FortiManager
Anonymous
Article Id 305122
Description

This article describes how to troubleshoot and resolve the installation error 'certificate ca with same name <Cert_Name> does not exist in global' when installing a Policy Package on multi-VDOM FortiGates.

Scope

FortiManager.
Solution

When trying to install a Policy Package to a FortiGate, the user encounters the following error in the install preview:

1. Error.png

 

The error can appear when installing a Policy Package on a single multi-VDOM FortiGate or a group of them, after a different Policy Package was imported from a different FortiGate without VDOMs, but using the same certificate.

 

This happens, for example, in an SD-WAN deployment where the Hub or Hubs are multi-VDOM and the Spokes are without VDOMs, with the certificate used to establish IPsec tunnels.

 

There are different solutions to the problem. Apply one of them in the FortiManager ADOM containing the FortiGates with the Install Preview error:

 

  • Restore the previous range of the certificate: go to Policy & Objects -> CLI Configurations (if the CLI Configurations option is not available, enable it under Feature Visibility) -> search for 'certificate' -> vpn -> certificate -> ca -> right-click the certificate -> Edit, and change the range from 'global' to 'vdom'.
  • Create a new certificate, identical to the previous one, and add it to the Global configuration of the multi-VDOM FortiGate: go to Policy & Objects -> Object Configurations -> CLI Only Objects -> search for 'certificate' in the search bar -> select 'ca' under VPN -> Edit the certificate (in this example, the certificate is 'Test_CA1') and copy all the information from the 'ca' section.


2. copy ca info.png

After that, create the certificate with the same name, using the value copied in the previous step: go to Device Manager -> Device & Groups -> Managed FortiGate -> select the FortiGate -> CLI Configuration -> search for certificates in the search bar -> select 'ca' -> select '+ Create New', then create the certificate.

3. DVM.png

 

After completing one of the two procedures, it is possible to proceed with installing the Policy Package, and the error should not appear in the Install Preview. However, to push other Policy Packages to FortiGates without VDOMs, it could be necessary to change the range of the certificate again.