Technical Tip: Security profile groups no longer available after an upgrade to v7.4.9
| Description | This article explains the scenario where the security profile groups are not available to be selected on firewall policies. |
| Scope | FortiGate, Security Profiles. |
| Solution | The firewall policy on the FortiGate will look like this:
config firewall policy
The configuration of the profile-group will be as follows:
config firewall profile-group
When trying to add a security profile group to a new firewall policy, the following error is displayed:
FortiGate (7)# set profile-group TEST-Flow
entry not found in datasource
value parse error before 'TEST-Flow'
The security profile group will still be visible on the existing firewall policies, but it will not be possible to add it to a new firewall policy.
Changing the profile group on an existing policy, or creating a new security profile group, also fails.
However, once the WAF profile is removed from the profile-group, the group can be selected again.
The reason for this behavior is that firewall policies with inspection-mode set to flow (the default) do not support WAF, ICAP, or SSH-filter features.
If this issue is seen, it is recommended to unset the waf-profile, icap-profile and ssh-filter-profile in the profile-group first before adding it to the firewall policy.
This behavior is not seen when the firewall policy is set to proxy inspection-mode, as per lab testing.
The issue is fixed in version 7.6.0. |
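The check described above can be run against a configuration backup before the upgrade. The following Python script is an added example, not part of the original article or a Fortinet tool: it lists each profile-group that carries a waf-profile, icap-profile or ssh-filter-profile, together with the flow-mode policies that reference it. The sample configuration is constructed and trimmed to the relevant keys, and the function names `parse_table` and `audit` are hypothetical.

```python
import re
PROXY_ONLY = ("waf-profile", "icap-profile", "ssh-filter-profile")  # unsupported in flow mode
# Constructed sample in FortiOS backup syntax (not taken from the article).
SAMPLE_CONFIG = '''config firewall profile-group
    edit "TEST-Flow"
        set waf-profile "default"
    next
end
config firewall policy
    edit 7
        set profile-group "TEST-Flow"
    next
    edit 8
        set inspection-mode proxy
        set profile-group "TEST-Flow"
    next
end
'''

def parse_table(config, table):
    """Return {entry: {key: value}} for 'config <table>', skipping nested sub-tables."""
    entries, current, inside, nested = {}, None, False, 0
    for line in map(str.strip, config.splitlines()):
        if not inside:
            inside = line == f"config {table}"
        elif nested or (current is not None and line.startswith("config ")):
            nested += line.startswith("config ") - (line == "end")
        elif line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif line == "next":
            current = None
        elif line == "end":
            inside = False
        elif current is not None and (m := re.match(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return entries

def audit(config):
    """Map each group holding a proxy-only profile to (keys to unset, flow-mode policy ids using it)."""
    policies, report = parse_table(config, "firewall policy"), {}
    for name, group in parse_table(config, "firewall profile-group").items():
        # Assumption: a policy with no inspection-mode line is in the default mode, flow.
        users = [pid for pid, p in policies.items() if p.get("profile-group") == name
                 and p.get("inspection-mode", "flow") == "flow"]
        if bad := [k for k in PROXY_ONLY if k in group]:
            report[name] = (bad, users)
    return report
if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

For the constructed sample, the result names TEST-Flow with waf-profile as the key to unset and policy 7 as the affected flow-mode policy; policy 8 is in proxy mode and is not reported.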