FortiManager
spathak

Description

 

This article explains some possible causes of the copy error seen during a policy package install and how to troubleshoot it.

During installation of a policy package, FortiManager needs to copy the shared objects used by the package from the ADOM database to the device database.

 

Scope

 

FortiManager

 

Solution

 

1) Installation starts with an installation preparation phase that has two steps:

- Write summary [preview], where FortiManager prepares all the information that needs to be installed.

- Copy process, where FortiManager copies the policies and policy-related objects from the ADOM DB to the device DB.

If there is any mapping or binding conflict in the copy step, a copy error is seen.

 


 

2) Some possible causes of the copy error:

- The most common cause is the interface binding of an address object.

In this example, the 'Test' address object is bound to 'port6' in FortiManager, while the same address is bound to 'any' on the FortiGate.

 

Here, the SKIP flag is shown because those objects are not related to a specific firewall policy.

On FortiManager, the 'Test' address object is bound to port6. On the FortiGate, the same address object has its interface set to any. (Screenshots omitted.)

 

Solution: The bound interface must be the same on both ends.

Note: The interface binding cannot be changed while the address object is used in a firewall policy. Remove the object from the firewall policy first; the binding can then be changed and the object re-added to the policy.

 

A similar bind error can also be encountered during Import Configuration.
For details, refer to the following document:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Policy-Package-gets-imported-incompletely...

 

- Use of an SD-WAN member interface in a firewall policy instead of the SD-WAN interface.

 

Copy device global objects

 

Post vdom failed:

error :131 - datasrc invalid. object: firewall policy.1:srcintf. detail: port1.
solution: data cannot be used. reason: invalid value - prop[srcintf]: firewall policy srcintf/dstintf cannot be used in system sdwan members interface(port1).

 

Solution: In firewall policy 1, the source interface (srcintf) must be replaced by the SD-WAN interface.


- Another common cause of the copy error is VPN Manager. While installing the policy package, a copy error similar to the following appears:

resolve dynamic interface port2 failed,dev=3164,vdom=root

failed to update vpn node with device info


Solution:
Make sure the 'Default VPN Interface' in VPN Manager has a valid interface mapping to the interface of the remote FortiGate.

- Another cause could be that the ADOM version and the FortiGate version are different.


View Install Log

Device preparation failed:

version mismatched,adom:7.2; dev:6.4


Solution: Make sure the FortiGate major version is the same as the ADOM version.

In this case, the ADOM version is 7.2 and the FortiGate is 6.4.x.
To fix the issue, either keep the FortiGate in a 6.4 ADOM or upgrade the FortiGate to a 7.2.x version.

To upgrade the ADOM, refer to the following link:

https://community.fortinet.com/t5/FortiManager/Technical-Tip-How-to-upgrade-an-ADOM-on-FortiManager/...


- During install, if FortiManager finds two objects with the same name, an install copy error can be seen.

Solution: Rename one of the objects so that the names are unique.


- A copy error can also be caused by a missing mapping or default mapping.

Copy objects for VDOM  root:


"firewall ssl-ssh-profile", "certificate-inspection", id=2602, SKIP - (null)
"vpn certificate ca", "andersen_CA2", id=3254, COMMIT FAIL - datasrc duplicate
"firewall policy", "1", id=3354, FAIL - Mapping or default mapping not exist. detail: Mapping or default mapping not exist. detail: Local certificate "WTASSubCA-Fortinet" not exist in target device (SN:FGT60FTK20098183)


Solution:
The local certificate WTASSubCA-Fortinet needs to be imported on the FortiGate, and a per-device mapping defined in the dynamic certificate object, to fix the error.
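As an added triage aid (not part of the original article or of any Fortinet tool), the following Python script scans an install log for the error strings quoted in the causes above and maps each hit to the cause category and fix described in this article. The log excerpt is constructed from the lines quoted on this page, and the rule patterns, category labels and hint wording are this example's own assumptions, not FortiManager output formats beyond what is shown above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample install-log excerpt, assembled from the error lines quoted
# in this article (it is not a real captured log).
SAMPLE_INSTALL_LOG = """\
Copy device global objects
Post vdom failed:
error :131 - datasrc invalid. object: firewall policy.1:srcintf. detail: port1.
solution: data cannot be used. reason: invalid value - prop[srcintf]: firewall policy srcintf/dstintf cannot be used in system sdwan members interface(port1).
resolve dynamic interface port2 failed,dev=3164,vdom=root
failed to update vpn node with device info
Device preparation failed:
version mismatched,adom:7.2; dev:6.4
Copy objects for VDOM  root:
"firewall ssl-ssh-profile", "certificate-inspection", id=2602, SKIP - (null)
"vpn certificate ca", "andersen_CA2", id=3254, COMMIT FAIL - datasrc duplicate
"firewall policy", "1", id=3354, FAIL - Mapping or default mapping not exist. detail: Mapping or default mapping not exist. detail: Local certificate "WTASSubCA-Fortinet" not exist in target device (SN:FGT60FTK20098183)
"""


@dataclass
class Finding:
    cause: str   # category label (assumed naming, see RULES)
    detail: str  # the log line that triggered the rule
    hint: str    # the fix suggested by the article, filled with values from the line


# Each rule: (regex over one log line, cause label, fix hint). Named groups in
# the regex are substituted into the hint. Every line is tested against every rule.
RULES = [
    (re.compile(r"cannot be used in system sdwan members interface\((?P<iface>[^)]+)\)"),
     "sdwan-member-interface",
     "Replace SD-WAN member {iface} in the policy srcintf/dstintf with the SD-WAN interface."),
    (re.compile(r"resolve dynamic interface (?P<iface>\S+) failed"),
     "vpn-manager-interface-mapping",
     "Map the VPN Manager 'Default VPN Interface' ({iface}) to a valid interface on the device."),
    (re.compile(r"version mismatched,adom:(?P<adom>[\d.]+); dev:(?P<dev>[\d.]+)"),
     "adom-version-mismatch",
     "ADOM {adom} vs device {dev}: move the device to a matching ADOM or upgrade it."),
    (re.compile(r"COMMIT FAIL - datasrc duplicate"),
     "duplicate-object",
     "Two objects share a name; rename one of them."),
    (re.compile(r'Local certificate "(?P<cert>[^"]+)" not exist in target device \(SN:(?P<sn>[^)]+)\)'),
     "missing-mapping",
     "Import certificate {cert} on {sn} and define a per-device mapping in the dynamic certificate object."),
]


def parse_install_log(text: str) -> List[Finding]:
    """Scan an install log line by line; return one Finding per rule that matches a line."""
    findings: List[Finding] = []
    for line in text.splitlines():
        for pattern, cause, hint in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(cause, line.strip(), hint.format(**m.groupdict())))
    return findings


def summarize(findings: List[Finding]) -> List[str]:
    """Distinct cause categories present in the log, sorted for stable output."""
    return sorted({f.cause for f in findings})


if __name__ == "__main__":
    for f in parse_install_log(SAMPLE_INSTALL_LOG):
        print(f"[{f.cause}] {f.hint}\n    <- {f.detail}")
    print("categories:", summarize(parse_install_log(SAMPLE_INSTALL_LOG)))
```

Point it at a downloaded install log (`parse_install_log(open(path).read())`) to get the failing object, device serial and suggested fix without reading the whole log by hand; lines that match no rule, such as SKIP entries, are left out on purpose.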

Troubleshooting:

Download the installation logs and check them for the exact reason for the error.

To get detailed information, run the following commands from the FortiManager CLI (over SSH) and repeat the install:


# diag debug application securityconsole 255
# diag debug enable

 

For further troubleshooting, gather the following debug output while pushing the configuration and attach it to the TAC ticket.

On the FortiManager:


# diagnose debug application securityconsole 255

# diag debug app depmanager 255

# diagnose debug application fgfmsd 255 <fgt device name>

# diagnose debug enable

# diagnose debug time enable

 

On the FortiGate:

 

# exe tac report

# diagnose debug application fgfmsd 255

# diagnose debug cli 255

# diagnose debug console time enable

# diagnose debug enable
