This article describes how to troubleshoot a policy package installation that fails with the error shown below:
FortiManager, FortiGate.
Debug command:
diag debug application securityconsole 255
diag debug enable
Debug output:
SECURITY_CONSOLE: Installing firewall policy
SECURITY_CONSOLE: [FGT2[copy] root] Dynamic Local Certificate Fortinet_CA_SSL not resolved, policyid=1071741825
SECURITY_CONSOLE: [FGT2[copy] root] VIP VS1 validation failed, policyid=1071741825
SECURITY_CONSOLE: [FGT2[copy] root] validation error on firewall policy 1071741825 in policy block "PB Test", by address check
SECURITY_CONSOLE: [FGT2[copy] root] Dynamic Local Certificate Fortinet_CA_SSL not resolved, policyid=2
SECURITY_CONSOLE: [FGT2[copy] root] VIP VS1 validation failed, policyid=2
SECURITY_CONSOLE: [FGT2[copy] root] validation error on firewall policy 2 in policy package "Test", by address check
SECURITY_CONSOLE: Installing firewall policy completed - 0 entries installed, 2 errors
The debug logs show that the Virtual IP object (VS1) used in the policies references a Local Certificate (Fortinet_CA_SSL) that is not resolved for the device. The certificate must have a per-device mapping on each device.
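On a larger install the same three-line pattern repeats for every affected policy. The following Python script is an added example, not part of the original article or a Fortinet tool: it groups the securityconsole debug lines by device and policy ID and lists which certificate needs a per-device mapping. It assumes the bracketed prefix is "[<device> <vdom>]" and uses the debug output above as constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample: the debug output quoted in this article.
SAMPLE = """\
SECURITY_CONSOLE: Installing firewall policy
SECURITY_CONSOLE: [FGT2[copy] root] Dynamic Local Certificate Fortinet_CA_SSL not resolved, policyid=1071741825
SECURITY_CONSOLE: [FGT2[copy] root] VIP VS1 validation failed, policyid=1071741825
SECURITY_CONSOLE: [FGT2[copy] root] validation error on firewall policy 1071741825 in policy block "PB Test", by address check
SECURITY_CONSOLE: [FGT2[copy] root] Dynamic Local Certificate Fortinet_CA_SSL not resolved, policyid=2
SECURITY_CONSOLE: [FGT2[copy] root] VIP VS1 validation failed, policyid=2
SECURITY_CONSOLE: [FGT2[copy] root] validation error on firewall policy 2 in policy package "Test", by address check
SECURITY_CONSOLE: Installing firewall policy completed - 0 entries installed, 2 errors
"""

# Assumption: the bracketed prefix is "[<device> <vdom>]"; the device name may contain brackets.
PREFIX = re.compile(r'^SECURITY_CONSOLE: \[(?P<dev>.+?) (?P<vdom>\S+)\] (?P<msg>.+)$')
SUMMARY = re.compile(r'completed - \d+ entries installed, (?P<err>\d+) errors')
FIELDS = {
    "cert": re.compile(r'^Dynamic Local Certificate (?P<name>\S+) not resolved, policyid=(?P<pid>\d+)'),
    "vip": re.compile(r'^VIP (?P<name>\S+) validation failed, policyid=(?P<pid>\d+)'),
    "where": re.compile(r'^validation error on firewall policy (?P<pid>\d+) in policy (?P<name>(?:block|package) "[^"]+")'),
}

def parse(text):
    """Return ({(device, vdom): {policy_id: {field: value}}}, error count from the summary line)."""
    found, reported = defaultdict(dict), None
    for line in text.splitlines():
        summary = SUMMARY.search(line)
        if summary:
            reported = int(summary["err"])
        prefix = PREFIX.match(line.strip())
        if not prefix:
            continue
        for field, rx in FIELDS.items():
            m = rx.match(prefix["msg"])
            if m:
                found[(prefix["dev"], prefix["vdom"])].setdefault(m["pid"], {})[field] = m["name"]
    return dict(found), reported

def report(text):
    """One line per failing policy, plus a warning if the capture looks truncated."""
    found, reported = parse(text)
    out = [f'{dev}/{vdom}: policy {pid} in {r.get("where")} uses VIP {r.get("vip")}; '
           f'map certificate {r.get("cert")} for this device'
           for (dev, vdom), recs in found.items() for pid, r in recs.items()]
    errors = sum("where" in r for recs in found.values() for r in recs.values())
    if reported is not None and errors != reported:
        out.append(f"warning: parsed {errors} validation errors, summary reports {reported}")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

The warning line appears when the number of parsed validation errors differs from the count in the final summary line, which usually means the debug capture was cut off.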
Related articles:
Install policy package error 'error firewall addrgrp - xxx :44 - address'
Install error failed due to Provisioning Template (error -999)
Install policy package error 'error filters - xx : -xx - invalid category ID'