sw2090
Honored Contributor

[Bugreport] VIPs not usable in FMG Policy Manager

This happened here in this constellation:

 

FMG v7.0.5

FGT v7.0.9

Adom FortiOS v7

 

When you create a VIP in Policy Manager, you see it in the VIP section in the Objects menu, but it does not appear in the selection when you edit or create a policy and try to use it as destination.

 

The same does work in an adom which is FortiOS v6.4 on the same FMG.

VIPs also do work in FMG Policy Manager in a v7 adom when you create them on the FGT and then re-import the configuration from the FGT into FMG. This creates a new policy package in which you can see and use the VIP in Policies.

This also is reproducible.

 

TAC confirmed to me this is a Bug and gave it Bug ID #0869291.

TAC also confirmed to me that this was reported to be solved in prior versions but seems to have reappeared either in 7.0 (or even 7.x?) ADOMs or FMG 7.0.5.

 

Just thought I'd let the community know... maybe someone else runs into that issue...

 

Merry Xmas

Sebastian

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

sw2090
Honored Contributor

I can share an update on this with you:

 

TAC have found the culprit in their lab. In fact it is a bug in the FMG GUI.

The actual bug is that the GUI used for creating a VIP in FMG Policy Manager does not accept an empty value or "::" in the IPv6 mapping field when you create a VIP.

Instead it forces you to enter a valid IPv6 address. To not create any security woes I chose to enter ::1 (local loopback in IPv6). With the mapping set to that, the VIP does not appear in Policy Manager when you create or edit a policy.

However, if you edit that VIP and delete the content of the IPv6 mapping so it is either empty or set to "::", that indeed is accepted and I guess the IPv6 mapping is removed (unset on CLI that would be). Then the VIP appears in Policy Manager.

This only affects v7 ADOMs. It works fine in v6 ADOMs.

I don't know why FortiGate failed to implement that correctly in the v7 create VIP function while they did implement it correctly in the edit function in v7 ADOMs and also in FOS 7 on the FortiGate.

 

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
