Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sw2090
Honored Contributor

cannot deploy policy package after adom upgrade to 6.4

Hiho,

 

I have an adom which used to bei v6.2 before. As long as it was 6.2 all worked fine even after upgrading the FortiManager to v6.4. Once I upgraded the adom (and the global adom as it provides objects that are used in that adom) to v.6.4 I cannot deploy the policy package anymore. FMG just says deployment has failed but it doesn't let me know why or at which point :(

Installation log does not show any error.

And the usuall cli debug levels don't show any error too. Also there is much less debug info in 6.4 than there used to be in 6.2.

There is almost no debugging output written during the deployment process even with several debuglevels set to 255:

 

I also opened a ticket with TAC but even they did not yet provide a solution or hint.

Does anyone have some idea how further debugging in 6.4 could be done to maybe find the problem?

 

cheers

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

1 Solution
sw2090
Honored Contributor

Update: I seem to have found out why this happened.

The Problem was that FMG tried to set options in webfilter profiles that are coming form global adom.

In fact the Webfilter Profiles are configured to be "Flow-based" but FMG always tried to set somne options that are only available if the profile is in Proxy mode. If I switched the profile to proxy in global adom I saw those options were enabled and disabled them. Then afterwards switched the profile back to flow-based and re-assigned the global objects to my adom. 

After I did that The deployment of the policy package worked again.

 

I'd consider this to be a bug in FMG 6.4 since otions that are not available depending on object configuration should be ignored even if they're enabled because they then cannot be set.

 

With that I also found two more Bugs/issues in FMG 6.4:

 

- FMG allows you to have objects with dynamic mapping without having a valid mapping for all installation targets that use that object AND not having a default mapping which causes undefined statuses on installation targets that don't have a mapping specified. This has been confirmed to me by TAC and is on the 6.4 Buglist. It is said to have been fixed in 6.4.7.

 

- I also noticed that some policies for unknown reason completely lost their installation target(s) upon upgrading the adom from 6.2 to 6.4.  Reported this to TAC.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

1 REPLY 1
sw2090
Honored Contributor

Update: I seem to have found out why this happened.

The Problem was that FMG tried to set options in webfilter profiles that are coming form global adom.

In fact the Webfilter Profiles are configured to be "Flow-based" but FMG always tried to set somne options that are only available if the profile is in Proxy mode. If I switched the profile to proxy in global adom I saw those options were enabled and disabled them. Then afterwards switched the profile back to flow-based and re-assigned the global objects to my adom. 

After I did that The deployment of the policy package worked again.

 

I'd consider this to be a bug in FMG 6.4 since otions that are not available depending on object configuration should be ignored even if they're enabled because they then cannot be set.

 

With that I also found two more Bugs/issues in FMG 6.4:

 

- FMG allows you to have objects with dynamic mapping without having a valid mapping for all installation targets that use that object AND not having a default mapping which causes undefined statuses on installation targets that don't have a mapping specified. This has been confirmed to me by TAC and is on the 6.4 Buglist. It is said to have been fixed in 6.4.7.

 

- I also noticed that some policies for unknown reason completely lost their installation target(s) upon upgrading the adom from 6.2 to 6.4.  Reported this to TAC.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post