Address FQDN support
Fortinet Device Package for Cisco ACI supports only address FQDNs and does not support VDOM global FQDNs.
Service Manager Mode: AutoPush feature interaction with zoning
If you have configured Fortinet Device Package for Cisco ACI 2.5 to use zones in conjunction with the AutoPush feature, the zone information does not appear on the FortiGate(s) until the policy is pushed to them.
VLAN trunking for FortiGate-VM dvSwitch modification
After deploying the service graph, you must modify the ACI dvSwitch VNIC mapping to the FortiGate-VM and change port group mode to trunking for traffic to forward. See Fortinet Device Package 2.4 for Cisco ACI for details.
OSPF MTU-Ignore option
When the MTU-Ignore option is enabled for OSPF configuration, Cisco ACI pushes down the MTU size of 1, which causes programming of the OSPF interface and network on the FortiGate to fail. Do not use this option.
Do not modify the predefined keywords that the FortiGate uses.
Custom addresses and services character limitations
Firewall address and service names should not include spaces or special characters.
Rule ID sequence and policy name
FortiOS processes and lists the rule with the lowest ID number first. If deploying multiple service graphs shared with the same virtual device, ensure that rule IDs and policy names are unique to avoid overriding any rules or policies.
You do not need to perform any BGP/OSPF parameter configuration except for the router ID configured in L4-L7 > Services > Router Configurations. It is recommended that you create the BGP/OSPF configuration on L3OUTS, which is the corresponding interface configuration along with all BGP/OSPF parameters to the FortiGate on APIC. During service graph deployment, the device package extracts the BGP/OSPF parameters from APIC and programs the corresponding BGP/OSPF configurations on FortiGate.
Static route sequence number
When the static route sequence number is set to 0, the default value, the device package ignores the static route programming. Otherwise, the device package programs any entry in the Static Route fields when the sequence number is greater than 0.
When device package returns faults to Cisco ACI, the fault messages appear on the Cisco ACI system level instead of the tenant level. You will see the faults in the debug.log file.
There are some occasions when faulty code is reported to Cisco ACI, but ACI does not open or take any action. The workaround is to remove the service graph and redeploy it.
Empty entries in the parameter folder
If the folder/parameter fields were previously populated but are now left empty, the device packages cannot fall back to the default values, which causes those parameters to not be updated.
For example, consider that the Show in Address List parameter is set to enable. By clicking X, this should clear all options for the Show in Address List parameter.
However, the device package cannot handle this change and shows that no option is selected instead. The workaround is to change the Value field from enable to disable.
This behavior affects all folders/parameters as of the current release.