Description
This article describes a scenario in which a FortiGate's Security Policies are imported incompletely into FortiManager as a Policy Package (PP). If the administrator later makes changes and installs the PP back onto the FortiGate, the policies that were never imported are not part of the PP and may inadvertently be removed from the FortiGate.
To prevent this, it is recommended to download and review the Import Report at the end of the 'Import Policy' wizard, before making changes to or installing the PP.
If not all of the Security Policies were imported, the report contains FAIL entries such as the following:
"firewall policy",FAIL,"(name=ID:119 (#2), oid=1549, reason=interface(interface binding contradiction. detail: any<-port10) binding fail)"
"firewall policy",FAIL,"(name=ID:100 (#3), oid=1550, reason=interface(interface binding contradiction. detail: port40<-any) binding fail)"
"firewall policy",FAIL,"(name=ID:175 (#26), oid=1573, reason=interface(interface binding contradiction. detail: V350_MPLS<-port10) binding fail)"
Each entry above indicates that an address object used by that policy already exists in FortiManager's database with a different interface association, so the policy was skipped.
The generic form of the entry is:
"firewall policy",FAIL,"(name=ID:XXX (#2), oid=1549, reason=interface(interface binding contradiction. detail: YYY<-ZZZ) binding fail)"
Where:
XXX = Policy ID on the FortiGate.
YYY = Interface currently associated with the Address Object in FortiManager's database.
ZZZ = Interface associated with the Address Object used by the Security Policy being imported.
In each such case the import of that policy fails because of the conflicting Address Object's interface association. Note that the entry identifies the policy, not the object: the conflicting object is found by checking the source and destination addresses of policy XXX on the FortiGate for one bound to interface ZZZ.
Scope
FortiGate, FortiManager.
Solution
After identifying the Address Object(s) with the conflict, there are several configuration options for resolving it:
- Change the interface association of the objects with the same name to 'any'. This only relaxes the restriction on where the object may be used; it does not change which interfaces the policy itself matches.
- If the object specifications differ (for example, IP address/mask), rename the object on the respective FortiGate(s) so that it no longer collides with the object in FortiManager.
- Alternatively, create a new object on the FortiGate with the correct IP address matching the one configured in FortiManager, add it to the policy, remove the conflicting object from the policy, and then import the configuration into FortiManager again.
- It is also possible to rename the object regardless of its specifications.
After applying one of these options, run the 'Import Policy' wizard again and confirm that the Import Report no longer contains FAIL entries before installing the PP.
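The following script is an added example, not part of the original article or any Fortinet tool. It parses Import Report lines of the format shown above, extracts the XXX/YYY/ZZZ fields, and maps each conflict to one of the resolution options listed in this Solution. The sample report text is constructed for the example, the function and class names are assumptions, and the mapping in suggested_fix is the author's own reading of the options above.

```python
from __future__ import annotations

import csv
import re
from dataclasses import dataclass

# Constructed sample report (not a real export): three binding failures in the
# format documented above, plus one successful entry that must be ignored.
SAMPLE_REPORT = """\
"firewall policy",FAIL,"(name=ID:119 (#2), oid=1549, reason=interface(interface binding contradiction. detail: any<-port10) binding fail)"
"firewall policy",FAIL,"(name=ID:100 (#3), oid=1550, reason=interface(interface binding contradiction. detail: port40<-any) binding fail)"
"firewall policy",FAIL,"(name=ID:175 (#26), oid=1573, reason=interface(interface binding contradiction. detail: V350_MPLS<-port10) binding fail)"
"firewall policy",OK,"(name=ID:3 (#1), oid=1500)"
"""

# Pulls XXX (policy ID), the sequence number, the oid, YYY (interface on the
# object already in FortiManager) and ZZZ (interface on the imported policy's
# object) out of the third CSV column.
DETAIL_RE = re.compile(
    r"name=ID:(?P<policy_id>\d+) \(#(?P<seq>\d+)\), oid=(?P<oid>\d+), "
    r"reason=interface\(interface binding contradiction\. detail: "
    r"(?P<fmg_iface>[^<]+)<-(?P<fgt_iface>[^)]+)\) binding fail"
)


@dataclass
class BindingConflict:
    policy_id: int
    seq: int
    oid: int
    fmg_iface: str  # YYY: association of the object in FortiManager's database
    fgt_iface: str  # ZZZ: association of the object used by the imported policy

    def suggested_fix(self) -> str:
        """Map the conflict to one of the options in the Solution section.

        This mapping is an assumption of the example: if one side already
        uses 'any', relaxing the other side resolves the contradiction;
        otherwise the two objects are bound to different interfaces and the
        object should be renamed (or both associations set to 'any').
        """
        if self.fgt_iface == "any":
            return "relax-fortimanager-object"
        if self.fmg_iface == "any":
            return "relax-fortigate-object"
        return "rename-or-relax-both"


def parse_import_report(text: str) -> list[BindingConflict]:
    """Return every interface-binding failure found in the report text."""
    conflicts: list[BindingConflict] = []
    # csv handles the quoted third column, which itself contains commas.
    for row in csv.reader(text.splitlines()):
        if len(row) < 3 or row[0] != "firewall policy" or row[1] != "FAIL":
            continue
        match = DETAIL_RE.search(row[2])
        if match is None:
            continue  # a FAIL with some other reason; out of scope here
        conflicts.append(
            BindingConflict(
                policy_id=int(match["policy_id"]),
                seq=int(match["seq"]),
                oid=int(match["oid"]),
                fmg_iface=match["fmg_iface"],
                fgt_iface=match["fgt_iface"],
            )
        )
    return conflicts


def interfaces_to_check(conflicts: list[BindingConflict]) -> set[str]:
    """Interfaces (ZZZ) to look for on the affected policies' address objects."""
    return {c.fgt_iface for c in conflicts}


if __name__ == "__main__":
    for c in parse_import_report(SAMPLE_REPORT):
        print(f"policy {c.policy_id}: FortiManager={c.fmg_iface} "
              f"FortiGate={c.fgt_iface} -> {c.suggested_fix()}")
    print("interfaces to check on the FortiGate:",
          sorted(interfaces_to_check(parse_import_report(SAMPLE_REPORT))))
```

Run it against a downloaded Import Report instead of SAMPLE_REPORT to get the list of policy IDs that were skipped; any policy listed here is absent from the PP and would be removed on install if the conflict is not resolved first.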