This happened here in this constellation:
FMG v7.0.5
FGT v7.0.9
Adom FortiOS v7
When you create a VIP in Policy Manager you see it in the VIP section in the objects menu, but it does not appear in the selection when you edit or create a policy and try to use it as destination.
The same does work in an adom which is FortiOS v6.4 on the same FMG.
VIPs also do work in FMG Policy Manager in a v7 adom when you create them on the FGT and then re-import the configuration from the FGT into FMG. This creates a new policy package in which you can see and use the VIP in Policies.
This also is reproducible.
TAC confirmed to me this is a Bug and gave it Bug ID #0869291.
TAC also confirmed to me that this was reported to be solved in prior versions but seems to have reappeared either in 7.0 (or even 7.x?) adoms or FMG 7.0.5.
Just thought I let the community know...maybe someone else runs into that issue...
Merry Xmas
Sebastian
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I can share an update on this with you:
TAC have found the culprit in their lab. In fact it is a bug in the FMG GUI.
The actual bug is that the GUI used for creating a VIP in FMG Policy Manager does not accept an empty value or "::" in the IPv6 mapping field when you create a VIP.
Instead it forces you to enter a valid IPv6 address. To not create any security woes I chose to enter ::1 (local loopback in IPv6). With the mapping set to that, the VIP does not appear in Policy Manager when you create or edit a policy.
However, if you edit that VIP and delete the content of the IPv6 mapping so it is either empty or set to "::", that indeed is accepted and I guess the IPv6 mapping is removed (unset on CLI that would be). Then the VIP appears in Policy Manager.
This only affects v7 adoms. It works fine in v6 adoms.
I don't know why FortiGate failed to implement that correctly in the v7 create VIP function while they did implement it correctly in the edit function in a v7 adom and also in FOS 7 on the FortiGate.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams