Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jeff_the_Network_Guy
New Contributor III

Address objects cannot be displayed

I have two 300C Fortigates, both running v5.2.13,build762.  As of this morning I cannot access the Address objects via the web interface on either firewall.  I can access other items under the Objects node, like VIPs, or services.  If I try to access the Addresses screen under Policy and Objects I get the spinning progress indicator and it never goes away.  Neither firewall is reporting high resource utilization.  Has anyone else encountered this?  I'll probably just reboot tohe one firewall that isn't mission critical, but rebooting the other one will be tricky due the business demands.

----------------(-- Jeff
----------------(-- Jeff
4 Solutions
kphed
New Contributor III

We have numerous devices of varying models (100Ds, 300Ds, 80Cs, 110Cs) demonstrating this issue.  It does not seem model or firmware specific as these devices are running either v5.2.11 or v5.4.x.  We have not been able to correlate any specific pattern or firmware.  We manage hundreds more devices of similar model/firmware which are not experiencing the issue.  We are leaning towards an a compatibility issue with Fortiguard services packs but unsure which specific one (IP reputation, AV/APP/IPS etc).

View solution in original post

jmalhenzie
New Contributor II

If you use geo based address objects there is a problem with the latest database. Asia Pacific was removed. Removing that from a policy and deleting it from address objects resolved our issues. Maybe there are other changes, but that was the fix while working with support for us. I was told the issues will affect 5.2 through 5.4.9, but 5.6.5 is unaffected. We are currently on 5.2.13. 

- Justin

View solution in original post

- Justin
kphed
New Contributor III

Got it!  Fortinet removed the "EU" and "AP" country codes so any geo object referencing these two country codes will cause the issue.

 

View solution in original post

jmalhenzie

Final word from support:

 

"We made a switch from a third party to our in-house GEO DB. The following were Legacy GEO IP addresses which contained no info: A1 Anonymous Proxy A2 Satellite Provider AP Asia/Pacific Region EU Europe  "

 

 

- Justin

View solution in original post

- Justin
14 REPLIES 14
jmalhenzie

Final word from support:

 

"We made a switch from a third party to our in-house GEO DB. The following were Legacy GEO IP addresses which contained no info: A1 Anonymous Proxy A2 Satellite Provider AP Asia/Pacific Region EU Europe  "

 

 

- Justin

- Justin
Jeff_the_Network_Guy

Hey SquidgyPop, there isn't so much a straight up edit command that I know of if you just want to delete one item from a group.  You essentially need to re-write the group members.  I basically copied my member list out of the console window into Textpad, Notepad, whatever, deleted the bad address groups, and pasted it back in for the "Set Member command".

 

config firewall addgrp

edit "groupname"

sent member "member1" "member2" "member3" ...

end

 

----------------(-- Jeff
----------------(-- Jeff
ede_pfau

no no, there is a command (unselect) to just delete one item from a list (>= v5.2):

config firewall addgrp
   edit "groupname"
   unselect geo_Europe
end

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Jeff_the_Network_Guy

But that is only FortiOS 5.4 and greater right?  I'm currently hardware locked into 5.2.

----------------(-- Jeff
----------------(-- Jeff
ede_pfau

Re-read my post

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors