We utilize FortiManager’s Provision CLI Templates to establish common configurations on our Firewalls.
This approach is practical to ensure that these settings are consistently applied during every firewall installation.
However, from time to time we run into the problem that FortiManager’s CLI Templates are not aware of the Firewall’s specific version.
Unfortunately, the FortiGate CLI strictly adheres to its own command syntax and does not offer backward compatibility.
For instance, when we execute the following command:
FW# config log setting
FW (setting) # set neighbor-event enable
This works well with FortiOS version 6.4.12. However, when we upgrade to FortiOS version 6.4.14, the command fails with the following error:
command parse error before 'log-policy-name'
Command fail. Return code -61
In my view, it’s essential to differentiate between deprecated and obsolete commands. I would prefer a more informative approach to backward compatibility within the parser.
This issue is not just an inconvenience; it will lead to installation failures, and the error messages provided are not as informative as we’d like.
We’ve also encountered problems with copying device global objects and post vdom operations:
- ‘Post vdom’ operation has failed with an error code: 0 – ‘invalid value.’
- When copying objects for the vdom ‘FW,’ we’ve faced challenges.
I appreciate the approach IBM has taken with their Mainframes, and it could potentially benefit other systems too. In the context of supporting public-facing interfaces, be it API, ABI, or CLI, they are willing to accept deprecated syntax for an extended period. Instead of causing immediate errors, they issue warnings and, in the background, transition to using the new calls or silently rewrite the produced output.
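The tolerant behaviour described above, applied to a CLI template before installation, as an added Python example that is not FortiManager or Fortinet code. The rule table, the sample template and the function names are assumptions; the single rule encodes the 6.4.12 / 6.4.14 behaviour reported above.

```python
# Added example: version-aware pre-processing of a CLI template (not FortiManager code).
# RULES is constructed; its single entry encodes the behaviour reported above.
# replacement=None  -> obsolete: drop the line and warn
# replacement="..." -> deprecated: rewrite to the new keyword and warn
RULES = [
    {"path": "log setting", "keyword": "neighbor-event",
     "rejected_from": (6, 4, 14), "replacement": None},
]

# Constructed sample template.
SAMPLE = """config log setting
    set neighbor-event enable
end
config system global
    set admintimeout 10
end"""


def parse_version(text):
    # "6.4.14" -> (6, 4, 14), so 6.4.14 compares greater than 6.4.2
    return tuple(int(part) for part in text.split("."))


def adapt_template(template, version, rules=RULES):
    """Return (lines, warnings) for a template aimed at one FortiOS version."""
    target = parse_version(version)
    stack, out, warnings = [], [], []
    for lineno, raw in enumerate(template.splitlines(), 1):
        words = raw.split()
        if words and words[0] == "config":
            stack.append(" ".join(words[1:]))      # enter a config section
        elif words and words[0] == "end" and stack:
            stack.pop()                            # leave the current section
        elif len(words) > 1 and words[0] in ("set", "unset") and stack:
            rule = next((r for r in rules
                         if r["path"] == stack[-1] and r["keyword"] == words[1]
                         and target >= r["rejected_from"]), None)
            if rule and rule["replacement"] is None:
                warnings.append(f"line {lineno}: '{words[1]}' is obsolete on {version}, dropped")
                continue
            if rule:
                indent = raw[:len(raw) - len(raw.lstrip())]
                warnings.append(f"line {lineno}: '{words[1]}' is deprecated on {version}, "
                                f"rewritten to '{rule['replacement']}'")
                raw = indent + " ".join([words[0], rule["replacement"]] + words[2:])
        out.append(raw)
    return out, warnings
```

The warnings list is what an operator would review before pushing the adapted template, so a dropped baseline setting is visible instead of surfacing as a failed install.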

