Fortinet white logo
Fortinet white logo

Administration Guide

Migrating global policies to policy blocks

Migrating global policies to policy blocks

Existing global policies can be migrated to local policy blocks using the CLI to get the configuration and using FortiManager scripts to recreate the policies in a local ADOM.

In the example below, the global policy package contains 20 firewall header and footer policies. These policies are assigned to a local ADOM and installed to FortiGate devices.

To migrate global policies to a Policy Block:
  1. Get the header and footer policy configuration from the Global Database ADOM.
    1. Open the FortiManager CLI terminal and enter the following command to get the header policy configurations:

      execute fmpolicy print-adom-package Global 1 <package ID> 1474 all

    2. Copy the output from the script.

    3. Repeat these steps for the footer policy using the following command:
      execute fmpolicy print-adom-package Global 1 <package ID> 1476 all

  2. Save the policy configuration into FortiManager scripts in the local ADOM.

    1. In the local ADOM, go to Device Manager > Scripts and click Create New > Script.

    2. Paste the contents from the CLI output from the previous step into a separate header and footer script.

    3. In the pasted Script Details, change the Policy ID to 0 and change the script's first line from 'config global header policy' to 'config firewall policy' and save the changes, otherwise the local ADOM will not recognize when the script is run using global syntax and gives an error.

    4. For Run script on select Policy Package or ADOM Database.

  3. Unassign the global policy package. This removes the global configuration from the local ADOM so that you can re-create the policies as policy blocks using the configured script.

    1. In the Global Database ADOM, go to Policy & Objects > Policy Packages.

    2. Select the policy package and click Action > Unassign.

  4. Import the objects used by the Global policy package into the local ADOM.

    1. In the local ADOM, go to Device Manager > Device & Groups.

    2. Select the managed FortiGate and choose Import Configuration > Import all objects.

  5. Create the header and footer policy blocks.

    1. In the local ADOM, create two policy blocks named Top-Policy Block and Bottom-Policy Block respectively. The purpose is to append one policy block to the top of the local policy package as the header and the other at the bottom as the footer.

    2. Append Top-Policy Block to the top of the policy package and Bottom-Policy Block at the bottom.

  6. Run the script to create the local policies.

    1. Go to Device Manager > Scripts.

    2. Run the header script on Top-Policy Block.

    3. Run the footer script on Bottom-Policy Block.

  7. In the local ADOM, go to Policy & Objects > Policy Packages > Firewall Policy.
    The local policy package has the global policies added through the policy block after running the scripts.

  8. Install the policy package to the managed FortiGate devices to remove the global policy and re-create the policy with thew new local policy blocks.


    On FortiGate, the policies re-created through the Top-Policy Block and Bottom-Policy Block are shown in sequence, and the migration from the global policy package to policy blocks is complete.

Migrating global policies to policy blocks

Migrating global policies to policy blocks

Existing global policies can be migrated to local policy blocks using the CLI to get the configuration and using FortiManager scripts to recreate the policies in a local ADOM.

In the example below, the global policy package contains 20 firewall header and footer policies. These policies are assigned to a local ADOM and installed to FortiGate devices.

To migrate global policies to a Policy Block:
  1. Get the header and footer policy configuration from the Global Database ADOM.
    1. Open the FortiManager CLI terminal and enter the following command to get the header policy configurations:

      execute fmpolicy print-adom-package Global 1 <package ID> 1474 all

    2. Copy the output from the script.

    3. Repeat these steps for the footer policy using the following command:
      execute fmpolicy print-adom-package Global 1 <package ID> 1476 all

  2. Save the policy configuration into FortiManager scripts in the local ADOM.

    1. In the local ADOM, go to Device Manager > Scripts and click Create New > Script.

    2. Paste the contents from the CLI output from the previous step into a separate header and footer script.

    3. In the pasted Script Details, change the Policy ID to 0 and change the script's first line from 'config global header policy' to 'config firewall policy' and save the changes, otherwise the local ADOM will not recognize when the script is run using global syntax and gives an error.

    4. For Run script on select Policy Package or ADOM Database.

  3. Unassign the global policy package. This removes the global configuration from the local ADOM so that you can re-create the policies as policy blocks using the configured script.

    1. In the Global Database ADOM, go to Policy & Objects > Policy Packages.

    2. Select the policy package and click Action > Unassign.

  4. Import the objects used by the Global policy package into the local ADOM.

    1. In the local ADOM, go to Device Manager > Device & Groups.

    2. Select the managed FortiGate and choose Import Configuration > Import all objects.

  5. Create the header and footer policy blocks.

    1. In the local ADOM, create two policy blocks named Top-Policy Block and Bottom-Policy Block respectively. The purpose is to append one policy block to the top of the local policy package as the header and the other at the bottom as the footer.

    2. Append Top-Policy Block to the top of the policy package and Bottom-Policy Block at the bottom.

  6. Run the script to create the local policies.

    1. Go to Device Manager > Scripts.

    2. Run the header script on Top-Policy Block.

    3. Run the footer script on Bottom-Policy Block.

  7. In the local ADOM, go to Policy & Objects > Policy Packages > Firewall Policy.
    The local policy package has the global policies added through the policy block after running the scripts.

  8. Install the policy package to the managed FortiGate devices to remove the global policy and re-create the policy with thew new local policy blocks.


    On FortiGate, the policies re-created through the Top-Policy Block and Bottom-Policy Block are shown in sequence, and the migration from the global policy package to policy blocks is complete.