Description
This article describes how to exclude members from an address group when the change does not persist on the firewall and a specific address object must be excluded.
Solution
In this situation, an address object cannot be excluded from an address group even though the configuration is committed successfully.
When the address group is checked again under Policy & Objects -> Addresses -> Address Group, the 'Exclude members' option that was configured earlier is shown as disabled.
1) This behavior is expected when 'Static route configuration' is enabled in the address object. An address object cannot be excluded while 'Static route configuration' is enabled on it.
2) 'Static route configuration' is disabled by default. Enable the option only to use the address object in a static route configuration; otherwise keep it disabled.
Either 'Static route configuration' or 'Exclude members' can be used, but not both at the same time.
3) To exclude a member using an address object, make sure the 'Static route configuration' option is disabled on that specific address object. It can then be used as an exclude member of an address group.
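The same steps from the CLI, as an added example that is not part of the original article. It assumes the CLI keywords of recent FortiOS releases, where `allow-routing` is the setting behind the GUI option 'Static route configuration'; the object names and addresses are constructed for illustration, and the `#` lines are annotations for the reader, not commands.

```fortios
# Constructed object names: Srv_Subnet, Srv_Host_Excluded, Srv_Group.
# Addresses are from the 192.0.2.0/24 documentation range.

# Object that will be excluded: 'Static route configuration' must be off.
config firewall address
    edit "Srv_Host_Excluded"
        set subnet 192.0.2.10 255.255.255.255
        # If this is 'enable', the exclusion on the group does not persist.
        set allow-routing disable
    next
    edit "Srv_Subnet"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Group that contains the subnet but excludes the single host.
config firewall addrgroup
    edit "Srv_Group"
        set member "Srv_Subnet"
        set exclude enable
        set exclude-member "Srv_Host_Excluded"
    next
end

# Confirm that the exclusion is still present after the commit.
show firewall addrgroup "Srv_Group"
```

If the `show` output no longer lists `set exclude enable` and `set exclude-member`, check `allow-routing` on the excluded object before changing any policy that references the group, since the policy would otherwise match the full member range.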