Skip to main content
renzanjopcaparas
renzanjopcaparas
Visitor III
March 16, 2026
Question

Unknown change blocking my Installation

  • March 16, 2026
  • 2 replies
  • 271 views

Hi Fortinet community,

 

Good day and greetings! I would like to seek for your kind advise and suggestions.

 

I have this pending changes on my managed fortigate and everytime I try to install it, it's giving me error.

I cannot locate and track these policies.

 

 
++++++++++++++++++++++++++++++
Starting log (Run on device)
 
 
Start installing
FIREWALL-1 $  config vdom
FIREWALL-1 (vdom) $  edit root
current vf=root:0
FIREWALL-1 (root) $  config firewall policy
FIREWALL-1 (policy) $  edit 1
FIREWALL-1 (1) $  set uuid aaaaaaaaa
FIREWALL-1 (1) $  unset action
FIREWALL-1 (1) $  unset srcintf
FIREWALL-1 (1) $  unset dstintf
FIREWALL-1 (1) $  unset srcaddr
FIREWALL-1 (1) $  unset dstaddr
FIREWALL-1 (1) $  unset schedule
FIREWALL-1 (1) $  unset service
The attribute can't be empty!
command_cli_unset:6496 clear MEMBER table oper error. ret=-56
Command fail. Return code -56
FIREWALL-1 (1) $  unset utm-status
FIREWALL-1 (1) $  unset ssl-ssh-profile
FIREWALL-1 (1) $  unset av-profile
FIREWALL-1 (1) $  unset webfilter-profile
FIREWALL-1 (1) $  unset ips-sensor
FIREWALL-1 (1) $  unset application-list
FIREWALL-1 (1) $  next
Attribute 'srcintf' MUST be set.
Command fail. Return code 1
FIREWALL-1 (policy) $  edit 2
FIREWALL-1 (2) $  set uuid bbbbbbbbbbbbb
FIREWALL-1 (2) $  unset action
FIREWALL-1 (2) $  unset srcintf
FIREWALL-1 (2) $  unset dstintf
FIREWALL-1 (2) $  unset srcaddr
FIREWALL-1 (2) $  unset dstaddr
FIREWALL-1 (2) $  unset schedule
FIREWALL-1 (2) $  unset service
The attribute can't be empty!
command_cli_unset:6496 clear MEMBER table oper error. ret=-56
Command fail. Return code -56
FIREWALL-1 (2) $  unset utm-status
FIREWALL-1 (2) $  unset ssl-ssh-profile
FIREWALL-1 (2) $  unset av-profile
FIREWALL-1 (2) $  unset webfilter-profile
FIREWALL-1 (2) $  unset ips-sensor
FIREWALL-1 (2) $  unset application-list
FIREWALL-1 (2) $  next
Attribute 'srcintf' MUST be set.
Command fail. Return code 1
FIREWALL-1 (policy) $  end
FIREWALL-1 (root) $  end
 
 
---> generating verification report
(vdom root: firewall policy 1:uuid)
remote original: ccccccccccccccc
to be installed: aaaaaaaaa
 
(vdom root: firewall policy 1:action)
remote original: accept
to be installed: 
 
(vdom root: firewall policy 1:srcintf)
remote original: "vw1"
to be installed: 
 
(vdom root: firewall policy 1:dstintf)
remote original: "vw2"
to be installed: 
 
(vdom root: firewall policy 1:srcaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 1:dstaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 1:schedule)
remote original: "always"
to be installed: 
 
(vdom root: firewall policy 1:service)
remote original: "ALL"
to be installed: 
 
(vdom root: firewall policy 1:utm-status)
remote original: enable
to be installed: 
 
(vdom root: firewall policy 1:ssl-ssh-profile)
remote original: "certificate-inspection"
to be installed: 
 
(vdom root: firewall policy 1:av-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 1:webfilter-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 1:ips-sensor)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 1:application-list)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:uuid)
remote original: dddddddddddddd
to be installed: bbbbbbbbbbbbb
 
(vdom root: firewall policy 2:action)
remote original: accept
to be installed: 
 
(vdom root: firewall policy 2:srcintf)
remote original: "vw2"
to be installed: 
 
(vdom root: firewall policy 2:dstintf)
remote original: "vw1"
to be installed: 
 
(vdom root: firewall policy 2:srcaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 2:dstaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 2:schedule)
remote original: "always"
to be installed: 
 
(vdom root: firewall policy 2:service)
remote original: "ALL"
to be installed: 
 
(vdom root: firewall policy 2:utm-status)
remote original: enable
to be installed: 
 
(vdom root: firewall policy 2:ssl-ssh-profile)
remote original: "certificate-inspection"
to be installed: 
 
(vdom root: firewall policy 2:av-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:webfilter-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:ips-sensor)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:application-list)
remote original: "g-default"
to be installed: 
 
<--- done generating verification report
 
 
 
------- Start to retry --------
 
FIREWALL-1 $  config vdom
FIREWALL-1 (vdom) $  edit root
current vf=root:0
FIREWALL-1 (root) $  config firewall policy
FIREWALL-1 (policy) $  edit 1
FIREWALL-1 (1) $  set uuid aaaaaaaaa
FIREWALL-1 (1) $  unset action
FIREWALL-1 (1) $  unset srcintf
FIREWALL-1 (1) $  unset dstintf
FIREWALL-1 (1) $  unset srcaddr
FIREWALL-1 (1) $  unset dstaddr
FIREWALL-1 (1) $  unset schedule
FIREWALL-1 (1) $  unset service
The attribute can't be empty!
command_cli_unset:6496 clear MEMBER table oper error. ret=-56
Command fail. Return code -56
FIREWALL-1 (1) $  unset utm-status
FIREWALL-1 (1) $  unset ssl-ssh-profile
FIREWALL-1 (1) $  unset av-profile
FIREWALL-1 (1) $  unset webfilter-profile
FIREWALL-1 (1) $  unset ips-sensor
FIREWALL-1 (1) $  unset application-list
FIREWALL-1 (1) $  next
Attribute 'srcintf' MUST be set.
Command fail. Return code 1
FIREWALL-1 (policy) $  edit 2
FIREWALL-1 (2) $  set uuid bbbbbbbbbbbbb
FIREWALL-1 (2) $  unset action
FIREWALL-1 (2) $  unset srcintf
FIREWALL-1 (2) $  unset dstintf
FIREWALL-1 (2) $  unset srcaddr
FIREWALL-1 (2) $  unset dstaddr
FIREWALL-1 (2) $  unset schedule
FIREWALL-1 (2) $  unset service
The attribute can't be empty!
command_cli_unset:6496 clear MEMBER table oper error. ret=-56
Command fail. Return code -56
FIREWALL-1 (2) $  unset utm-status
FIREWALL-1 (2) $  unset ssl-ssh-profile
FIREWALL-1 (2) $  unset av-profile
FIREWALL-1 (2) $  unset webfilter-profile
FIREWALL-1 (2) $  unset ips-sensor
FIREWALL-1 (2) $  unset application-list
FIREWALL-1 (2) $  next
Attribute 'srcintf' MUST be set.
Command fail. Return code 1
FIREWALL-1 (policy) $  end
FIREWALL-1 (root) $  end
 
 
---> generating verification report
(vdom root: firewall policy 1:uuid)
remote original: ccccccccccccccc
to be installed: aaaaaaaaa
 
(vdom root: firewall policy 1:action)
remote original: accept
to be installed: 
 
(vdom root: firewall policy 1:srcintf)
remote original: "vw1"
to be installed: 
 
(vdom root: firewall policy 1:dstintf)
remote original: "vw2"
to be installed: 
 
(vdom root: firewall policy 1:srcaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 1:dstaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 1:schedule)
remote original: "always"
to be installed: 
 
(vdom root: firewall policy 1:service)
remote original: "ALL"
to be installed: 
 
(vdom root: firewall policy 1:utm-status)
remote original: enable
to be installed: 
 
(vdom root: firewall policy 1:ssl-ssh-profile)
remote original: "certificate-inspection"
to be installed: 
 
(vdom root: firewall policy 1:av-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 1:webfilter-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 1:ips-sensor)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 1:application-list)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:uuid)
remote original: dddddddddddddd
to be installed: bbbbbbbbbbbbb
 
(vdom root: firewall policy 2:action)
remote original: accept
to be installed: 
 
(vdom root: firewall policy 2:srcintf)
remote original: "vw2"
to be installed: 
 
(vdom root: firewall policy 2:dstintf)
remote original: "vw1"
to be installed: 
 
(vdom root: firewall policy 2:srcaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 2:dstaddr)
remote original: "all"
to be installed: 
 
(vdom root: firewall policy 2:schedule)
remote original: "always"
to be installed: 
 
(vdom root: firewall policy 2:service)
remote original: "ALL"
to be installed: 
 
(vdom root: firewall policy 2:utm-status)
remote original: enable
to be installed: 
 
(vdom root: firewall policy 2:ssl-ssh-profile)
remote original: "certificate-inspection"
to be installed: 
 
(vdom root: firewall policy 2:av-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:webfilter-profile)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:ips-sensor)
remote original: "g-default"
to be installed: 
 
(vdom root: firewall policy 2:application-list)
remote original: "g-default"
to be installed: 
 
<--- done generating verification report
 
 
install failed

+++++++++++++++

 

Most of the error on the installation is this 

The attribute can't be empty!
command_cli_unset:6496 clear MEMBER table oper error. ret=-56

 

May I ask for help?

 

2 replies

funkylicious
SuperUser
funkylicious
SuperUser
March 16, 2026

have you tried importing the config from the FGT again into FMG and see what happens?

maybe at some points some interfaces were deleted locally on the FGT and the changes never been imported into FMG.

"jack of all trades, master of none"
farhanahmed
Staff
farhanahmed
Staff
March 16, 2026

@renzanjopcaparas 
What is the firmware version of FMG ?

The error: 
         The attribute can't be empty!
         command_cli_unset:6496 clear MEMBER table oper error. ret=-56

Does this show up after the "unset service" command ?

Share the actual log (redact private info).

- Make sure you are running FMG v7.4.10 or v7.6.6.
- And as 'funkylicious' stated, try Importing Config to update policy package and see if that resolves the issue.

renzanjopcaparas
renzanjopcaparasAuthor
Visitor III
March 19, 2026

Hi @farhanahmed , Yes, it shows up after the unset command. 

 

My FMG is 7.6.6

farhanahmed
Staff
farhanahmed
Staff
March 19, 2026

There was an earlier bug about this - with FGT 7.0 - but was fixed in FMG v7.6.3.
I would suggest to open a ticket and let TAC check the issue... probably some regression of old bug.

Terms & ConditionsAccessibility statement