dtogkas
Staff
April 2, 2026

Technical Tip: FortiManager SSL/SSH Inspection Profile Installation Failure: 'unset ports' error (return code -651)

Description

This article describes a known issue in FortiManager where disabling the HTTPS protocol under Protocol Port Mapping in a custom SSL/SSH Inspection profile causes a policy installation failure on the managed FortiGate. The failure is triggered by an invalid CLI command generated by FortiManager ('unset ports'), which FortiGate does not accept, resulting in return code -651.

Scope

FortiManager, FortiGate.
Solution

Create a custom SSL/SSH Inspection profile based on the built-in 'no-inspection' profile or clone the built-in 'no-inspection' profile and then modify the HTTPS protocol by enabling it under Protocol Port Mapping.

 

FortiManager will push the following configuration to the FortiGate:

 

config firewall ssl-ssh-profile
    edit "Clone of no-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end

 

When subsequently disabling the HTTPS protocol for that profile in the FortiManager GUI, FortiManager generates and tries to push the following configuration preview during the next policy installation:

 

=== Preview Result ===
config vdom
    edit TEST
        config firewall ssl-ssh-profile
            edit "Clone of no-inspection"
                config https
                    unset ports
                    set status disable
                end
            next
        end
    end
end

 

Running the 'Installation Wizard' will generate the following error:

 

FGT config vdom
FGT (vdom) edit TEST
current vf=TEST:1
FGT (TEST) config firewall ssl-ssh-profile
FGT (ssl-ssh-profile) edit "Clone of no-inspection"
FGT (Clone of no-insp~ion) config https
FGT (https) unset ports
FGT (https) set status disable
FGT (https) end
Must set at least one port or enable ssl inspect-all.
object check operator error, -651, discard the setting
Command fail. Return code -651
FGT (Clone of no-insp~ion) next
FGT (ssl-ssh-profile) end
FGT (TEST) end

 

Root cause:

The root cause is the 'unset ports' command generated by FortiManager.

 

FortiGate’s CLI requires that at least one port be defined or that 'ssl inspect-all' is enabled before the HTTPS status can be set to 'disable'.

 

Removing the port assignment while the HTTPS sub-object is still active violates this constraint and causes the installation to fail with 'Return code -651'.
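
The offending command can be caught before installation by scanning the install preview text. The Python sketch below is an added example, not Fortinet code: the function name find_unset_ports and the sample text are constructed here, and it assumes the preview nests as shown in this article, with each 'next' or 'end' closing one scope.

```python
import shlex

# Constructed sample: the install preview text quoted in this article.
SAMPLE_PREVIEW = """\
=== Preview Result ===
config vdom
    edit TEST
        config firewall ssl-ssh-profile
            edit "Clone of no-inspection"
                config https
                    unset ports
                    set status disable
                end
            next
        end
    end
end
"""

def find_unset_ports(preview):
    """Return (vdom, profile) for every 'unset ports' inside the https
    sub-block of a 'config firewall ssl-ssh-profile' entry."""
    stack = []      # open scopes, outermost first: ("config"|"edit", name)
    findings = []
    for raw in preview.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):    # blank line or preview banner
            continue
        try:
            words = shlex.split(line)           # keeps quoted names intact
        except ValueError:                      # unbalanced quote in a value
            words = line.split()
        cmd, name = words[0], " ".join(words[1:])
        if cmd in ("config", "edit"):
            stack.append((cmd, name))
        elif cmd in ("next", "end"):            # assumption: closes one scope
            if stack:
                stack.pop()
        elif cmd == "unset" and name == "ports":
            anchor = ("config", "firewall ssl-ssh-profile")
            if anchor not in stack:
                continue
            tail = stack[stack.index(anchor) + 1:]
            if len(tail) == 2 and tail[0][0] == "edit" and tail[1] == ("config", "https"):
                vdom = stack[1][1] if stack[0] == ("config", "vdom") else None
                findings.append((vdom, tail[0][1]))
    return findings

if __name__ == "__main__":
    for vdom, profile in find_unset_ports(SAMPLE_PREVIEW):
        print(f"vdom={vdom} profile={profile!r}: https block contains 'unset ports'")
```

An empty result means the preview contains no 'unset ports' in an SSL/SSH profile's https block; a non-empty result names the VDOM and profile to fix before running the 'Installation Wizard'.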

 

Workaround:

Option 1: Clone the built-in 'no-inspection' profile.

Clone the existing built-in 'no-inspection' profile from FortiManager and assign the clone to the affected Firewall Policies in place of the problematic profile. This avoids the issue entirely and has been confirmed to work.

 

  1. In the FortiManager GUI, navigate to Policy & Objects -> Object Configuration -> Security Profiles -> SSL/SSH Inspection.
  2. 'Right-click' the built-in 'no-inspection' profile and select 'Clone'.
  3. Assign the new cloned profile to the affected Firewall Policies.
  4. Run the 'Installation Wizard', and the installation will complete successfully.

 

Option 2: Run a CLI script remotely via FortiManager.

Run a CLI script from FortiManager targeting the affected FortiGate. The script directly sets the HTTPS status to 'disable' within the profile, bypassing the 'unset ports' command entirely:

 

config vdom
    edit TEST
        config firewall ssl-ssh-profile
            edit "no-ssl-inspection"
                config https
                    set status disable
                end
            next
        end
    end
end

 

After running the script on the FortiGate, launch the 'Installation Wizard' from FortiManager.

It will detect that no configuration delta remains, show 'Nothing to install', and mark the FortiGate as synchronized.

 

Note: This is a bug, and a permanent fix is planned for the next release of FortiOS v7.4, v7.6, and v8.0. Until the fix is released, use one of the workarounds above.