I have two 300C Fortigates, both running v5.2.13,build762. As of this morning I cannot access the Address objects via the web interface on either firewall. I can access other items under the Objects node, like VIPs, or services. If I try to access the Addresses screen under Policy and Objects I get the spinning progress indicator and it never goes away. Neither firewall is reporting high resource utilization. Has anyone else encountered this? I'll probably just reboot tohe one firewall that isn't mission critical, but rebooting the other one will be tricky due the business demands.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We have numerous devices of varying models (100Ds, 300Ds, 80Cs, 110Cs) demonstrating this issue. It does not seem model or firmware specific as these devices are running either v5.2.11 or v5.4.x. We have not been able to correlate any specific pattern or firmware. We manage hundreds more devices of similar model/firmware which are not experiencing the issue. We are leaning towards an a compatibility issue with Fortiguard services packs but unsure which specific one (IP reputation, AV/APP/IPS etc).
If you use geo based address objects there is a problem with the latest database. Asia Pacific was removed. Removing that from a policy and deleting it from address objects resolved our issues. Maybe there are other changes, but that was the fix while working with support for us. I was told the issues will affect 5.2 through 5.4.9, but 5.6.5 is unaffected. We are currently on 5.2.13.
- Justin
Got it! Fortinet removed the "EU" and "AP" country codes so any geo object referencing these two country codes will cause the issue.
Final word from support:
"We made a switch from a third party to our in-house GEO DB. The following were Legacy GEO IP addresses which contained no info: A1 Anonymous Proxy A2 Satellite Provider AP Asia/Pacific Region EU Europe "
- Justin
I rebooted one of the firewalls, and the Addresses are still not visible.
Does it coincide with an upgrade to 5.2.13? Then likely a bug. You most likely need to downgrade to the previous version, or upgrade it to at least the next generation 5.4.x. 5.2 is already ancient. You have to migrate anyway.
Unfortunately, per my last conversation with Fortinet in October 2017, upgrading a 300C to 5.4 is not supported. The 300C is supported by Fortinet, just not on any "current" FortiOS. And no, this did not coincide with the upgrade. We upgraded almost three months ago to 5.2.13, and just started having the problem today.
I see. I didn't check if 5.4 supports 300C. Have you tried all possible browsers? If so this might have found a dead end.
We have numerous devices of varying models (100Ds, 300Ds, 80Cs, 110Cs) demonstrating this issue. It does not seem model or firmware specific as these devices are running either v5.2.11 or v5.4.x. We have not been able to correlate any specific pattern or firmware. We manage hundreds more devices of similar model/firmware which are not experiencing the issue. We are leaning towards an a compatibility issue with Fortiguard services packs but unsure which specific one (IP reputation, AV/APP/IPS etc).
If you use geo based address objects there is a problem with the latest database. Asia Pacific was removed. Removing that from a policy and deleting it from address objects resolved our issues. Maybe there are other changes, but that was the fix while working with support for us. I was told the issues will affect 5.2 through 5.4.9, but 5.6.5 is unaffected. We are currently on 5.2.13.
- Justin
That worked! Now to figure out which of the following geo objects is causing the issue (spoiler, it is not "Asia-Pacific-Region"):
Geo_Afghanistan Geo_Aland-Is Geo_Albania Geo_American-Samoa Geo_Andorra Geo_Angola Geo_Anguilla Geo_Antarctica Geo_Antigua&Barbuda Geo_Armenia Geo_Aruba Geo_Asia-Pacific-Region Geo_Azerbaijan Geo_Bahamas Geo_Bahrain Geo_Bangladesh Geo_Barbados Geo_Belarus Geo_Belgium Geo_Belize Geo_Benin Geo_Bermuda Geo_Bhutan Geo_Bolivia Geo_Bonaire Geo_Bosnia&Herzegovina Geo_Botswana Geo_Bouvet-Is Geo_British-Indian-Ocean-Ter Geo_Brunei-Darussalam Geo_Bulgaria Geo_Burkina-Faso Geo_Burundi Geo_Cambodia Geo_Cameroon Geo_Cape-Verde Geo_Cayman-Is Geo_Central-African-Rep Geo_Chad Geo_Christmas-Is Geo_Cocos_Is Geo_Comoros Geo_Congo Geo_Cook-Is Geo_Costa-Rica Geo_Cote-dIvoire Geo_Croatia Geo_Cuba Geo_Curacao Geo_Cyprus Geo_Czech-Rep Geo_Djibouti Geo_Dominica Geo_Ecuador Geo_El-Salvador Geo_Equatorial-Guinea Geo_Eritrea Geo_Estonia Geo_Ethiopia Geo_Europe Geo_Falkland-Is Geo_Faroe-Is Geo_Fiji Geo_Finland Geo_French-Guiana Geo_French-Polynesia Geo_French-S-Ter Geo_Gabon Geo_Gambia Geo_Georgia Geo_Ghana Geo_Gibraltar Geo_Greece Geo_Greenland Geo_Grenada Geo_Guadeloupe Geo_Guam Geo_Guatemala Geo_Guernsey Geo_Guinea Geo_Guinea-Bissau Geo_Guyana Geo_Haiti Geo_Heard&McDonald-Is Geo_Holy-See Geo_Honduras Geo_Hong-Kong Geo_Hungary Geo_Iceland Geo_Iraq Geo_Ireland Geo_Isle-of-Man Geo_Italy Geo_Japan Geo_Jersey Geo_Jordan Geo_Kiribati Geo_Kuwait Geo_Lao-P-Dem-Rep Geo_Latvia Geo_Lebanon Geo_Lesotho Geo_Liberia Geo_Libyan-Arab-Jamahiriya Geo_Liechtenstein Geo_Lithuania Geo_Luxembourg Geo_Macao Geo_Macedonia Geo_Madagascar Geo_Malawi Geo_Maldives Geo_Mali Geo_Malta Geo_Marshall-Is Geo_Martinique Geo_Mauritania Geo_Mauritius Geo_Mayotte Geo_Micronesia Geo_Moldova-Rep Geo_Monaco Geo_Mongolia Geo_Montenegro Geo_Montserrat Geo_Mozambique Geo_Myanmar Geo_N-Mariana-Is Geo_Namibia Geo_Nauru Geo_Nepal Geo_Netherlands-Antilles Geo_New-Caledonia Geo_Niger Geo_Niue Geo_Norfolk-Is Geo_Norway Geo_Oman Geo_Palau Geo_Palestinian-Ter Geo_Panama Geo_Papua-New-Guinea Geo_Paraguay Geo_Peru Geo_Pitcairn Geo_Portugal Geo_Qatar Geo_Reunion Geo_Rwanda Geo_S-Georgia&S-Sandwich-Is Geo_S-Sudan Geo_Samoa Geo_San-Marino Geo_Sao-Tome&Principe Geo_Senegal Geo_Serbia Geo_Sierra-Leone Geo_Sint-Maarten Geo_Slovakia Geo_Solomon-Is Geo_Somalia Geo_Spain Geo_Sri-Lanka Geo_St-Bartelemey Geo_St-Helena Geo_St-Kitts&Nevis Geo_St-Lucia Geo_St-Martin Geo_St-Pierre&Miquelon Geo_St-Vincent&Grenadines Geo_Suriname Geo_Svalbard&Jan-Mayen Geo_Swaziland Geo_Sweden Geo_Switzerland Geo_Syrian-Arab-Rep Geo_Tajikistan Geo_Tanzania-Un-Rep-of Geo_Timor-Leste Geo_Togo Geo_Tokelau Geo_Tonga Geo_Turkmenistan Geo_Turks&Caicos-Is Geo_Tuvalu Geo_USA Geo_USA-Minor-Is Geo_Uganda Geo_Un-Arab-Emirates Geo_Un-Kingdom Geo_Uruguay Geo_Uzbekistan Geo_Vanuatu Geo_Virgin-Is-British Geo_Virgin-Is-U.S. Geo_Wallis&Futuna Geo_Western-Sahara Geo_Yemen Geo_Zambia
Got it! Fortinet removed the "EU" and "AP" country codes so any geo object referencing these two country codes will cause the issue.
Hi
We also have this issue and have 3 objects using both "EU and "AP". I can remove 2 of them but one of them is buried in a group and in use. I seldom use the CLI- given that's the only way we can edit "Addresses" currently- so does anyone know the command to edit a group via the CLI to remove an object? Thanks in advance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1558 | |
1033 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.