FortiGate
jo_rang
Staff
Article Id 425176
Description This article explains how to troubleshoot the GUI error ERR_FABRIC_POLICY_APPEND_FAILED.
Scope FortiOS v7.2, v7.4, v7.6.1 and v7.6.2.
Solution

When adding a new interface to the Local Network under Fabric Overlay Orchestrator, the GUI may display the error ERR_FABRIC_POLICY_APPEND_FAILED: Appending firewal.policy related to advertised subnet failed. Check CLI debug.

Error.png

The following CLI commands can be used to diagnose this error:

diagnose debug cli 8
diagnose debug enable

FG-LABVM-01 # 0: config system fabric-vpn
0: end
0: config system fabric-vpn
0: end
0: config system fabric-vpn
0: end
0: config router bgp
0: end
0: config router bgp
0: config neighbor-range
0: edit 1
0: set prefix 10.10.10.1 255.255.255.0
0: set neighbor-group "fabric_vpn_1"
0: end
0: end
0: config router bgp
0: config network
0: edit 1
0: set prefix 10.10.10.1 255.255.255.0
0: end
0: end
0: config firewall policy
0: edit 26
0: end
0: config system fabric-vpn
0: end
0: config firewall policy
0: edit 29
0: end
0: config firewall policy   <--- FortiGate attempts to create the firewall policy
0: edit 30
0: set name "fabric_vpn_1_out"
-651: set srcintf "Test VLAN"       <--- Setting the source interface fails (return code -651)
(skipped) set dstintf "fabric_vpn_sdwan"
(skipped) set action accept
(skipped) set srcaddr "fabric_vpn_192.168.140.0_255.255.255.0_1"
(skipped) set dstaddr "all"
(skipped) set schedule "always"
(skipped) set service "ALL"
(skipped) set comments "Fabric VPN automatic policy."


In this example, the error occurs because the interface 'Test VLAN' belongs to a system zone. Once an interface is assigned to a zone, it can no longer be used directly as the source or destination interface of a firewall policy; only the zone can be selected. Every subsequent 'set' in the policy is skipped because the entry is never created, which is why the GUI reports that appending the policy failed.

Zone Configuration.png

Solution 1:

Set the Policy creation option to 'Health Check' or 'Manual'. Afterwards, manually create the firewall policies, referencing the system zone (not the member interface) as the source or destination interface.
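The following CLI session is an added example, not part of the original article, showing how the outbound policy that the orchestrator failed to append can be created by hand once the policy creation option has been changed. The zone name "LAN_zone" is an assumption; the remaining object names ("fabric_vpn_sdwan", the address object and the policy name) are taken from the debug output above. The source interface is the zone, which is what the orchestrator could not do.

```fortios
# Confirm which zone 'Test VLAN' is a member of (zone name assumed to be LAN_zone)
show system zone

# Recreate the outbound Fabric VPN policy with the zone as source interface.
# 'edit 0' lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "fabric_vpn_1_out"
        set srcintf "LAN_zone"
        set dstintf "fabric_vpn_sdwan"
        set action accept
        set srcaddr "fabric_vpn_192.168.140.0_255.255.255.0_1"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set comments "Fabric VPN manual policy (zone-based)."
    next
end

# Verify that the policy now exists and references the zone
show firewall policy
```

With 'diagnose debug cli 8' still enabled, each 'set' line of this session should be echoed with return code 0 rather than -651, confirming that the zone is accepted where the member interface was not.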

Policy Creating options.png

Solution 2:

Upgrade the FortiGate to firmware version 7.6.3 or later, which supports automatic policy creation when interfaces are part of a zone.
Solution 3:

Remove the interface from the system zone and add it to the Local Network under the Fabric Overlay Orchestrator. Note that all existing policies referencing the system zone will no longer apply to this interface; therefore, new policies may need to be created.
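As an added example that is not part of the original article, the CLI below removes 'Test VLAN' from its zone so that the orchestrator can reference the interface directly. The zone name "LAN_zone" and the other member "port3" are assumptions. Note that 'set interface' under 'config system zone' replaces the whole member list, so the remaining members must be listed again rather than only the one being removed.

```fortios
# Check current zone membership before changing it (zone name assumed)
show system zone LAN_zone

# Re-set the member list without 'Test VLAN'; 'port3' stands for the other
# member(s) that should stay in the zone (assumed name).
config system zone
    edit "LAN_zone"
        set interface "port3"
    next
end

# Any policy that used LAN_zone as srcintf/dstintf no longer matches traffic
# on 'Test VLAN'; list the zone-based policies so replacements can be planned.
show firewall policy | grep -f LAN_zone
```

After this change, re-add the interface to the Local Network in the Fabric Overlay Orchestrator; the automatic policy creation should then succeed because 'Test VLAN' is a plain interface again.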
Related document:

Fabric Overlay Orchestrator | FortiGate / FortiOS 7.4.9 | Fortinet Document Library