FortiGate
MigenaM
Staff
Article Id 415285
Description This article explains why a VIP entry cannot be disabled when the configuration change is pushed from FortiManager.
Scope FortiGate, FortiManager.
Solution

When pushing a configuration change from FortiManager to FortiGate, in particular a change to a VIP entry, the following error can be seen:

 

FortiGate (NetScaler_VIP) $ set status disable
Cannot disable used VIP.

 

This error occurs because the VIP entry is still referenced in the configuration, specifically by a firewall policy, as seen below:

 

config firewall policy
    edit 5
        set status disable
        set name "5"
        set uuid 21a3efce-0382-54f0-2467-597344d287f8
        set srcintf "INTER"
        set dstintf "SECURED_ZONE"
        set action accept
        set srcaddr "all"
        set dstaddr "NetScaler_VIP"
        set schedule "always"
        set service "HTTPS" "HTTP"
        set logtraffic all
        set global-label "Internet_Inside"
    next
end

 

Even if this firewall policy is disabled, the VIP entry will still be marked as used.

To work around this behavior, replace the VIP in the firewall policy with another VIP entry, or delete the firewall policy altogether.
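
An added example, not part of the original article and not Fortinet tooling: a pre-push check that scans a saved FortiGate configuration for firewall policies that still reference a VIP, including disabled ones. The function name `find_vip_references` and the sample configuration are constructed for illustration, and only `dstaddr` references in firewall policies are checked.

```python
import shlex

# Constructed sample: the policy excerpt above plus one that does not use the VIP.
SAMPLE_CONFIG = '''
config firewall policy
    edit 5
        set status disable
        set name "5"
        set srcaddr "all"
        set dstaddr "NetScaler_VIP"
        set service "HTTPS" "HTTP"
    next
    edit 6
        set name "6"
        set srcaddr "all"
        set dstaddr "all"
    next
end
'''

def find_vip_references(config_text, vip_name):
    """Return [(policy_id, status)] for each firewall policy whose dstaddr
    lists vip_name. Disabled policies are reported too, because they still
    count as a reference. Assumes policy entries without nested config blocks."""
    refs, in_policies, policy_id, settings = [], False, None, {}
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)  # splits quoted, multi-value settings
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_policies = True
        elif not in_policies:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            policy_id, settings = tokens[1], {}
        elif tokens[0] == "set" and len(tokens) > 2:
            settings[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and policy_id is not None:
            if vip_name in settings.get("dstaddr", []):
                # 'show' output omits defaults; a policy defaults to enabled.
                refs.append((policy_id, settings.get("status", ["enable"])[0]))
            policy_id = None
        elif tokens[0] == "end":
            in_policies = False
    return refs

if __name__ == "__main__":
    for pid, status in find_vip_references(SAMPLE_CONFIG, "NetScaler_VIP"):
        print(f"policy {pid} (status {status}) still references the VIP")
```

Any policy returned here has to be changed to another VIP or deleted before the VIP status change is pushed.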

Note:
To see where a VIP entry is being used, go to Policy & Objects > Virtual IPs and click the Ref column for that entry.


 

Note:

Disabling virtual IPs can only be done if the FortiGate is using central NAT mode. This feature was introduced in v7.0; see "Allow VIPs to be enabled or disabled in central NAT mode".