Cannot apply default webfilter-profile to external Firewall policy, no error
Cannot apply default webfilter-profile to external Firewall policy. It fails with no error and I am not sure what I am doing wrong or how to correct this problem. I am following the guide below while using FortiManager Cloud:
I can apply the below settings:
application-list - default
av-profile - default
ips-sensor - default
ssl-ssh-profile - deep-inspection
However, when I configure:
webfilter-profile - default
The policy fails to apply with no error, see log below:
Created on ‎12-12-2024 09:01 AM Edited on ‎12-12-2024 09:02 AM
I solved this issue by configuring my firewall policy via the FortiManager Policy Package and deploying to the Fortigate that way.
Hi,
Verify the inspection mode on the firewall policy is flow/proxy and the feature set on the webfilter profile is flow/proxy. Make sure they are the same.
Salon Raj Joshi
All policies and profiles are set to Flow already
Hi @cschmidt-leolabs ,
Also, please run the following commands before the push:
diag debug cli 8
diag debug enable
Once you are done with the Push on FMG, disable the debug on FGT:
diag debug disable
diag debug cli 3
Then please share the outputs for further investigation.
Jerry
I set up the debug messages but I'm not sure if I can see what the issue is from them...
testsr-fortigate # diag debug cli 8
Debug messages will be on for 15 minutes.
testsr-fortigate # diag debug enable
testsr-fortigate # 0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get system mgmt-csum
0: get sys status
-61: get system auto-scale
-61: diag sys ha checksum autoscale-cluster
-61: diag sys ha autoscale-peers
0: get system interface
0: get system interface physical
0: get hardware status
0: get mgmt-data status
0: diagnose test update info contract
0: get sys status
0: get system central-management
0: get system ip-conflict status
0: get sys status
0: get system central-management
0: get system ip-conflict status
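A small triage script for a `diag debug cli 8` capture like the one above, as an added example that is not part of the original thread: it groups the pushed `config ... end` blocks and tallies lines whose leading number is non-zero. Treating that leading number as the command's return code is an assumption, and the sample input is constructed in the same shape as the capture.

```python
import re
from collections import Counter

# Constructed sample in the same "<number>: <command>" shape as the capture.
SAMPLE = """\
testsr-fortigate # diag debug enable
testsr-fortigate # 0: get sys status
-61: get system auto-scale
0: config firewall policy
0: edit 8
0: set webfilter-profile "default"
0: next
0: end
0: get system mgmt-csum
"""

# Optional "<hostname> # " prompt, then "<number>: <command>".
LINE = re.compile(r'^(?:\S+ # )?(-?\d+): (.+)$')

def parse(text):
    """Yield (code, command) for each logged CLI line; skip everything else."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(2).strip()

def config_blocks(text):
    """Group top-level 'config ... end' blocks; ok is True if every code was 0."""
    blocks, current, depth = [], None, 0
    for code, cmd in parse(text):
        if cmd.startswith("config "):
            if depth == 0:
                current = {"path": cmd[len("config "):], "commands": [], "ok": True}
                blocks.append(current)
            depth += 1
        if current is None:
            continue  # status polling outside any config block
        current["commands"].append((code, cmd))
        current["ok"] = current["ok"] and code == 0
        if cmd == "end":
            depth -= 1
            if depth == 0:
                current = None
    return blocks

def nonzero_codes(text):
    """Count every (code, command) pair whose leading number is not 0."""
    return Counter((c, cmd) for c, cmd in parse(text) if c != 0)

if __name__ == "__main__":
    for b in config_blocks(SAMPLE):
        print(b["path"], "ok" if b["ok"] else "check", b["commands"])
    print(dict(nonzero_codes(SAMPLE)))
```

Separating the config blocks from the repeated status polling makes it easier to see which pushed commands reached the device and whether any non-zero line falls inside them.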
Hello
Can you confirm whether the default web filter profile is on the FortiGate and is synced with FortiManager? Also check if it's in the correct VDOM.
They look the same but I have more profiles in FortiManager than I do on the FortiGate.
I am not using any VDOMs
