Fortinet Forum
ffischer
New Contributor III

Cannot add a FG 5.4.8 to FM 5.6.2

Hi FortiExperts,

 

I am trying to add a configured and operational A-P Cluster 2x FG1500D (FortiOS 5.4.8) to a new FortiManager 5.6.2 running on VMware.

 

The Root ADOM (the only one) of the FM is "Fortigate Version 5.4".

 

During add I get the following Error message in Task Monitor

2018-02-07 17:26:58:reloadconffail 'datasrc invalid. object: dnsfilter profile ftgd-dns filters category 22. detail: 90. solution: data not exist

 

Indeed, 21 is the last entry in the Fortigate Config:

 

    config dnsfilter profile
        edit "default"
            set comment "Default dns filtering."
            config ftgd-dns
                config filters
                    edit 1
                        set category 12
                    next
                    ......
                    edit 21
                    next
                end
            end
        next
    end

The device is added, but Config Status shows "? unknown" and policy cannot be imported.

 

Any idea what's wrong and how to fix it?

 

Thanks,

Frank

 

5 REPLIES
chall_FTNT
Staff

This sort of error can occur if a FortiGate is downgraded from FortiOS 5.6 to FortiOS 5.4.  Additional categories could be left in the FortiGate configuration that are no longer valid for FortiOS 5.4.

 

I would look for any instances of category 22 in the FortiGate config and remove them.

Chris Hall
Fortinet Technical Support
ffischer
New Contributor III

Thanks for the fast response.

 

Indeed, the Boxes were delivered with 5.6 and downgraded to 5.4.6 and then up to 5.4.7 to 5.4.8

 

But there is no reference to a category 22 in the ftgd-dns filter. See below. I only can find "22" in Ports, UUIDs, encrypted passwords etc.

 

 

    config dnsfilter profile
        edit "default"
            set comment "Default dns filtering."
            config ftgd-dns
                set options ftgd-disable
                config filters
                    edit 1
                        set category 12
                    next
                    edit 2
                        set category 7
                    next
                    edit 3
                        set category 9
                    next
                    edit 4
                        set category 64
                    next
                    edit 5
                        set category 2
                    next
                    edit 6
                        set category 15
                    next
                    edit 7
                        set category 11
                    next
                    edit 8
                        set category 66
                    next
                    edit 9
                        set category 57
                    next
                    edit 10
                        set category 13
                    next
                    edit 11
                        set category 8
                    next
                    edit 12
                        set category 14
                    next
                    edit 13
                        set category 63
                    next
                    edit 14
                        set category 67
                    next
                    edit 15
                        set category 65
                    next
                    edit 16
                        set category 16
                    next
                    edit 17
                        set category 88
                        set action block
                    next
                    edit 18
                        set category 26
                        set action block
                    next
                    edit 19
                        set category 61
                        set action block
                    next
                    edit 20
                        set category 86
                        set action block
                    next
                    edit 21
                    next
                end
            end
        next
    end

ffischer
New Contributor III

found a workaround:

 

In lab I was able to import a vFG 5.4.8  into a FM 5.6.2.

 

So I deleted all 21 filters above from the 1500D and recreated them using the 21 filters from a freshly installed virtual 5.4.8 FG lab system.

 

Basically the only difference I can see is the order of the entries AND that the item without "set"s is now #11. In the unimportable config, it was #21: the last one was without set (see above).

 

here is what I created and what was imported by fmgr without error messages:

    config filters
        edit 1
            set category 2
        next
        edit 2
            set category 7
        next
        edit 3
            set category 8
        next
        edit 4
            set category 9
        next
        edit 5
            set category 11
        next
        edit 6
            set category 12
        next
        edit 7
            set category 13
        next
        edit 8
            set category 14
        next
        edit 9
            set category 15
        next
        edit 10
            set category 16
        next
        edit 11
        next
        edit 12
            set category 57
        next
        edit 13
            set category 63
        next
        edit 14
            set category 64
        next
        edit 15
            set category 65
        next
        edit 16
            set category 66
        next
        edit 17
            set category 67
        next
        edit 18
            set category 26
            set action block
        next
        edit 19
            set category 61
            set action block
        next
        edit 20
            set category 86
            set action block
        next
        edit 21
            set category 88
            set action block
        next
    end

 

hope this does not screw up any internals somewhere...

ffischer
New Contributor III

Hi Simon,

After adding the FG to the FM and pushing the policy, I checked the FG config. There is no line category "90" in the FG config file.

Frank

scao_FTNT
Staff

Can you try downloading a config file from the FGT and search to see if you can find a config for category 90?

 

Thanks

 

Simon
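
One way to run the search suggested in the replies (instances of a given category such as 22 or 90) against a downloaded config file, and to spot filter entries that have no "set category" line, like entry 21 in the posted config. This is an added example, not part of the thread and not Fortinet tooling; the function names and the sample config are constructed for illustration.

```python
# Constructed sample in the shape of the config posted in the thread (abridged).
SAMPLE = """\
config dnsfilter profile
    edit "default"
        config ftgd-dns
            config filters
                edit 1
                    set category 12
                next
                edit 20
                    set category 86
                next
                edit 21
                next
            end
        end
    next
end
"""

def _in_entry(stack):
    """True when the innermost block is an 'edit' under dnsfilter profile > ftgd-dns > filters."""
    path = [name for _, name in stack]
    return (len(stack) >= 5 and stack[-1][0] == "edit"
            and path[-5] == "dnsfilter profile" and path[-3:-1] == ["ftgd-dns", "filters"])

def dns_filter_entries(text):
    """Return (profile, entry_id, category or None) for each ftgd-dns filter entry."""
    stack, entries = [], []
    for line in text.splitlines():
        tok = line.split() or [""]
        if tok[0] in ("config", "edit"):
            # Track nesting so "set category" in unrelated sections is ignored.
            stack.append((tok[0], " ".join(tok[1:]).strip('"')))
            if _in_entry(stack):
                entries.append([stack[-4][1], stack[-1][1], None])
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[:2] == ["set", "category"] and len(tok) > 2 and _in_entry(stack):
            entries[-1][2] = int(tok[2])
    return [tuple(e) for e in entries]

def suspect_entries(text, categories=()):
    """Entries with no 'set category', or whose category is in `categories`."""
    return [e for e in dns_filter_entries(text) if e[2] is None or e[2] in categories]

if __name__ == "__main__":
    for profile, entry, cat in suspect_entries(SAMPLE, {22, 90}):
        print(f"profile {profile!r}: filter entry {entry} category={cat}")
```

Because the parser follows the config/edit nesting, it does not match "22" in ports, UUIDs or encrypted passwords elsewhere in the file.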