FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
aislam
Staff
Article Id 398448
Description This article describes a known issue where editing any parameter on a tunnel interface with IP/Netmask set to 0.0.0.0/0.0.0.0 throws the error 'A tunnel IP must have a mask of 255.255.255.255'. It also gives the workaround for editing such interfaces.
Scope FortiManager v7.2.x, FortiManager v7.4.6, and below.
Solution

Editing any parameter of a tunnel interface whose IP/Netmask is set to 0.0.0.0/0.0.0.0 causes FortiManager to show the error 'A tunnel IP must have a mask of 255.255.255.255'. The user can still modify parameters directly on FortiGate, and those changes are updated on FortiManager through auto-update or config retrieval, but modifying the interface directly on FortiManager throws the following error.

error.JPG

 

This is a known issue in FortiManager v7.2.x and in FortiManager v7.4.6 and below. It will be fixed in FortiManager versions 7.4.7 and 7.6.3 as part of issue ID 1101829.

The workaround is to make the changes on these tunnel interfaces using a CLI script in FortiManager.

For example:

The user wants to allow PING, HTTP, and HTTPS access on the IPsec tunnel Spoke-HUB.

Tunnel-No-acccess.JPG

 

Follow these steps:

  1. Create a CLI script under Device Manager -> Script and specify Type: CLI Script, Run script on: Device Database.

    sciprt.JPG
  2. Execute the CLI script on FortiGate.
  3. The changes will be updated and reflected on the tunnel Interface in FortiManager and can be installed on the FortiGate using the install wizard. 

script-changes-reflected.JPG
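A CLI script body for step 1 that matches the example above. It is added here as an illustration and is not transcribed from the article's screenshot; it assumes the tunnel interface is named Spoke-HUB, as in the example, and uses the FortiOS `allowaccess` interface option.

```fortios
config system interface
    edit "Spoke-HUB"
        set allowaccess ping https http
    next
end
```

`set allowaccess` replaces the interface's entire access list, so list every service that should remain permitted on the tunnel, not only the new ones.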