FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
smkml
Staff
Article Id 362394
Description

 

This article describes how to troubleshoot the error '-999 - beyond the boundary' that occurs during policy package installation.

 


Scope

 

FortiManager, FortiGate.

 

Solution

 

Run a debug to identify which part of the configuration is causing the error:

 

diagnose debug application securityconsole 255

diagnose debug enable

 

Example outputs:

 

SECURITY_CONSOLE: Load dynamic obj time: 0 hours 0 minutes 0.002543 seconds.
SECURITY_CONSOLE: (1) [FGT-SPOKE[copy] root] Start copying shared objs to devdb, device(FGT-SPOKE), vdomid(root) (reason:none)
SECURITY_CONSOLE: (1) Using mm method.
TCL error(beyond the boundary).
obj rule
action:permit
flags:0
ge:17
id:1
le:17
prefix:10.119.0.0 255.255.0.0
SECURITY_CONSOLE: (1) [FGT-SPOKE[copy] root] Copy done (reason:none)
SECURITY_CONSOLE: (1) [FGT-SPOKE[copy] root] Commit failed: beyond the boundary - (in Template TestBGP) beyond the boundary (reason:none)
SECURITY_CONSOLE: (1) Compile time: 0 hours 0 minutes 0.207358 seconds.
SECURITY_CONSOLE: (1) Import time: 0 hours 0 minutes 0.019504 seconds.
SECURITY_CONSOLE: (1) Change dvm status time: 0 hours 0
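
A small triage helper for the debug output above, as an added example (not Fortinet's code): it extracts the rejected object, its fields, and the device, VDOM and template named in the 'Commit failed' line from a securityconsole capture. The sample text is constructed from the output shown in this article, and the function name and result keys are assumptions.

```python
import ipaddress
import re

# Constructed sample, modelled on the securityconsole debug output in this article.
SAMPLE = """\
TCL error(beyond the boundary).
obj rule
action:permit
ge:17
id:1
le:17
prefix:10.119.0.0 255.255.0.0
SECURITY_CONSOLE: (1) [FGT-SPOKE[copy] root] Copy done (reason:none)
SECURITY_CONSOLE: (1) [FGT-SPOKE[copy] root] Commit failed: beyond the boundary - (in Template TestBGP) beyond the boundary (reason:none)
"""

TCL_ERR = re.compile(r"^TCL error\((.+)\)\.?$")
COMMIT = re.compile(r"\[([^\[\]\s]+)\[copy\] (\S+)\] Commit failed: .*?\(in Template ([^)]+)\)")

def find_rejected_objects(text):
    """Return one dict per 'TCL error' block, tagged with device, VDOM and template."""
    findings, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        err = TCL_ERR.match(line)
        if err:
            current = {"error": err.group(1), "obj": None, "fields": {}}
            findings.append(current)
        elif current is not None and line.startswith("obj "):
            current["obj"] = line[4:]
        elif current is not None and ":" in line and not line.startswith("SECURITY_CONSOLE:"):
            key, value = line.split(":", 1)
            current["fields"][key] = value
        else:
            current = None  # any other line ends the key:value dump
            commit = COMMIT.search(line)
            if commit:
                # The commit failure names the device, VDOM and template for the errors above it.
                for f in findings:
                    if "template" not in f:
                        f["device"], f["vdom"], f["template"] = commit.groups()
    for f in findings:
        if "prefix" in f["fields"]:
            # 'prefix' is dumped as "<address> <netmask>"; derive the length to compare with ge/le.
            addr, mask = f["fields"]["prefix"].split()
            f["prefix_len"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False).prefixlen
    return findings

if __name__ == "__main__":
    print(find_rejected_objects(SAMPLE))
```

The result gives the object type and values to look for in the named template, so the same rule can then be checked on the FortiGate CLI.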

 

This error is related to the BGP configuration, specifically 'config router prefix-list'. Checking the same configuration on the FortiGate itself explains the error in more detail.

 

FGT-SPOKE (IN) # show
config router prefix-list
    edit "IN"
        config rule
            edit 1
                set prefix 10.119.0.0 255.255.0.0
                set ge 17
                set le 17
            next
        end
    next
end

 

FGT-SPOKE (IN) # end
Invalid prefix range -- make sure: len < ge-value <= le-value
object check operator error, -650, discard the setting

Command fail. Return code -650

 

The error message states that the 'ge' value must be greater than the prefix length and less than or equal to the 'le' value.

 


The combination of 'ge' equal to 17 and 'le' equal to 19 will allow subnets 10.119.0.0/17, 10.119.0.0/18, and 10.119.0.0/19.