Description
This article describes how to troubleshoot the install policy package and the error 'error firewall addrgrp - xxx :44 - address'.
Scope
FortiManager, FortiGate.
Solution
Performing a debug on FortiManager will show associate firewall addresses because it failed to install:
Debug command:
diag debug application securityconsole 255
diag debug enable
Debug output:
SECURITY_CONSOLE: copy all policies: 0 hours 0 minutes 0.050321 seconds.
__add_reference_core,2478: soid=3569, mobj=fw_policy.dstaddr, Test Group fail. <- ('Test Group' is the Address Group and is assigned to the destination address in the policy).
add 1 fail references back to pending list
SECURITY_CONSOLE: (1) [Bezza-kvm08[copy] root] post commit check fail: firewall addrgrp - Test Group - address (reason:none)
SECURITY_CONSOLE: (1) [Bezza-kvm08[copy] root] post_vdom copy error:firewall addrgrp - Test Group :(errcode)44 - address (reason:none)
SECURITY_CONSOLE: (1) [Bezza-kvm08[copy] root] Copy rollbacked, due to error (reason:none)
SECURITY_CONSOLE: (1) Compile time: 0 hours 0 minutes 0.588362 seconds.
The debug explains what caused it to fail, but does not mention why. The reason for this installation error is due to the object address in the address group is associated with a different interface, which is not supported by FortiGate by design.
In FortiManager, an address group will be successfully created without throwing an error but this behavior is different when checking on FortiGate itself. It will throw a warning message if the members are assigned with a different interface.
In the current design, members in the address group with different interfaces are not supported. Proceed to change the address object interface to 'any' or the same interface with other members to rectify this install error.
Related article:
