This article describes a number of methods that administrators can use to identify and remove duplicate and/or redundant Firewall objects on the FortiGate. This coincides with Fortinet Security Best Practice (FSBP) PO01.8, which recommends that admins ‘check for similarly named objects with identical configurations’ and subsequently remove the duplicates.
Scope
FortiGate.
Solution
Generally speaking, it is best practice to periodically reduce the number of redundant/duplicate objects present in the FortiGate configuration. This reduces administrative ‘clutter’ and makes it easier to identify which objects are actually in use.
With that in mind, the following are some tips that admins can use to ease the process of removing redundant/duplicate Firewall objects. These tactics are listed in increasing order of effectiveness/risk (i.e. starting at individual object resolution and progressing to bulk deletions):
Use the Security Rating Issues button located in the bottom-left corner of the web GUI to list the Duplicate Firewall Objects identified by Security Rating (requires a FortiGuard Attack Surface Security Service license on the FortiGate).
- The Security Rating function on the FortiGate can assist an administrator by pointing out Duplicate Firewall Objects that might need attention. This can be useful for identifying both in-use and non-used duplicate objects.
Filter the Ref. (References) column for object entries with 0 references (FortiOS 7.2 and older).
- This makes it possible to filter for objects that are not referenced in the FortiGate configuration. Those objects are likely redundant and candidates for removal, given that they are not being actively used.
- FortiOS 7.4 and later removed the ability to filter by the Ref. column.
If the FortiGate is managed by FortiManager, it is possible to instead manage Duplicate objects from FortiManager itself: Find and merge duplicate objects – FortiManager administration guide.
- Unused objects can be handled in a similar manner on FortiManager directly: Find unused objects – FortiManager administration guide.
In the CLI, it is possible to run the purge command within a given object table/section to remove all non-referenced objects in one command.
- NOTE: this command removes ALL objects within the specified config table (e.g. config firewall address, config firewall vip, etc.) that are not referenced/used elsewhere in the config. Objects that are referenced are kept, as is a small subset of objects that are considered special ‘static objects’ (such as FIREWALL_AUTH_PORTAL_ADDRESS and FABRIC_DEVICE). EMS tag dynamic address objects are also not removed by this command.
- Exercise extreme caution when running this command, and ensure that a configuration backup is taken prior to running this command.
- To run this command, enter the CLI and navigate to any config section under config firewall […]. Verify whether the purge command is available by entering a question mark (?) character:
config firewall address
# ?
edit      Add/edit a table value.
delete    Delete a table value.
purge     Clear all table values.
rename    Rename a table entry.
get       Get dynamic and system information.
show      Show configuration.
end       End and save last config.
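As an added example (not part of this article, and not a FortiOS or FortiManager feature), the following Python script reads a FortiOS configuration backup and reports address objects whose effective settings are identical (the FSBP PO01.8 case) and address objects with zero references, so candidates can be reviewed offline from the backup taken before running purge. It embeds a constructed sample config and assumes the standard config/edit/set/next/end layout, with references to an object appearing as its quoted name on 'set' lines of other tables.

```python
import re
# Constructed sample FortiOS configuration (illustrative, not taken from a real device).
SAMPLE_CONFIG = """\
config firewall address
    edit "LAN_Net"
        set uuid 00000000-0000-0000-0000-000000000001
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "LAN-Net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "Unused_Host"
        set subnet 192.168.1.5 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcaddr "LAN_Net"
    next
end
"""
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]+)"?\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
IGNORED_KEYS = {"uuid", "comment", "color"}  # per-object metadata that does not affect behaviour
def parse_table(config, table):
    # Returns {object name: frozenset of (key, value)} for every entry in one config table.
    objects, current, in_table = {}, None, False
    for line in config.splitlines():
        stripped = line.strip()
        if stripped == f"config {table}":
            in_table = True
        elif in_table and stripped == "end":  # table closed (assumes no nested sub-tables)
            break
        elif in_table and (m := EDIT_RE.match(line)):
            objects[(current := m.group(1))] = set()
        elif current is not None and (m := SET_RE.match(line)):
            if m.group(1) not in IGNORED_KEYS:
                objects[current].add((m.group(1), m.group(2).strip()))
    return {name: frozenset(attrs) for name, attrs in objects.items()}

def find_duplicates(objects):
    # Groups names whose effective settings are identical: the "similar name, same config" case.
    groups = {}
    for name, attrs in objects.items():
        groups.setdefault(attrs, []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

def count_references(config, names):
    # Counts 'set ...' lines anywhere in the config that quote the object name; 0 means unreferenced.
    set_lines = [l for l in config.splitlines() if l.strip().startswith("set ")]
    return {n: sum(f'"{n}"' in l for l in set_lines) for n in names}
```

Run it against the config backup text instead of SAMPLE_CONFIG; a zero count corresponds to the 0-reference filter in the GUI, and a duplicate group corresponds to a Security Rating Duplicate Firewall Objects finding.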