Using FortiManager to Deploy Different Policy Packages at the same time

Sometimes I take for granted how certain tasks are not well defined in official FortiManager documentation. I just recently I saw a post on Reddit entitled “FortiManager – Push multiple policy packages at the same time”. This is a common ask because many deployments have different policy packages assigned to different FortiGates managed by the same FortiManager. In all of the responses I reviewed, no one seemed to be aware of a feature in the FortiManager that allows just that. In this brief blog article, I will explain the steps to accomplish this.

Common Objects in Different Policy Packages

In the scenario where an object common to those policy packages, such as a network object or a service object is changed, all of the policy packages that reference those objects will be shown as modified.

Figure 1. – Screenshot of FortiManager showing modified policy packages

The two policy packages referenced in the screenshot above reference a common network object called “h-srv1-dc01” as shown in the two screenshot below:

Figure 2. – Screenshot of the “fg01-dc01-policy” package referencing object “h-srv1-dc01”
Figure 3. – Screenshot of the “fg01-hq01-policy” package referencing object “h-srv1-dc01”.

When a change is made to the “h-srv1-dc01” object (such as adding a comment), the policy packages referencing that object will show as modified.

Figure 4. – Screenshot of comment being added to the “h-srv1-dc01” object
Figure 5. – Screenshot of “modified” status for “Policy Package” assigned to different FortiGates

Pushing different policy packages at one time

When using the normal “Install Wizard” to push policy packages from the FortiManager, it only lets you select one policy package to install. Here’s an example of this wizard showing this:

Figure 6. – Screenshot of the “Install Wizard”

This can prove be a tedious and have a large administrative overhead associated with pushing out multiple policy packages because this wizard (and its subsequent steps) would need to be followed each time. A better way to deploy these policy packages would be through the use of the “Re-install Policy” functionality. To accomplish this, select the FortiGates in the FortiManager | Select “Re-Install Policy” and follow the associated prompts:

Figure 7. – Screenshot of the “Re-install policy” option

Click through the “Re-install Policy Package” prompt.

Figure 8. – Screenshot of the “Re-install Policy Package” prompt

Once acknowledged, the install preview dialog will be provided where you can view the differences that will be applied to each instance of the policy packages being deployed:

Figure 9. – Screenshot of the “Re-install Policy Package” install preview dialog

Upon clicking “Next”, the process to install the policy packages will commence and the FortiManager will send the necessary commands down to the FortiGate:

Figure 10. – Screenshot of the “Re-install Policy Package” application
Figure 11 . – Screenshot of the “Re-install Policy Package” application successfully deployed

And that’s it! I hope now you are aware that a tedious task is no longer tedious with the use of the “Re-install Policy” feature. As always, leave your questions or feedback below. I hope this helps!

5 2 votes
Article Rating
Notify of
Inline Feedbacks
View all comments