Gbarnes619
New Member
January 10, 2013
Question

Fortigate 50B not accepting dstaddr for firewall policy

Hi all, I had to resort to reaching out here as I cannot seem to determine what the problem is. I have set up a firewall object-VIP and am attempting to set up the Firewall Policy, but every time I make the entry it does not have my VIP in the dstaddr field of the policy.

When I attempted to do it via CLI, it errored out with:

    commands.c:3952 cmf_query_table_delete() error
    Command fail. Return code -1

The command I attempted was:

    config firewall policy
        edit 11
            set dstaddr XXXXX
        edit 11
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "any"
            set dstaddr ""
            set action accept
            set schedule "always"
            set service "SSH"
            set logtraffic enable
            set nat enable
        next

Can someone explain what is happening and why I can't set the dstaddr?

Thanks in advance,
-Greg


    rwpatterson
    New Member
    January 10, 2013
    Welcome to the forums. Make sure the interface on the VIP definition is the same as the SOURCE interface in the policy. (Been there, pulled out many a hair myself...)
    Gbarnes619
    New Member
    January 10, 2013
    It is the same. I even tried cloning an identical Policy and replacing the destination addr with the new one but it won't take it. When I right click on the destination in the gui, and change it to the proper one, it says "Invalid length of value." Every single thing is the same as the identical policy. Soooooo confused.
    rwpatterson
    New Member
    January 10, 2013
    From the CLI, please get the following:
      # show firewall policy <policy_number>
      # show firewall vip "<VIP name here>"
    Obfuscate any IP addresses or names you don't want public.
    Gbarnes619
    New Member
    January 10, 2013
    config firewall policy
        edit 11
            set srcintf "YYYY"
            set dstintf "internal"
            set srcaddr "any"
            set dstaddr ""
            set action accept
            set schedule "always"
            set service "SSH"
            set logtraffic enable
            set nat enable
        next
    end
    config firewall vip
        edit "XYXYXYXYX"
            set extip XXX.XXX.XXX.XXX
            set extintf "YYYY"
            set portforward enable
            set mappedip XXX.XXX.XXX.XXX
            set extport XXXX
            set mappedport XX
        next
    end
    rwpatterson
    New Member
    January 10, 2013
    One thing, the source address needs to map to the VIP, not the destination as I posted above. Below is a working config from my firewall:
    config firewall vip
        edit "vIP-Web server"
            set extintf "wan1"
            set portforward enable
            set mappedip 192.168.39.142
            set extport 5190
            set mappedport 5190
        next
    end
    config firewall policy
        edit 309
            set srcintf "wan1"
            set dstintf "dmz"
            set srcaddr "all"
            set dstaddr "vIP-Web server"
            set action accept
            set schedule "always"
            set service "AOL"
        next
    end
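Added example, not code from the thread or from Fortinet: a small Python checker for the rule rwpatterson gives above, that the interface on the VIP definition (extintf) must match the source interface (srcintf) of any policy that uses the VIP as dstaddr. The sample config is constructed in FortiGate CLI style; treating a VIP with no extintf as "any" is an assumption.

```python
import shlex
# Constructed sample (not from the thread); policy 310 references a VIP whose
# extintf (wan2) differs from the policy srcintf (wan1).
SAMPLE_CONFIG = """
config firewall vip
    edit "vIP-Web"
        set extintf "wan1"
    next
    edit "vIP-SSH"
        set extintf "wan2"
    next
end
config firewall policy
    edit 309
        set srcintf "wan1"
        set dstaddr "vIP-Web"
    next
    edit 310
        set srcintf "wan1"
        set dstaddr "vIP-SSH"
    next
end
"""
def parse_config(text):
    """Parse config/edit/set/next/end lines into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for words in filter(None, map(shlex.split, text.splitlines())):  # shlex handles quoted names
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit" and table is not None:
            entry = table.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]  # multi-value fields such as dstaddr keep every value
        elif words[0] == "next":
            entry = None
        elif words[0] == "end":
            table = entry = None
    return tables

def vip_interface_mismatches(tables):
    """Return (policy_id, vip, policy_srcintf, vip_extintf) for each VIP reference whose interfaces differ."""
    vips, out = tables.get("firewall vip", {}), []
    for pid, pol in tables.get("firewall policy", {}).items():
        for dst in pol.get("dstaddr", []):
            if dst in vips:
                extintf = vips[dst].get("extintf", ["any"])[0]  # assumption: no extintf means "any"
                srcintf = pol.get("srcintf", [""])[0]
                if extintf not in ("any", srcintf):
                    out.append((pid, dst, srcintf, extintf))
    return out
```

Feed it the output of `show firewall vip` and `show firewall policy` to list every policy whose VIP is bound to a different interface than the policy's source interface.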
    rwpatterson
    New Member
    January 10, 2013
    From what you posted, nothing stands out. 3 more questions:
      1) What firmware version is the firewall running?
      2) How long (in digits) is the VIP name?
      3) Are there any spaces in the VIP name?
    Added: Since I don't have an outside IP mapping in my definition, is the IP address of the VIP on the subnet of the external interface?
    rwpatterson
    New Member
    January 10, 2013
    Looking at what you first posted, I don't believe you can do the entire sequence in one pass....
      config firewall policy edit 11 set dstaddr XXXXX
    Try instead:
      FGT # config firewall policy
      FGT policy # edit 11
      FGT (11) # set dstaddr XXXXX
      FGT (11) # end
      FGT # end
    Gbarnes619
    New Member
    January 10, 2013
    All my configs are identical to yours except it will not accept the dstaddr in my config. Talk about pulling my hair out.... And I don't have any.
    Gbarnes619
    New Member
    January 10, 2013
    Yeah, I did it in steps as you indicated. That is when I got the initial error I posted.
    Gbarnes619
    New Member
    January 10, 2013
      config firewall policy
      (policy) # edit 11
      (11) # set dstaddr XXXXX
      commands.c:3952 cmf_query_table_delete() error
      Command fail. Return code -1
      (11) #
    rwpatterson
    New Member
    January 10, 2013
    What's the firmware version?
    Gbarnes619
    New Member
    January 10, 2013
    v4.0,build0496,111108 (MR3 Patch 3)
    rwpatterson
    New Member
    January 10, 2013
    Is the VIP name longer than about 16 characters? Does it have spaces embedded within?
    Gbarnes619
    New Member
    January 10, 2013
    8 Characters, No spaces.
    rwpatterson
    New Member
    January 10, 2013
    The only thing I can think of is corrupt code. Have you tried upgrading to a later more stable version of code? Also, how long has that box been running? A reboot may enable you to make the change if the unit has been stressed for a long time.
    Gbarnes619
    New Member
    January 10, 2013
    Box uptime is 269 days. I haven't upgraded recently, no. I'll try a reboot.
    rwpatterson
    New Member
    January 10, 2013
    That would be the easiest thing to try.