MB_arr
Staff
March 22, 2026

Technical Tip: Workaround for adding Source IP entries when 'CLI internal error' occurs in ML‑Based bot detection GUI

Description: This article describes the workaround for adding source IP entries in ML‑Based Bot Detection and ML‑Based Anomaly Detection policies on FortiWeb versions 8.0.3 through 8.0.4.
Scope: FortiWeb v8.0.3 and v8.0.4.
Solution

When attempting to add IP addresses via the GUI after the initial creation of a Source IP List, a ‘CLI internal error’ message may be observed. This behavior occurs when editing an existing policy and attempting to append additional entries through the GUI.

 

GUI_.png

 

  1. Accessing an existing ML-Based Bot Detection configuration (where the error occurs).
  • Navigate to Bot Mitigation on the FortiWeb GUI. Select ML-Based Bot Detection.
  • Open the relevant server policy and locate the Source IP List under the ML-Based Bot Detection model settings.
  • Attempt to add a new IP address or IP range to the Source IP List.

At this point, the system may display the following error, as shown in the screenshot above:

'CLI internal error'

 

  2. Workaround: add Source IP entries using the CLI. Source IP entries can be added successfully using the CLI by specifying the next available index number.

 

  • Step 1 – Review the current configuration:

 

show waf bot-detection-policy
config waf bot-detection-policy
  edit 1
    set policy-id 6394868947953433187
    set verification-method Real-Browser-Enforement
    config source-ip-list
      edit 1
        set ip 1.1.1.1
      next
      edit 2
        set ip 1.1.3.4
      next
      edit 3
        set ip 1.1.5.4
      next
      edit 4
        set ip 10.14.19.111
      next
      edit 6
        set ip 10.14.11.14
      next
      edit 7
        set ip 10.14.55.55
      next
    end
    config bot-detection-exception-list
    end
    set model-status disable
    set space-clustering disable
    set clustering-normalization disable
  next
end

 

  • Step 2 – Add the new IP address using the next available index.

Example 1 (Single IP):

 

config waf bot-detection-policy
    edit 1
        config source-ip-list
            edit 8
                set ip 10.22.1.1
            next
        end
    next
end

 

Example 2 (With IP range):

 

config waf bot-detection-policy
    edit 1
        config source-ip-list
            edit 9
                set ip 192.168.55.10-192.168.55.13
            next
        end
    next
end

 

  • Step 3 – Verify the configuration.

 

show waf bot-detection-policy
config waf bot-detection-policy
  edit 1
    set policy-id 6394868947953433187
    set verification-method Real-Browser-Enforement
    config source-ip-list
      edit 1
        set ip 1.1.1.1
      next
      edit 2
        set ip 1.1.3.4
      next
      edit 3
        set ip 1.1.5.4
      next
      edit 4
        set ip 10.14.19.111
      next
      edit 6
        set ip 10.14.11.14
      next
      edit 7
        set ip 10.14.55.55
      next
      edit 8
        set ip 10.22.1.1
      next
      edit 9
        set ip 192.168.55.10-192.168.55.13
      next
    end
    config bot-detection-exception-list
    end
    set model-status disable
    set space-clustering disable
    set clustering-normalization disable
  next
end

 

Key considerations.

  • Use the next sequential index after the existing entries (e.g., with entries 1, 2, 3, 4, 5, 6, 7 in the original configuration, the next should be 8, and so on).
  • Both single IPs and ranges are supported via CLI.
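
The index selection in Steps 1 and 2 can be scripted on an admin workstation. The following is an added example, not part of the original article or any Fortinet tooling: it parses saved `show waf bot-detection-policy` output, takes the highest existing index plus one, validates the new address or range, and returns the CLI block to paste. The function names, the sample text, the IPv4-only parsing and the overlap check are assumptions of this example.

```python
import ipaddress

# Constructed sample, abridged from the shape of the Step 1 output on this page.
SAMPLE_SHOW = """config waf bot-detection-policy
  edit 1
    config source-ip-list
      edit 4
        set ip 10.14.19.111
      next
      edit 7
        set ip 10.14.55.55
      next
    end
  next
end
"""

def source_ip_entries(show_output, policy_index):
    """Return {index: value} for the source-ip-list of one policy."""
    want = ["waf bot-detection-policy", str(policy_index), "source-ip-list"]
    path, entries = [], {}
    for tok in filter(None, (ln.split() for ln in show_output.splitlines())):
        if tok[0] in ("config", "edit"):
            path.append(" ".join(tok[1:]))       # descend one level
        elif tok[0] in ("next", "end") and path:
            path.pop()                           # leave the current level
        elif tok[:2] == ["set", "ip"] and len(path) == 4 and path[:3] == want:
            entries[int(path[3])] = tok[2]
    return entries

def bounds(value):  # 'a.b.c.d' or 'a.b.c.d-e.f.g.h' -> (first, last)
    first, sep, last = value.partition("-")
    lo = ipaddress.IPv4Address(first)            # malformed input raises ValueError
    hi = ipaddress.IPv4Address(last) if sep else lo
    if lo > hi:
        raise ValueError(f"range start is above range end: {value}")
    return lo, hi

def build_append(show_output, policy_index, new_ip):
    """Return (index, CLI text) appending new_ip at highest existing index + 1."""
    entries = source_ip_entries(show_output, policy_index)
    lo, hi = bounds(new_ip)
    for idx, cur in entries.items():             # this example's own sanity check
        if lo <= bounds(cur)[1] and bounds(cur)[0] <= hi:
            raise ValueError(f"{new_ip} overlaps entry {idx} ({cur})")
    index = max(entries, default=0) + 1          # gaps in the list are not reused
    body = ["config waf bot-detection-policy", f"edit {policy_index}",
            "config source-ip-list", f"edit {index}", f"set ip {new_ip}",
            "next", "end", "next", "end"]
    return index, "\n".join("    " * d + s for d, s in zip((0, 1, 2, 3, 4, 3, 2, 1, 0), body))
```

Calling `build_append(SAMPLE_SHOW, 1, "10.22.1.1")` on the constructed sample yields index 8 even though only two entries exist, matching the article's guidance to continue from the highest index.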

 

Related document:

waf bot-detection-policy