Description
When FortiGate's Security Policies are imported incompletely into FortiManager as a Policy Package (PP), the administrator may inadvertently remove the Security Policies from the FortiGate when making changes and installing the PP back on the FortiGate.
To prevent this scenario, download and review the Import Report when running the "Import Policy" wizard.
If not all of the Security Policies were imported, the report contains log lines such as the following:
"firewall policy",FAIL,"(name=ID:119 (#2), oid=1549, reason=interface(interface binding contradiction. detail: any<-port10) binding fail)"
"firewall policy",FAIL,"(name=ID:100 (#3), oid=1550, reason=interface(interface binding contradiction. detail: port40<-any) binding fail)"
"firewall policy",FAIL,"(name=ID:175 (#26), oid=1573, reason=interface(interface binding contradiction. detail: V350_MPLS<-port10) binding fail)"
Each of the entries above indicates that an address object used by that policy already exists in FortiManager's database with a different interface association.
For example:
"firewall policy",FAIL,"(name=ID:XXX (#2), oid=1549, reason=interface(interface binding contradiction. detail: YYY<-ZZZ) binding fail)"
where
XXX = Policy ID
YYY = Current Interface associated with the Address Object in FortiManager's database
ZZZ = Interface associated with the Address Object used by the Security Policy being imported
In this example, the import fails due to the conflicting Address Object's interface association.
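As an added example (not part of the original article or of any Fortinet tooling), the following Python script parses the Import Report lines quoted above and extracts, for every failed "firewall policy" entry, the policy ID, the oid, the interface currently bound in FortiManager's database (YYY) and the interface used by the policy being imported (ZZZ). The report is treated as CSV with three fields per line, which matches the quoted lines; the regular expression and the field names are this example's own assumptions. Reviewing the returned list of policy IDs before installing the Policy Package tells the administrator exactly which policies are missing from it.

```python
import csv
import re
from io import StringIO
from typing import Dict, List

# The three failed entries exactly as quoted in the article above.
SAMPLE_REPORT = """\
"firewall policy",FAIL,"(name=ID:119 (#2), oid=1549, reason=interface(interface binding contradiction. detail: any<-port10) binding fail)"
"firewall policy",FAIL,"(name=ID:100 (#3), oid=1550, reason=interface(interface binding contradiction. detail: port40<-any) binding fail)"
"firewall policy",FAIL,"(name=ID:175 (#26), oid=1573, reason=interface(interface binding contradiction. detail: V350_MPLS<-port10) binding fail)"
"""

# Assumed structure of the reason field (derived from the quoted lines):
#   name=ID:<policy id> (#<sequence>), oid=<oid>,
#   reason=interface(interface binding contradiction. detail: YYY<-ZZZ) binding fail
# YYY = interface bound to the object in FortiManager's database
# ZZZ = interface bound to the object on the FortiGate being imported
_REASON_RE = re.compile(
    r"name=ID:(?P<policy_id>\d+) \(#(?P<seq>\d+)\), oid=(?P<oid>\d+), "
    r"reason=interface\(interface binding contradiction\. "
    r"detail: (?P<fmg_intf>[^<]+)<-(?P<fgt_intf>[^)]+)\) binding fail"
)


def parse_import_report(text: str) -> List[Dict[str, str]]:
    """Return one record per failed firewall policy import caused by an
    interface binding contradiction. Lines of other categories, non-FAIL
    lines and lines whose reason does not match the pattern are skipped."""
    failures: List[Dict[str, str]] = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 3:
            continue
        category, status, detail = row
        if category != "firewall policy" or status != "FAIL":
            continue
        match = _REASON_RE.search(detail)
        if not match:
            continue
        failures.append({
            "policy_id": match.group("policy_id"),
            "seq": match.group("seq"),
            "oid": match.group("oid"),
            "fmg_interface": match.group("fmg_intf"),   # YYY
            "fgt_interface": match.group("fgt_intf"),   # ZZZ
        })
    return failures


def missing_policy_ids(text: str) -> List[int]:
    """Sorted policy IDs that did not make it into the Policy Package; these
    would be removed from the FortiGate if the package were installed as-is."""
    return sorted({int(f["policy_id"]) for f in parse_import_report(text)})


def conflicting_interface_pairs(text: str) -> Dict[str, int]:
    """Count failures per 'YYY<-ZZZ' pair so the administrator can see which
    interface associations need to be reconciled before re-importing."""
    counts: Dict[str, int] = {}
    for f in parse_import_report(text):
        key = f"{f['fmg_interface']}<-{f['fgt_interface']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for record in parse_import_report(SAMPLE_REPORT):
        print(record)
    print("Policies not imported:", missing_policy_ids(SAMPLE_REPORT))
    print("Conflicts by interface pair:", conflicting_interface_pairs(SAMPLE_REPORT))
```

Run the script against a saved Import Report instead of SAMPLE_REPORT to get the list of policy IDs to verify; an empty list from missing_policy_ids means no interface binding contradictions were recorded.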
Solution
After identifying the Address Object(s) in conflict, choose one of the following configuration options to resolve it:
1. Change the interface association of the objects with the same name to 'any'.
2. If the object specifications differ (for example, IP address/mask), change the object name on the respective FortiGates.
3. Alternatively, change the object's name regardless of whether its specifications differ.