dbeitler
Visitor III
January 15, 2025
Solved

Why does FortiManager require name resolution when creating a subnet address


Looked at the admin guide, and the example it shows is www.google.com (as a subnet object???)

Need to add a simple subnet object like "192.168.0.0/16".  Is this possible?

I have many address objects of type Subnet, that were created in a FortiGate before FortiManager came along. 

 

When trying to add in FortiManager, it clears the subnet address I try to add within IP/Netmask and then says "Invalid IP address"

Does FortiManager have a different concept of a subnet address object than the FortiGate does?

I know I can add an IP range (probably), but that means I have to go through and edit "all" of the existing definitions.

 

In the FortiGate, when adding a subnet object, I can name it something like "sn-bob" and it does (or at least did not previously) require that it resolve to anything.

 

I'm hoping that I am missing something stupid.

 

    Best answer by dingjerry_FTNT

    Thank you, @dbeitler .

     

    I can reproduce this issue in my lab FMG 7.2.8.

     

    And I have found an existing Mantis for this issue: 1069285. This bug is for the FMG 7.2 train only.

     

    The fix is included in FMG 7.2.10 or later.

    5 replies

    dingjerry_FTNT
    Staff
    January 15, 2025

    Hi @dbeitler ,

     

    1) Please provide the link to the admin guide containing the example with "www.google.com" that you are talking about;

    2) There is no such thing as a subnet object. I guess you are talking about address objects with subnet type. If so, "www.google.com" must be the name of the address object with the type of "subnet":

     

    [Screenshot: dingjerry_FTNT_0-1736964954990.png]

    If so, you may use anything you want for the name.   But I would admit that it is not a good example to use "www.google.com" as the name for the "192.168.0.0/16" subnet.

     

    3)  "Invalid IP address"

    Can you provide a screenshot at least?

    4) "Does FortiManager have a different concept of a subnet address object than the FortiGate does?"

    FMG does follow the same concepts as FortiOS; otherwise, it would cause a major issue for the FortiGate.

     

    5) "In the FortiGate, when adding a subnet object, I can name it something like "sn-bob" and it does (or at least did not previously) require that it resolve to anything."

     

    Again, there is no so-called subnet object. If you are talking about the Subnet type of an address object, no, we do not require it to be resolved to anything.   

     

    Please provide a screenshot as well.

    dingjerry_FTNT
    Staff
    January 15, 2025

    We will resolve the FQDN only.

     

    [Screenshot: dingjerry_FTNT_0-1736965365077.png]

    For example, the above screenshot shows an address object with FQDN type.

     

    It will resolve "docs.google.com", not "www.google.com".

    dbeitler
    Author
    Visitor III
    January 15, 2025

    [Screenshot: subnet.png]

    And yes, I am referring to address objects of type subnet.

    dingjerry_FTNT
    Staff
    January 15, 2025

    Hi @dbeitler ,

     

    1) Where did you capture the screenshot?  FGT or FMG?

    2) The "resolve from name" does not mean you HAVE TO resolve the name.  It is a convenient way for you to get the value of the IP if the name is resolvable. Like the floating tips said, the name must be a valid FQDN.

    Once it is resolved, absolutely you can modify it as needed. And of course you can still keep it, but at least you have to add a network mask.

    dbeitler
    Author
    Visitor III
    January 15, 2025

    This was in Policy & Objects, Object Configurations, Firewall Objects, Addresses, Create New, Address

    When I tab out of the IP/Netmask section, it clears it, and proclaims "Invalid address"

    dingjerry_FTNT
    Staff
    January 15, 2025

    Hi @dbeitler ,

     

    What is the firmware version of your FMG?  And it is still better to provide a screenshot.

    dbeitler
    Author
    Visitor III
    January 15, 2025

    Does the same if I edit an existing one.  If I tweak the IP/Netmask field, then tab out. Same result.

    dbeitler
    Author
    Visitor III
    January 15, 2025

    haha.  I knew it was something simple.

    If I add a subnet in IP/Netmask, then with the mouse, go to another section, comments for example, it retains what I enter.

    If I add a subnet in IP/Netmask, then tab down, it passes by and apparently auto-selects "Resolve from name"

    Is that a bug, or a feature?

    dingjerry_FTNT
    Staff
    January 15, 2025

    Hi @dbeitler ,

     

    "If I add a subnet in IP/Netmask, then tab down, it passes by and apparently auto-selects "Resolve from name" "

     

    I am a little bit confused by this.  Do you mean:

     

    1) You entered the value for the IP/Netmask field

    2) You pressed the "Tab" key, and the focus would move to "Resolve from name"

     

    If so, this is programming stuff. If you keep pressing Tab, the focus will move to Comment later.

     

    If the above is not your case, please provide more info, like the steps I described.