Fortimanager cannot install policy with VIP

Forum|Forum|13 years ago
October 13, 2012
3 replies
8340 views

When attempting to add a VIP to the configuration, FortiManager barfs on validating the policy. The status shows " Copy Failed" and the logs shows this at the end: config firewall vip edit <name of VIP> set type static-nat set extip <external ip> set extintf " InternetZone" set mappedip <Internal ip> set portforward enable set protocol tcp set extport 4430 set mappedport 443 set ldb-method static set max-embryonic-connections 1000 set http-multiplex disable set http-ip-header enable set ssl-dh-bits 1024 set ssl-min-version ssl-3.0 set ssl-max-version tls-1.1 set ssl-send-empty-frags enable set ssl-client-session-state-type both set ssl-client-session-state-timeout 30 set ssl-client-session-state-max 1000 set ssl-server-session-state-type both set ssl-server-session-state-timeout 60 set ssl-server-session-state-max 100 set ssl-http-location-conversion disable set ssl-http-match-host disable set id 0 set arp-reply enable set nat-source-vip disable set gratuitous-arp-interval 0 set persistence none set http-cookie-generation 0 set http-cookie-age 60 set http-cookie-share same-ip set outlook-web-access disable set https-cookie-secure disable set ssl-mode half set ssl-client-renegotiation allow set color 0 set http-cookie-domain-from-host disable set ssl-algorithm high set ssl-pfs allow ==> invalid value Any Ideas? It' s FortiManager 4.0 MR3patch6 FortiGate 4.0 MR3patch10 on a FortiGate 100-D There is no problem adding the configuration on the device itself, but once the policy is imported to the FortiManager, it will not install onto the FortiGate.

scao_FTNT

Staff

since I did not see the full FMG db config, I am not 100% sure, but most possible reason is the policy is using the zone interface (has multiple interface mapped in device level) and using a VIP configured with zone this is currently not supported on FMG since VIP need to be for interface and a workaound is to use any interface VIP for zone policy Thanks Simon

snowman386

New Member

I do not understand why this is not possible. I always create a zone for everything so if I later need to add another interface, I do not have to redo all the firewall policies, etc. In the fortigate, an interface can belong to a zone and you can also use the same interface for a VIP. Just change the fortimanager to let you select an interface! I dont see myself needing to use the same VIP on multiple fortigates because the IPs would be different anyway. Fortimanager is the most frustrating product I have used in a long time. 5.0.1 is a real nightmare for this as now they do not let you even mix single and multiple interfaces in a global zone. It makes copying policies, etc useless between firewalls with different interface counts. 5.0.0 at least let you map a single interface to a global zone without the single interface zone box checked but it had other issues which prevented us from using it. Now 5.0.1 fixes those issues but breaks way more basic functionality.

snowman386

New Member

Dent, I was able to figure out the solution thanks to fortinet support. You must change your VIPs to use the ANY interface if the source interface is currently a fortimanager zone member. Doing this cause some issues with our LAN users accessing DMZ and internal resources using the VIP' s external IP which took me a bit to figure out. To get that to work, you have to create a firewall policy with the client zone as the source and the VIP destination as the destination zone. The destination address must be the VIP address object. Using ANY will not work.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded