I have two 300C Fortigates, both running v5.2.13,build762. As of this morning I cannot access the Address objects via the web interface on either firewall. I can access other items under the Objects node, like VIPs, or services. If I try to access the Addresses screen under Policy and Objects I get the spinning progress indicator and it never goes away. Neither firewall is reporting high resource utilization. Has anyone else encountered this? I'll probably just reboot the one firewall that isn't mission critical, but rebooting the other one will be tricky due to the business demands.
We have numerous devices of varying models (100Ds, 300Ds, 80Cs, 110Cs) demonstrating this issue. It does not seem model or firmware specific as these devices are running either v5.2.11 or v5.4.x. We have not been able to correlate any specific pattern or firmware. We manage hundreds more devices of similar model/firmware which are not experiencing the issue. We are leaning towards a compatibility issue with Fortiguard services packs but unsure which specific one (IP reputation, AV/APP/IPS etc).
If you use geo based address objects there is a problem with the latest database. Asia Pacific was removed. Removing that from a policy and deleting it from address objects resolved our issues. Maybe there are other changes, but that was the fix while working with support for us. I was told the issues will affect 5.2 through 5.4.9, but 5.6.5 is unaffected. We are currently on 5.2.13.
- Justin
Got it! Fortinet removed the "EU" and "AP" country codes so any geo object referencing these two country codes will cause the issue.
Final word from support:
"We made a switch from a third party to our in-house GEO DB. The following were Legacy GEO IP addresses which contained no info:
A1 Anonymous Proxy
A2 Satellite Provider
AP Asia/Pacific Region
EU Europe"
- Justin
Hey SquidgyPop, there isn't so much a straight up edit command that I know of if you just want to delete one item from a group. You essentially need to re-write the group members. I basically copied my member list out of the console window into Textpad, Notepad, whatever, deleted the bad address groups, and pasted it back in for the "Set Member command".
config firewall addrgrp
edit "groupname"
set member "member1" "member2" "member3" ...
end
no no, there is a command (unselect) to just delete one item from a list (>= v5.2):
config firewall addrgrp
edit "groupname"
unselect member "geo_Europe"
end
But that is only FortiOS 5.4 and greater, right? I'm currently hardware locked into 5.2.
Re-read my post
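An added example, not part of the original posts and not Fortinet code: one way to find, in a saved configuration backup, the geography address objects that reference the country codes support listed as removed (A1, A2, AP, EU) and the address groups that still contain them. It assumes the backup uses the usual `set type geography` / `set country` layout; the sample config, object names and function names are constructed for illustration.

```python
import re

# Legacy codes that support listed in the thread as removed from the GEO DB.
REMOVED = {"A1", "A2", "AP", "EU"}
# Constructed sample backup; object and group names are made up.
SAMPLE = '''\
config firewall address
    edit "geo_Europe"
        set type geography
        set country "EU"
    next
    edit "geo_Germany"
        set type geography
        set country "DE"
    next
end
config firewall addrgrp
    edit "blocked_regions"
        set member "geo_Europe" "geo_Germany"
    next
end
'''

def entries(config, section):
    """Yield (name, body) for every edit block in each 'config <section>' block."""
    pat = r'^config %s\n(.*?)^end$' % re.escape(section)
    for m in re.finditer(pat, config, re.S | re.M):
        yield from re.findall(r'^\s+edit "([^"]+)"\n(.*?)^\s+next$',
                              m.group(1), re.S | re.M)

def stale_geo_objects(config):
    """Map address-object name -> removed country code it references."""
    out = {}
    for name, body in entries(config, "firewall address"):
        c = re.search(r'set country "([^"]+)"', body)
        if c and c.group(1) in REMOVED:
            out[name] = c.group(1)
    return out

def affected_groups(config):
    """Map address-group name -> members that are stale geography objects."""
    stale, out = stale_geo_objects(config), {}
    for name, body in entries(config, "firewall addrgrp"):
        m = re.search(r'set member (.*)', body)
        members = re.findall(r'"([^"]+)"', m.group(1) if m else "")
        hits = [x for x in members if x in stale]
        if hits:
            out[name] = hits
    return out

if __name__ == "__main__":
    print(stale_geo_objects(SAMPLE), affected_groups(SAMPLE))
```

Each group it reports needs the listed members removed before the address object itself can be deleted; policies that reference the object directly are not covered by this sketch.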