Description
This article describes how to troubleshoot a 'copy' error that occurs during installation and explains how to understand the expected behavior for zone member interfaces used in policies.
Scope
FortiManager, FortiGate.
Solution
The following is an example copy error shown when perform an installation on the policy package level:
error 42 - entry not exist. detail: Dynamic interface < interface name > mapping undefined for device < device name >
Copy device global objects
validation error on firewall policy 2, by dynamic interface check
Vdom copy failed:
error 42 - entry not exist. detail: Dynamic interface "TestZone1" mapping undefined for device Juara-kvm56
Copy objects for vdom root
Troubleshooting:
- Perform the following debug command:
diag debug application securityconsole 255
diag debug enable
Example output:
SECURITY_CONSOLE: Installing firewall policy
SECURITY_CONSOLE: [Juara-kvm56[copy] root] validation error on firewall policy 2, by dynamic interface check
SECURITY_CONSOLE: error: 42, entry not exist. detail: Dynamic interface "TestZone1" mapping undefined for device Juara-kvm56
- Check the normalized interface has per-device mapping in place for the device in the GUI and CLI:
- Checking the policies and device level interface:
Note that inside the TestZone1 zone interface, one of the members (TestVlan1) is used in the policy.
Solution:
Create a new interface zone and add TestVlan1 as member. Make sure to change the normalized interface to a zone interface instead of the interface itself. By design, zone member interfaces are not allowed in policies, which only accept zone interfaces.
Related article:
Troubleshooting Tip: FortiManager Dynamic Interface Mapping Errors.
