ydong01
Staff

Description
This article describes how to fix FortiManager Copy Failed issue with Invalid extintf for Dynamic VIP.

FortiManager handles Dynamic VIPs differently in newer versions. In older versions, when a VIP is defined, the external interface setting appears only in the per-device settings, not in the global settings. Newer versions expose an external interface setting in both the global settings and the per-device settings. After a device is imported, some VIPs become Dynamic VIPs. Pushing an existing policy to a new FortiGate can then fail with '(errcode)-2 – firewall vip x.x.x.x: invalid extintf', without naming a specific interface.

Fixing the issue involves checking the Dynamic VIP, verifying that the global settings match the per-device settings, and disabling the per-device mapping.


Solution
1) Pushing a policy in FortiManager causes 'copy failed' and '(errcode)-2 – firewall vip x.x.x.x: invalid extintf'.

2) Use exec fmpolicy print-adom-object to compare the global settings with the per-device mapping:


exec fmpolicy print-adom-object 133 173 vip4
Dump object [vip4] of category [firewall vip] in adom [FGT5-2]:
---------------
config firewall vip
    edit "vip4"
        set uuid c258bea4-97b3-51e9-07f4-74a9dbb8c420
        set extip 10.56.240.153
        set mappedip "10.173.0.153"
config dynamic_mapping
    edit "Skywalker-kvm68"-"root"
        set extintf "any"
        set extip 10.56.240.153
        set mappedip 10.173.0.153
        set uuid ac721886-97b5-51e9-61ff-0e8275cbc020

3) Disable the per-device mapping.


exec fmpolicy print-adom-object 133 173 vip4
Dump object [vip3] of category [firewall vip] in adom [FGT5-2]:
---------------
config firewall vip
    edit "vip4"
        set uuid b89b3266-97b3-51e9-bf1a-e771d09ad58a
        set extip 10.56.240.153
        set extintf "any"
        set mappedip "10.173.0.153"

4) Policy push succeeds.


Disabling per-device mapping fixes the issue.
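The comparison in step 2 can be scripted before a push. The following Python is an added example, not Fortinet's code or part of this article: it parses a print-adom-object dump (the embedded sample is the step 2 output above) and reports every field where a per-device mapping diverges from the global VIP, which is the mismatch that surfaces as 'invalid extintf'.

```python
from typing import List

# Constructed sample: the step-2 dump from this article, with the indentation
# FortiManager prints (no trailing next/end lines, exactly as shown above).
SAMPLE_DUMP = """\
config firewall vip
    edit "vip4"
        set uuid c258bea4-97b3-51e9-07f4-74a9dbb8c420
        set extip 10.56.240.153
        set mappedip "10.173.0.153"
config dynamic_mapping
    edit "Skywalker-kvm68"-"root"
        set extintf "any"
        set extip 10.56.240.153
        set mappedip 10.173.0.153
        set uuid ac721886-97b5-51e9-61ff-0e8275cbc020
"""

# Fields that must agree between the global object and each per-device
# mapping; uuid legitimately differs per mapping, so it is not compared.
COMPARED_FIELDS = ("extintf", "extip", "mappedip")

def parse_vip_dump(text: str) -> dict:
    """Split a print-adom-object dump into the global VIP and its dynamic mappings."""
    result = {"name": None, "global": {}, "mappings": {}}
    target = None          # dict that receives the following 'set' lines
    in_mapping = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall vip":
            in_mapping = False
        elif line == "config dynamic_mapping":
            in_mapping = True
        elif line.startswith("edit "):
            key = line[5:].replace('"', "")   # "dev"-"vdom" -> dev-vdom
            if in_mapping:
                target = result["mappings"].setdefault(key, {})
            else:
                result["name"] = key
                target = result["global"]
        elif line.startswith("set ") and target is not None:
            field, _, value = line[4:].partition(" ")
            target[field] = value.strip('"')
    return result

def check_vip(vip: dict) -> List[str]:
    """Return one finding per field where a per-device mapping diverges from global."""
    findings = []
    for device, mapping in vip["mappings"].items():
        for field in COMPARED_FIELDS:
            g, d = vip["global"].get(field), mapping.get(field)
            if g != d:
                findings.append(f"{vip['name']} @ {device}: {field} global={g!r} device={d!r}")
    return findings
```

Run check_vip(parse_vip_dump(SAMPLE_DUMP)) against each Dynamic VIP before pushing; an empty list means the global object and every mapping agree, which is the state step 3 produces.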
