Sometimes I take for granted how certain tasks are not well defined in official FortiManager documentation. I recently saw a post on Reddit entitled “FortiManager – Push multiple policy packages at the same time”. This is a common ask because many deployments have different policy packages assigned to different FortiGates managed by the same FortiManager. In all of the responses I reviewed, no one seemed to be aware of a feature in the FortiManager that allows just that. In this brief blog article, I will explain the steps to accomplish this.
Common Objects in Different Policy Packages
In the scenario where an object common to those policy packages, such as a network object or a service object, is changed, all of the policy packages that reference that object will be shown as modified.
The two policy packages referenced in the screenshot above reference a common network object called “h-srv1-dc01” as shown in the two screenshots below:
When a change is made to the “h-srv1-dc01” object (such as adding a comment), the policy packages referencing that object will show as modified.
Pushing different policy packages at one time
When using the normal “Install Wizard” to push policy packages from the FortiManager, it only lets you select one policy package to install. Here’s an example of this wizard showing this:
This can prove tedious and carry a large administrative overhead when pushing out multiple policy packages, because this wizard (and its subsequent steps) would need to be followed each time. A better way to deploy these policy packages is through the “Re-install Policy” functionality. To accomplish this, select the FortiGates in the FortiManager, select “Re-Install Policy”, and follow the associated prompts:
Click through the “Re-install Policy Package” prompt.
Once acknowledged, the install preview dialog will be provided where you can view the differences that will be applied to each instance of the policy packages being deployed:
Upon clicking “Next”, the process to install the policy packages will commence and the FortiManager will send the necessary commands down to the FortiGate:
And that’s it! I hope now you are aware that a tedious task is no longer tedious with the use of the “Re-install Policy” feature. As always, leave your questions or feedback below. I hope this helps!