cschmidt-leolabs
New Member
December 5, 2024
Solved

Cannot apply default webfilter-profile to external Firewall policy, no error

  • December 5, 2024
  • 4 replies
  • 1962 views

Cannot apply default webfilter-profile to external Firewall policy.  It fails with no error and I am not sure what I am doing wrong or how to correct this problem. I am following the guide below while using FortiManager Cloud:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-deep-inspection-and-import-a/ta-p/196840

 

 

I can apply the below settings:

application-list - default

av-profile - default

ips-sensor - default

ssl-ssh-profile - deep-inspection

 

However, when I configure:

 

webfilter-profile - default

 

The policy fails to apply with no error, see log below:

 

Starting log (Run on device)
 
 
Start installing
testsr-fortigate $  config firewall policy
testsr-fortigate (policy) $  edit 8
testsr-fortigate (8) $  set ssl-ssh-profile "deep-inspection"
testsr-fortigate (8) $  set webfilter-profile "default"
testsr-fortigate (8) $  next
testsr-fortigate (policy) $  end
 
 
---> generating verification report
(vdom root: firewall policy 8:webfilter-profile)
remote original: 
to be installed: "default"
 
<--- done generating verification report
 
 
 
------- Start to retry --------
 
testsr-fortigate $  config firewall policy
testsr-fortigate (policy) $  edit 8
testsr-fortigate (8) $  set webfilter-profile "default"
testsr-fortigate (8) $  next
testsr-fortigate (policy) $  end
 
 
---> generating verification report
(vdom root: firewall policy 8:webfilter-profile)
remote original: 
to be installed: "default"
 
<--- done generating verification report
 
 
install failed
Best answer by cschmidt-leolabs

I solved this issue by configuring my firewall policy via the FortiManager Policy Package and deploying to the Fortigate that way.

4 replies

sjoshi
Staff
December 5, 2024

Hi,

 

Verify whether the inspection mode on the firewall policy is flow or proxy, and whether the feature set on the webfilter profile is flow or proxy. Make sure they are the same.

Thanks, Salon
cschmidt-leolabs
New Member
December 6, 2024

All policies and profiles are set to Flow already

dingjerry_FTNT
Staff
December 5, 2024

Hi @cschmidt-leolabs ,

 

Also please run the following commands before push:

 

diag debug cli 8

diag debug enable

 

Once you are done with the Push on FMG, disable the debug on FGT:

 

diag debug disable

diag debug cli 3

 

Then please share the outputs for further investigation.

cschmidt-leolabs
New Member
December 7, 2024

I set up the debug messages, but I'm not sure if I can see what the issue is from them...

 

testsr-fortigate # diag debug cli 8
Debug messages will be on for 15 minutes.
testsr-fortigate # diag debug enable
testsr-fortigate #
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get sys status
0: get system central-management
0: get system ip-conflict status
0: get sys status
0: get system central-management
0: get system ip-conflict status
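The `diag debug cli 8` output above is hard to read because the forum ran every entry onto one line, and the poll cycle (`get sys status`, `get system interface`, ...) repeats between the two policy pushes. The parser below is an added example written for this thread; it is not code from the poster or from Fortinet. It assumes only what the posted output shows: each entry has the form `<return code>: <command>`, and entries may be separated by spaces or newlines. It splits the output into (return code, command) pairs, lists the distinct commands that returned a non-zero code, and isolates each `config ... end` transaction that FortiManager pushed so you can see at a glance whether the `set webfilter-profile "default"` commands themselves returned 0. The sample input is an excerpt of the output posted above; the tool does not interpret what `-61` means, because the thread does not say.

```python
"""Parse FortiGate `diagnose debug cli 8` output into (return code, command) pairs.

Added example for this thread, not code from the poster or from Fortinet.
Assumption: each debug entry looks like `<rc>: <command>`, where <rc> is an
integer (possibly negative); entries may be separated by spaces or newlines,
and command text itself never contains a `<digits>: ` token.
"""
import re
from typing import Dict, List, NamedTuple

# Start of an entry: an integer return code followed by ": ", at the start of
# the text or right after whitespace. Anything before the first marker (the
# prompt, the "Debug messages will be on..." banner) is preamble and dropped.
_MARKER = re.compile(r'(?:^|(?<=\s))(-?\d+): ')


class Entry(NamedTuple):
    rc: int
    cmd: str


def parse_cli_debug(text: str) -> List[Entry]:
    """Split debug output into Entry(rc, cmd), even when entries are run together on one line."""
    marks = list(_MARKER.finditer(text))
    entries: List[Entry] = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append(Entry(int(m.group(1)), text[m.end():end].strip()))
    return entries


def failed_commands(entries: List[Entry]) -> List[Entry]:
    """Distinct (rc, cmd) pairs with a non-zero return code, in first-seen order.

    The FortiManager poll cycle repeats the same probes many times, so
    de-duplicating keeps the list short enough to read.
    """
    seen: List[Entry] = []
    for e in entries:
        if e.rc != 0 and e not in seen:
            seen.append(e)
    return seen


def config_transactions(entries: List[Entry]) -> List[List[Entry]]:
    """Group each `config ... end` block pushed by FortiManager into its own list."""
    blocks: List[List[Entry]] = []
    current: List[Entry] = []
    for e in entries:
        if e.cmd.startswith('config '):
            current = [e]          # a new transaction starts; discard any unterminated one
        elif current:
            current.append(e)
            if e.cmd == 'end':
                blocks.append(current)
                current = []
    return blocks


def report(text: str) -> Dict:
    """Summarise a debug capture: entry count, failed probes, and per-transaction status."""
    entries = parse_cli_debug(text)
    return {
        'entries': len(entries),
        'failed': failed_commands(entries),
        'transactions': [
            {'commands': [e.cmd for e in tx], 'clean': all(e.rc == 0 for e in tx)}
            for tx in config_transactions(entries)
        ],
    }


# Excerpt of the output posted in this thread (first push cycle and final probes),
# kept on one line exactly as the forum rendered it.
SAMPLE = (
    'testsr-fortigate # diag debug cli 8 Debug messages will be on for 15 minutes.  '
    'testsr-fortigate # diag debug enable  testsr-fortigate # 0: get sys status '
    '-61: get system auto-scale -61: diag sys ha checksum autoscale-cluster '
    '-61: diag sys ha autoscale-peers 0: get system interface '
    '0: get system interface physical 0: get hardware status 0: get mgmt-data status '
    '0: diagnose test update info contract 0: get system mgmt-csum '
    '0: config firewall policy 0: edit 8 0: set webfilter-profile "default" 0: next 0: end '
    '0: get sys status 0: get system central-management 0: get system ip-conflict status'
)

if __name__ == '__main__':
    r = report(SAMPLE)
    print(f"{r['entries']} entries")
    for e in r['failed']:
        print(f"  rc={e.rc:>4}  {e.cmd}")
    for tx in r['transactions']:
        status = 'all rc=0' if tx['clean'] else 'NON-ZERO rc inside'
        print(f"transaction ({status}): {' | '.join(tx['commands'])}")
```

Run it against a full capture (for example `python3 parse_debug.py < capture.txt` after swapping `SAMPLE` for `sys.stdin.read()`) to get the failed probes and each pushed transaction on separate lines instead of hunting through the wall of text. On the excerpt above it shows that the only non-zero codes belong to the auto-scale and HA probes, and that every command in the `config firewall policy` transaction returned 0, which matches what the thread observes: the push itself reports no error on the FortiGate side.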

 

HarshChavda
Staff
December 5, 2024

Hello 

 

Can you confirm that the default web filter profile exists on the FortiGate and is synced with FortiManager? Also check that it is in the correct VDOM.

cschmidt-leolabs
New Member
December 7, 2024

They look the same, but I have more profiles in FortiManager than I do on the FortiGate.

I am not using any VDOMs

cschmidt-leolabs
New Member
December 12, 2024

I solved this issue by configuring my firewall policy via the FortiManager Policy Package and deploying to the Fortigate that way.