FortiManager per device mapping

Problem

FortiManager doesn’t install the expected changes.

For example, you modify an address object in FortiManager or replace a certificate, and the changes are not installed on the FortiGate.

Solution

Verify if the Object has Device Mapping enabled.

The following Symbol means that per Device mapping is active on this Object:

Verify whether per device mapping is necessary. If it isn’t and the settings are correct, you may delete it, or you may modify the object by clicking Edit for the specific device you would like to change.

There may be other reasons why a recent change is not installed, but in 95% of cases the reason is an active per device mapping.

Further Details

If you use FortiManager to manage your FortiGate Policy Packages, then DO NOT modify settings directly on the FortiGate and import the changes into the FortiManager’s existing policy package.

This will result in problems with “per Device Mapping”, because during an import, objects that were modified directly on the FortiGate are configured as per device mappings.

Instead, use the following best practice: if you manage your FortiGates through FortiManager, do not change settings directly on the FortiGate. Make the change in FortiManager and then install it.

Here’s an example of how to tell whether per device mapping is active or not:

Virtual IP per device mapping Example

Per device mapping is highlighted in blue:

If you open the VIP you may see the difference.

With per device mapping enabled, changes made directly in the VIP won’t be applied unless you modify the object’s settings for the mapped device itself: select the managed device and click Edit.

You may also remove the per device mapping.

-> ATTENTION: Before you delete a per device mapping, verify that the settings are correct.

VIP without per Device Mapping
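
To check many objects at once instead of looking for the symbol on each one, the following added example (not from the original article or from Fortinet) scans a FortiManager JSON API object listing for per device mappings and reports which fields the mapped device overrides. The sample response is constructed, its layout (dynamic_mapping, _scope, extip, mappedip) is an assumption about the API reply for VIP objects, and find_device_mappings is a hypothetical helper name.

```python
import json

# Constructed sample: shape modelled on a FortiManager JSON-RPC "get" reply for
# /pm/config/adom/<adom>/obj/firewall/vip (assumed layout, not captured output).
SAMPLE_RESPONSE = json.loads("""
{"result": [{"status": {"code": 0, "message": "OK"},
  "url": "/pm/config/adom/root/obj/firewall/vip",
  "data": [
    {"name": "VIP-WEB", "extip": ["203.0.113.10"], "mappedip": ["10.0.0.10"],
     "dynamic_mapping": [
       {"_scope": [{"name": "FGT-BRANCH1", "vdom": "root"}],
        "extip": ["203.0.113.10"], "mappedip": ["10.1.0.10"]}]},
    {"name": "VIP-MAIL", "extip": ["203.0.113.25"], "mappedip": ["10.0.0.25"],
     "dynamic_mapping": null}
  ]}]}
""")


def find_device_mappings(response, compare_fields=("extip", "mappedip")):
    """Return one finding per (object, device, vdom) per device mapping."""
    findings = []
    for result in response.get("result", []):
        if result.get("status", {}).get("code") != 0:
            raise ValueError(f"API error: {result.get('status')}")
        for obj in result.get("data") or []:
            for mapping in obj.get("dynamic_mapping") or []:
                # Fields where the device-specific value differs from the
                # ADOM-level default; edits to the default never reach them.
                overrides = {f: {"default": obj.get(f), "device": mapping[f]}
                             for f in compare_fields
                             if f in mapping and mapping[f] != obj.get(f)}
                for scope in mapping.get("_scope") or []:
                    findings.append({"object": obj["name"],
                                     "device": scope.get("name"),
                                     "vdom": scope.get("vdom"),
                                     "overrides": overrides})
    return findings


if __name__ == "__main__":
    for f in find_device_mappings(SAMPLE_RESPONSE):
        print(f"{f['object']}: mapped on {f['device']}/{f['vdom']}, "
              f"overrides {f['overrides']}")
```

An object that appears in the output with a non-empty overrides entry is one where a change to the default value will not be installed on the listed device.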

If you need assistance, don’t hesitate to contact us.

Further Details

Related KB Articles from Fortinet

Technical Note: FortiManager dynamic objects – Fortinet Community