Troubleshooting Tip: Install fails on delete static entries for config firewall internet-service-custom
Description
This article describes an issue in which recent FortiGuard updates introduced new static entries on FortiGates that FortiManager does not recognize. During the installation, FortiManager may attempt to delete these entries, assuming they are unused.
Scope
FortiManager.
Solution
In some cases, there is a mismatch of Internet Service built-in objects between FortiManager and FortiGate.
When the FortiManager attempts to delete them, the objects are considered internal and cannot be deleted.
The installation may finish with an error like the one below:
FortiGate (internet-service~tom) delete "BuiltIn-JFrog-JFrog"
Can not delete a static table entry
Command fail. Return code -61
FortiGate (internet-service~tom) delete "BuiltIn-PagerDuty-PagerDuty"
Can not delete a static table entry
Command fail. Return code -61
FortiGate (internet-service~tom) delete "BuiltIn-Brightree-Brightree"
Can not delete a static table entry
Command fail. Return code -61
FortiGate (internet-service~tom) end
If this happens, create a CLI script that creates the entries in the ADOM database:
config firewall internet-service-custom
    edit "BuiltIn-Brightree-Brightree"
        set comment "BuiltIn ffdb-fqdn entry"
        config entry
            edit 4
            next
            edit 6
                set addr-mode ipv6
            next
        end
    next
    edit "BuiltIn-PagerDuty-PagerDuty"
        set comment "BuiltIn ffdb-fqdn entry"
        config entry
            edit 4
            next
            edit 6
                set addr-mode ipv6
            next
        end
    next
    edit "BuiltIn-JFrog-JFrog"
        set comment "BuiltIn ffdb-fqdn entry"
        config entry
            edit 4
            next
            edit 6
                set addr-mode ipv6
            next
        end
    next
end
Run the script against a policy package.
After taking these steps, retrieve the configuration from the FortiGate by navigating to Device Manager -> Managed Devices -> Select the FortiGate -> Dashboard -> Summary -> 'Configuration and Installation' widget -> Revision -> Select the menu icon -> Retrieve.
Afterwards, perform the Install.
Note: If the Install preview shows that other built-in objects have been deleted, use the provided script and change the names to the ones shown as deleted.
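The Note above asks for the script to be rebuilt with whichever names the install output reports. As an added example (not part of the original article and not Fortinet tooling), this Python helper extracts the names that failed with "Can not delete a static table entry" from a saved install log and renders the article's script for them. The function names and the "Constructed-Unused-Object" log line are assumptions for illustration, and the per-object body assumes the same settings as the article's script.

```python
import re

# Constructed sample: the article's three failures plus one delete that succeeds.
SAMPLE_LOG = '''\
FortiGate (internet-service~tom) delete "BuiltIn-JFrog-JFrog"
Can not delete a static table entry
Command fail. Return code -61
FortiGate (internet-service~tom) delete "Constructed-Unused-Object"
FortiGate (internet-service~tom) delete "BuiltIn-PagerDuty-PagerDuty"
Can not delete a static table entry
Command fail. Return code -61
FortiGate (internet-service~tom) delete "BuiltIn-Brightree-Brightree"
Can not delete a static table entry
Command fail. Return code -61
FortiGate (internet-service~tom) end
'''

# A delete immediately followed by the static-entry error (any whitespace between).
FAILED_RE = re.compile(r'delete\s+"([^"]+)"\s+Can not delete a static table entry')
# Names are written into CLI text, so accept only quote-safe characters.
SAFE_NAME = re.compile(r'[A-Za-z0-9._ -]+')

# Per-object body copied from the article's script; only the name varies.
ENTRY = '''    edit "{name}"
        set comment "BuiltIn ffdb-fqdn entry"
        config entry
            edit 4
            next
            edit 6
                set addr-mode ipv6
            next
        end
    next
'''

def failed_static_deletes(log_text):
    """Names whose delete was rejected as a static table entry, in log order."""
    names = []
    for name in FAILED_RE.findall(log_text):
        if SAFE_NAME.fullmatch(name) and name not in names:
            names.append(name)
    return names

def build_script(names):
    """Render the CLI script text for the given object names."""
    return ("config firewall internet-service-custom\n"
            + "".join(ENTRY.format(name=n) for n in names) + "end\n")

if __name__ == "__main__":
    print(build_script(failed_static_deletes(SAMPLE_LOG)))
```

Deletes that completed without the static-entry error are left out, so genuinely unused objects are still removed by the install.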
