. FortiSwitch template.
  11. FortiExtender template.
  12. Policy Package.
  13. Post-run CLI template.

With zero touch provisioning, you only need to assign Provisioning Templates and Policy Packages to model devices and are not required to perform any of the installation actions (see the note below for best practices and exceptions). Once the real device comes online, FortiManager copies everything to the Device Database and then installs it on the real device as part of the auto-link process.

Caution
  • When a model device has a Policy Package assigned, it is recommended as a best practice that you perform the Policy Package installation before bringing the real device online so that you can catch potential configuration errors before auto-link occurs.

  • When a model device is part of a device group, and the device group itself is the installation target of a Policy Package, the policy will not be installed automatically during the auto-link process. You must perform a Policy Package install before bringing the real device online.

Installation example

The following example demonstrates that during installation to a real FortiGate device, FortiManager does not push the content of a CLI template to the FortiGate line-by-line. Instead FortiManager identifies the difference between the Device Database and the FortiGate's current configuration, and is responsible for installing the necessary changes.

  1. On the FortiManager, a CLI template is assigned to a FortiGate-60E.
    The CLI template contains the following commands:

    config firewall policy

    delete 1

    end

    config firewall policy

    edit "1"

    set action accept

    set srcintf "internal1"

    set dstintf "internal1"

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set logtraffic all

    next

    end

  2. The real FortiGate-60E is currently configured with Policy ID 1 as shown below:

    config firewall policy

    edit 1

    set uuid bddc84d8-a64f-51ed-405b-90156f074f85

    set srcintf "any"

    set dstintf "any"

    set action accept

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set logtraffic all

    next

    end

  3. To install the updated Policy Package to the FortiGate-60E, FortiManager first copies all of the CLI template's content from the FortiManager's ADOM Database to the Device Database for the FortiGate-60E.

    config firewall policy

    delete 1

    end

    config firewall policy

    edit "1"

    set action accept

    set srcintf "internal1"

    set dstintf "internal1"

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set logtraffic all

    next

    end

  4. After the copy process is finished, the FortiGate-60E's device configuration status on FortiManager is shown as Modified.
  5. FortiManager compares the modified FortiGate-60E's Device Database with the real FortiGate-60E's configuration, and generates a diff of the configuration. The changes identified in the diff are pushed to the real FortiGate-60E.
    In this example, the installation log below shows that only Policy ID 1's UUID, source interface, and destination interface settings are installed on the real FortiGate-60E as those are the differences identified.

    Starting log (Run on device)

    Start installing

    FGT60ETK19025756 $ config firewall policy

    FGT60ETK19025756 (policy) $ edit 1

    FGT60ETK19025756 (1) $ set uuid 2fa87c82-a765-51ed-e337-052557345417

    FGT60ETK19025756 (1) $ set srcintf "internal1"

    FGT60ETK19025756 (1) $ set dstintf "internal1"

    FGT60ETK19025756 (1) $ next

    FGT60ETK19025756 (policy) $ end

    ---> generating verification report

    <--- done generating verification report

    install finished

Sequence of operations for installation to managed devices

Sequence of operations for installation to managed devices

When FortiManager installs changes to managed devices, for example installing Policy Packages and CLI templates to a FortiGate, it follows a sequence where the configuration is first copied to the device's Device Database on FortiManager before actual installation to the target device.

This section includes the following:

FortiManager databases used during installation

The FortiManager has two databases that are used in the process of installing configuration changes to target devices.

  • ADOM Database: The FortiManager's ADOM Database includes all ADOM objects including policy objects, provisioning templates, AP Profiles, FortiSwitch templates, and FortiExtender templates.

  • Device (FortiGate) Database: The FortiManager's Device (FortiGate) Database has complete configuration files for each FortiGate that is managed by the FortiManager.

The diagram below demonstrates the relationship between the ADOM Database, Device Database and target device (real FortiGate) when installing changes.

Sequence for installing changes to managed devices

The process of installing the changes to the target FortiGate is as follows:

  1. FortiManager copies the ADOM objects (including policy objects, Provisioning Templates, etc.) related to the configuration change from the ADOM Database to the Device Database for the target FortiGate.
    • As an example, each command line in a CLI template is applied to the configuration file stored in the Device Database for the target FortiGate.
    • At this point, the configuration file in the Device Database is an updated and completely new version.
    • See Execution sequence for real devices and Execution sequence for model devices for the exact sequence of operations.
  2. FortiManager retrieves the current configuration file from the real FortiGate device and compares it to the newly updated configuration file in the Device Database to determine the difference (diff) between the old and new configuration. FortiManager installs the changes identified in the diff to the target device.
    Note

    The diff between the old and new configuration is installed to the target FortiGate, but not the original content.
    Because of this behavior, some object details (for example, some command lines in a CLI template) are not directly pushed to the target FortiGate. Instead, FortiManager is responsible to make sure that the changes identified in the diff are correctly updated on the real FortiGate.

Execution sequence for real devices

The templates, packages, and profiles are applied to the Device Database from the ADOM Database in the following order:

  1. System template.
  2. Threat weight template.
  3. IPsec tunnel template.
  4. Static route template.
  5. BGP template.
  6. NSX-T service template.
  7. SD-WAN template.
  8. AP Profile
  9. FortiSwitch template.
  10. FortiExtender template.
  11. Policy Package.
  12. Post-run CLI template.

When installing the changes to a real FortiGate:

  • FortiManager compares the Device Database of the target FortiGate with the configuration retrieved from the real FortiGate device.
  • FortiManager generates a diff of the configuration.
  • FortiManager installs the difference on the real FortiGate.
Execution sequence for model devices

Pre-Run CLI/Jinja templates run once on a model device to preconfigure them with required settings, for example to add interfaces to a FortiGate-VM. Pre-run CLI/Jinja templates are exclusively available to model devices, and can only be assigned to model devices.

Similar to other Provisioning Templates, the pre-run CLI/Jinja template is only applied to the Device Database on the FortiManager side, not to the target FortiGate. Once the pre-run CLI/Jinja template has been applied to the Device Database of a model device, it is automatically unassigned from that model device.

The templates, packages, and profiles are applied to the Device Database from the ADOM Database in the following order:

  1. Pre-run CLI template (Only available on model devices. Pre-run CLI/Jinja templates are always applied to the Device Database before any other Provisioning Template or Policy Packages.).
  2. System template.
  3. Threat weight template.
  4. IPsec tunnel template.
  5. Static route template.
  6. BGP template.
  7. NSX-T service template.
  8. SD-WAN template.
  9. AP Profile
  10. FortiSwitch template.
  11. FortiExtender template.
  12. Policy Package.
  13. Post-run CLI template.

With zero touch provisioning, you only need to assign Provisioning Templates and Policy Packages to model devices and are not required to perform any of the installation actions (see the note below for best practices and exceptions). Once the real device comes online, FortiManager copies everything to the Device Database and then installs it on the real device as part of the auto-link process.

Caution
  • When a model device has a Policy Package assigned, it is recommended as a best practice that you perform the Policy Package installation before bringing the real device online so that you can catch potential configuration errors before auto-link occurs.

  • When a model device is part of a device group, and the device group itself is the installation target of a Policy Package, the policy will not be installed automatically during the auto-link process. You must perform a Policy Package install before bringing the real device online.

Installation example

The following example demonstrates that during installation to a real FortiGate device, FortiManager does not push the content of a CLI template to the FortiGate line-by-line. Instead FortiManager identifies the difference between the Device Database and the FortiGate's current configuration, and is responsible for installing the necessary changes.

  1. On the FortiManager, a CLI template is assigned to a FortiGate-60E.
    The CLI template contains the following commands:

    config firewall policy

    delete 1

    end

    config firewall policy

    edit "1"

    set action accept

    set srcintf "internal1"

    set dstintf "internal1"

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set logtraffic all

    next

    end

  2. The real FortiGate-60E is currently configured with Policy ID 1 as shown below:

    config firewall policy

    edit 1

    set uuid bddc84d8-a64f-51ed-405b-90156f074f85

    set srcintf "any"

    set dstintf "any"

    set action accept

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set logtraffic all

    next

    end

  3. To install the updated Policy Package to the FortiGate-60E, FortiManager first copies all of the CLI template's content from the FortiManager's ADOM Database to the Device Database for the FortiGate-60E.

    config firewall policy

    delete 1

    end

    config firewall policy

    edit "1"

    set action accept

    set srcintf "internal1"

    set dstintf "internal1"

    set srcaddr "all"

    set dstaddr "all"

    set schedule "always"

    set service "ALL"

    set logtraffic all

    next

    end

  4. After the copy process is finished, the FortiGate-60E's device configuration status on FortiManager is shown as Modified.
  5. FortiManager compares the modified FortiGate-60E's Device Database with the real FortiGate-60E's configuration, and generates a diff of the configuration. The changes identified in the diff are pushed to the real FortiGate-60E.
    In this example, the installation log below shows that only Policy ID 1's UUID, source interface, and destination interface settings are installed on the real FortiGate-60E as those are the differences identified.

    Starting log (Run on device)

    Start installing

    FGT60ETK19025756 $ config firewall policy

    FGT60ETK19025756 (policy) $ edit 1

    FGT60ETK19025756 (1) $ set uuid 2fa87c82-a765-51ed-e337-052557345417

    FGT60ETK19025756 (1) $ set srcintf "internal1"

    FGT60ETK19025756 (1) $ set dstintf "internal1"

    FGT60ETK19025756 (1) $ next

    FGT60ETK19025756 (policy) $ end

    ---> generating verification report

    <--- done generating verification report

    install finished