Ted
Staff
February 24, 2026

Troubleshooting Tip: Nested address groups excluded from policy search in FortiOS 7.4.8

Description: This article describes a change in FortiOS 7.4.8 where nested address groups are intentionally excluded from the global policy search.

Scope: FortiGate.

Solution:

This design change was introduced to optimize performance and responsiveness in the FortiGate GUI when loading and filtering large policy or address lists. In FortiOS 7.4.8, the global policy search mechanism does not recursively expand address groups contained inside other address groups. As a result, when attempting to identify policy matches via nested group membership, the search results will include only top‑level address groups, not the nested address groups contained within them.

 

Examples:

Assume there is an address group object 'addGrp1' nested in 'addGrp2', and 'addGrp1' has an address object '192.168.0.1' as a group member.

 

nestObj1.png

 

  1. FortiOS 7.4.7 or earlier.

 

When performing a policy search with '192.168.0.1', the GUI shows the policy containing the address object nested in the address group.

 

nestObj2.png

 

  2. FortiOS 7.4.8 or later.

 

After upgrading to 7.4.8 or later, however, a policy search for '192.168.0.1' no longer returns the policy that contains the address object nested in the address group.

 

nestObj3.png
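
When auditing which policies still cover an address after the upgrade, the nested membership can be resolved offline from a configuration backup. The script below is an added example, not part of the original article or any Fortinet tooling: it expands address groups recursively and lists the policies that reach the searched object. It assumes a single VDOM and flat `config firewall addrgrp` / `config firewall policy` sections without nested sub-blocks; the sample config and policy IDs are constructed around the article's object names.

```python
import re
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted value or bare word

# Constructed sample in FortiOS CLI syntax (trimmed); policy IDs are assumptions.
SAMPLE_CONFIG = '''config firewall addrgrp
    edit "addGrp1"
        set member "192.168.0.1"
    next
    edit "addGrp2"
        set member "addGrp1"
    next
end
config firewall policy
    edit 1
        set dstaddr "addGrp2"
    next
    edit 2
        set dstaddr "all"
    next
end'''

def parse_section(config, section):
    """Return {entry: {field: [values]}} for a flat 'config <section>' block."""
    entries, current, inside = {}, {}, False
    for line in config.splitlines():
        tok = [q or w for q, w in TOKEN.findall(line)]
        if tok[:1] == ["config"]:
            inside = " ".join(tok[1:]) == section
        elif inside and tok[:1] == ["edit"]:
            current = entries.setdefault(tok[1], {})
        elif inside and tok[:1] == ["set"]:
            current[tok[1]] = tok[2:]
    return entries

def expand(name, groups, seen=None):
    """Every object name reachable from `name` via nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        for member in groups.get(name, {}).get("member", []):
            expand(member, groups, seen)
    return seen

def policies_referencing(config, target):
    """Map policy ID -> [(field, object)] whose nested expansion contains target."""
    groups = parse_section(config, "firewall addrgrp")
    hits = {}
    for pid, fields in parse_section(config, "firewall policy").items():
        hits[pid] = [(f, r) for f in ("srcaddr", "dstaddr")
                     for r in fields.get(f, []) if target in expand(r, groups)]
    return {pid: refs for pid, refs in hits.items() if refs}
```

Calling `policies_referencing(SAMPLE_CONFIG, "192.168.0.1")` reports policy 1 through `addGrp2`, the match that the 7.4.8 GUI search omits.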