FortiGate
asostizzo_FTNT
Article Id 192862

Description

When a FortiGate's Security Policies are imported into FortiManager as a Policy Package (PP) and some of them fail to import, the PP does not contain those policies. If the administrator later edits the PP and installs it back on the FortiGate, the install pushes the PP's incomplete policy set and the policies that were never imported are removed from the FortiGate.

To prevent this, download and review the Import Report when running the "Import Policy" wizard, and check it for FAIL entries before making changes to the PP or installing it.


If not all of the Security Policies were imported, the report contains lines such as the following:
"firewall policy",FAIL,"(name=ID:119 (#2), oid=1549, reason=interface(interface binding contradiction. detail: any<-port10) binding fail)"
"firewall policy",FAIL,"(name=ID:100 (#3), oid=1550, reason=interface(interface binding contradiction. detail: port40<-any) binding fail)"
"firewall policy",FAIL,"(name=ID:175 (#26), oid=1573, reason=interface(interface binding contradiction. detail: V350_MPLS<-port10) binding fail)"

Each of these entries indicates that an address object referenced by the listed policy already exists in the FortiManager database with a different interface association, so that policy was skipped and is absent from the PP.

For example:
"firewall policy",FAIL,"(name=ID:XXX (#2), oid=1549, reason=interface(interface binding contradiction. detail: YYY<-ZZZ) binding fail)"

where

XXX = Policy ID
YYY = Current Interface associated with the Address Object in FortiManager's database
ZZZ = Interface associated with the Address Object used by the Security Policy being imported

In this example, the policy fails to import because the interface associated with the Address Object on the FortiGate (ZZZ) contradicts the interface recorded for the object of the same name in FortiManager (YYY).
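As an added example (not part of the original article and not Fortinet tooling), the following Python script parses the three failure lines shown above, extracts the policy ID and the YYY/ZZZ interface pair from each, and then looks up which address object referenced by the failed policy carries that binding. It also applies the decision from the Solution section (same specifications: set the interface association to 'any'; different specifications: rename the object on the FortiGate). The FortiGate policy and address tables and the FortiManager object table are constructed sample data, and all function and variable names are the example's own.

```python
"""Triage 'Import Policy' report failures caused by address-object interface
binding conflicts.

Added example, not Fortinet code. The three REPORT lines are copied from the
Import Report shown in the article; every inventory table below is constructed
sample data, and all function names are this example's own.
"""
import re
from dataclasses import dataclass

# Failure lines from the article's Import Report.
REPORT = [
    '"firewall policy",FAIL,"(name=ID:119 (#2), oid=1549, reason=interface(interface binding contradiction. detail: any<-port10) binding fail)"',
    '"firewall policy",FAIL,"(name=ID:100 (#3), oid=1550, reason=interface(interface binding contradiction. detail: port40<-any) binding fail)"',
    '"firewall policy",FAIL,"(name=ID:175 (#26), oid=1573, reason=interface(interface binding contradiction. detail: V350_MPLS<-port10) binding fail)"',
]

# Matches the failure line format: XXX = policy ID, YYY = interface on the object
# already in the FortiManager DB, ZZZ = interface on the imported policy's object.
FAIL_RE = re.compile(
    r'"firewall policy",FAIL,"\(name=ID:(?P<policy>\d+) \(#\d+\), oid=(?P<oid>\d+), '
    r'reason=interface\(interface binding contradiction\. detail: '
    r'(?P<fmg_intf>[^<]+)<-(?P<fgt_intf>[^)]+)\) binding fail\)"'
)

@dataclass(frozen=True)
class Conflict:
    policy_id: int
    oid: int
    fmg_intf: str  # YYY
    fgt_intf: str  # ZZZ

def parse_report(lines):
    """Return one Conflict per 'interface binding contradiction' FAIL line."""
    out = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            out.append(Conflict(int(m["policy"]), int(m["oid"]),
                                m["fmg_intf"].strip(), m["fgt_intf"].strip()))
    return out

# Constructed FortiGate snapshot: policy ID -> address objects it references,
# and address object -> (subnet, associated-interface).
FGT_POLICY_ADDRS = {119: ["Srv_DB", "all"], 100: ["all", "Branch_LAN"], 175: ["MPLS_Peer", "all"]}
FGT_ADDRESSES = {
    "Srv_DB":     ("10.10.10.5/32",   "port10"),
    "Branch_LAN": ("192.168.50.0/24", "any"),
    "MPLS_Peer":  ("172.16.1.0/24",   "port10"),
    "all":        ("0.0.0.0/0",       "any"),
}
# Constructed FortiManager database: same names, but three objects carry a
# different interface binding and one of them also has a different subnet.
FMG_ADDRESSES = {
    "Srv_DB":     ("10.10.10.5/32",   "any"),
    "Branch_LAN": ("192.168.60.0/24", "port40"),
    "MPLS_Peer":  ("172.16.1.0/24",   "V350_MPLS"),
    "all":        ("0.0.0.0/0",       "any"),
}

def conflicting_objects(c, policy_addrs, fgt_addrs, fmg_addrs):
    """Address objects in the failed policy whose binding is ZZZ on the FortiGate
    but YYY in the FortiManager DB; objects that agree on both sides are skipped."""
    hits = []
    for name in policy_addrs.get(c.policy_id, []):
        if name not in fgt_addrs or name not in fmg_addrs:
            continue
        fgt_if, fmg_if = fgt_addrs[name][1], fmg_addrs[name][1]
        if fgt_if != fmg_if and fgt_if == c.fgt_intf and fmg_if == c.fmg_intf:
            hits.append(name)
    return hits

def remediation(name, fgt_addrs, fmg_addrs, always_rename=False):
    """Solution options: 1) same specs -> set interface association to 'any';
    2) different specs -> rename on the FortiGate; 3) always rename."""
    if always_rename or fgt_addrs[name][0] != fmg_addrs[name][0]:
        return "rename-on-fortigate"
    return "set-interface-any"

def triage(report_lines, policy_addrs=FGT_POLICY_ADDRS,
           fgt_addrs=FGT_ADDRESSES, fmg_addrs=FMG_ADDRESSES, always_rename=False):
    """Map each conflicting object name to (policy ID, YYY, ZZZ, action)."""
    plan = {}
    for c in parse_report(report_lines):
        for name in conflicting_objects(c, policy_addrs, fgt_addrs, fmg_addrs):
            plan[name] = (c.policy_id, c.fmg_intf, c.fgt_intf,
                          remediation(name, fgt_addrs, fmg_addrs, always_rename))
    return plan

if __name__ == "__main__":
    failed = sorted({c.policy_id for c in parse_report(REPORT)})
    print(f"policies missing from the PP: {failed}")
    for name, (pid, yyy, zzz, action) in triage(REPORT).items():
        print(f"policy {pid}: {name} FMG={yyy} FGT={zzz} -> {action}")
```

The set of policy IDs returned by parse_report is exactly the set that will be absent from the PP, so it doubles as the checklist to compare against the FortiGate's policy table before the PP is installed. The object lookup deliberately ignores objects such as "all" whose binding is identical on both sides, so only the objects that actually caused the contradiction are reported.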


Solution

After identifying the Address Object(s) with the conflict, resolve it with one of the following options, then run the Import Policy wizard again and confirm in the Import Report that the policies no longer fail:

1. If the objects have the same specifications, change the interface association of the objects with the same name to 'any'.

2. If the object specifications differ (for example, IP address/mask), rename the object on the respective FortiGate(s) so that it no longer collides with the object already in FortiManager.

3. Alternatively, rename the object regardless of whether its specifications differ.
 

 
