FortiGate
arahman
Staff
Article Id 375122
Description

This article describes the troubleshooting steps to take when a policy push from FortiManager to FortiGate fails with either of these errors:

'error :3 -max entry. object: firewall address. details: global limit. solution: limit is 5000'

'error :3 - max entry. object: firewall service custom. detail: per-vdom limit. solution: limit is 100'

Scope

FortiGate, FortiManager.
Solution

The policy push from FortiManager to FortiGate fails with the error 'error :3 -max entry. object: firewall address. details: global limit. solution: limit is 5000'. The error is generated by the FortiGate when it rejects the new object; FortiManager only reports it in the install log.

 


 

This happens when the FortiGate has reached the maximum size of its firewall address table. Table size limits vary by FortiGate model and are listed in the Maximum Values Table on docs.fortinet.com. The global limit is fixed for the platform and cannot be increased.

 

On the FortiGate, current usage against each limit can be checked from the GUI under System -> Global Resources (in multi-VDOM mode, from the Global VDOM).

 


 

Alternatively, the limits can be checked with the CLI command below:

 

print tablesize

 

The solution is to delete unused firewall address objects from the FortiGate so that table entries are freed. This can be done under Policy & Objects -> Addresses. The Ref. column shows how many policies, groups or other objects reference each address; the FortiGate does not allow a referenced object to be deleted, so only objects with zero references can be removed. Remove the same unused address objects from the ADOM object database in FortiManager as well, because any address object that the policy package still references will be re-created on the next install and the limit will be reached again.

 


 

Once the unused or unwanted firewall addresses are removed, the policy push from FortiManager to FortiGate will succeed.

The second cause to check is a per-VDOM resource limit. The error 'detail: per-vdom limit' indicates that the limit was hit in the target VDOM, not on the whole device.

In the example below, the target VDOM had reached the maximum allowed number of custom firewall service objects (100) as defined by the per-VDOM resource limits.

 

When the FortiGate attempted to copy the global objects into the VDOM, it could not create additional entries because the limit was already exhausted, and the policy install from FortiManager failed with the error below.

 

Copy device global objects

Post vdom failed:
error :3 - max entry. object: firewall service custom. detail: per-vdom limit. solution: limit is 100

Copy objects for vdom DMZ



 

Configuration steps:

  1. From the Global VDOM, go to System → VDOM.
  2. Edit the affected VDOM.
  3. Under Resource Usage:
    • Enable Override Maximum for Firewall Custom Services.
    • Set the override value to greater than 100.
  4. Select OK to save the changes.
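The CLI equivalent of the steps above, as an added example that is not part of the original article. It assumes a multi-VDOM FortiGate whose affected VDOM is named DMZ (as in the install log above) and raises the custom firewall service ceiling from 100 to 200. Two assumptions should be confirmed on the running FortiOS version with `?` or tab completion: that the entry under config system vdom-property is named custom-service, and that each vdom-property value takes the maximum first and the guaranteed count second.

```fortios
# Added example, not from the original article. Assumes a multi-VDOM FortiGate
# and a VDOM named "DMZ". Run from the global context (super_admin profile).
config global

# Each vdom-property value takes two numbers: <maximum> <guaranteed>.
# A maximum of 0 means "no per-VDOM limit" (bounded only by the global limit);
# a guaranteed value of 0 reserves nothing for this VDOM.
config system vdom-property
    edit "DMZ"
        set custom-service 200 0
    next
end

# Confirm the new setting before re-running the install from FortiManager.
show system vdom-property DMZ

end
```

The override only changes the per-VDOM ceiling; the global limit from the Maximum Values Table still applies to the device as a whole, so if several VDOMs are raised the total of their guaranteed values and actual usage must still fit under the platform limit.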

 

Note:

In Split-Task or Multi-VDOM mode, FortiGate supports both Global and per-VDOM resource limits.
Global resources are shared across the entire device, while per-VDOM resources are allocated individually to each VDOM.


By default, no per-VDOM maximum is set (a value of 0), so a VDOM is bounded only by the global limit. This allows a single VDOM to consume all of the device's entries for a resource, which may impact or starve other VDOMs.
It is recommended to configure maximum limits for critical per-VDOM resources to ensure fair usage and system stability, and to set them high enough for the objects that the FortiManager policy package will install into each VDOM.