Failed import configuration to FortiManager
Hello,
I am starting to learn with FortiManager and when initially importing an existing FortiGate I get the following error:
Retriving configuration file from FGT...
Configuration file import succeeded.
Reloading configuration file...
Error: Configuration reload error.
---------------------------------
Failure info:
SELECT "##oid" FROM objcfg_fw_sched_onetime WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_group
SELECT "##oid" FROM objcfg_fw_sched_group WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_onetime
SELECT "##oid" FROM objcfg_fw_sched_onetime WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_group
SELECT "##oid" FROM objcfg_fw_sched_group WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_onetime
SELECT "##oid" FROM objcfg_fw_sched_onetime WHERE "##parent"=3 AND ("name"=? OR "name"=?);
>command(set firewall local-in-policy.1:intf SD-WAN-Inet) detail(datasrc invalid. object: firewall local-in-policy intf 1. detail: SD-WAN-Inet. solution: data not exist)> add reference fail: command(set firewall local-in-policy.1:intf SD-WAN-Inet) detail(datasrc invalid. object: firewall local-in-policy intf 1. detail: SD-WAN-Inet. solution: data not exist)cdb_parse_file: runtime error 131: datasrc invalid. object: firewall local-in-policy.1:intf. detail: SD-WAN-Inet. solution: data not exist
---------------------------------
It seems that the problem is caused by two rules in the local-in Policy that I have as geo-ip for IPsec tunnels:
config firewall local-in-policy
    edit 1
        set intf "SD-WAN-Inet"
        set srcaddr "ipsec-geo-vpn"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "SD-WAN-Inet"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end
How to get out of this?
Thank you.
Jirka
Hi @Jirka1 ,
Interesting, I've never seen the outputs of Retrieve with SQL statements.
Anyway:
1) What is the FMG firmware version?
2) What is the FGT firmware version?
3) Since you are running Retrieve, this FGT is in the Device Manager already, right?
4) If yes, did you do anything to FGT before running Retrieve, such as an upgrade?
5) If ADOM is enabled, what is the ADOM version?
Jerry
Created on ‎03-14-2025 12:59 AM Edited on ‎03-14-2025 01:09 AM
Hi @dingjerry_FTNT ,
this was the output from trying to add FGT to FMG via CLI on FMG.
1) What is the FMG firmware version? - 7.6.2 VM with trial licence
2) What is the FGT firmware version? - 7.4.7, 2x200F A-A
3) Since you are running Retrieve, this FGT is in the Device Manager already, right? - no, this was retrieve when adding FGT (Discovery) to FMG
4) If yes, did you do anything to FGT before running Retrieve, such as an upgrade? - no, this was first time retrieve
5) If ADOM is enabled, what is the ADOM version? - ADOM enabled, version 7.4, backup mode
Jirka
Hi @Jirka1 ,
Please change the ADOM mode to Normal for a try.
You can't add a new device while the ADOM is in Backup mode.
Jerry
You said "trying to add FGT to FMG via CLI"; how about using the FMG GUI to add the FGT?
Jerry
Of course, I tried this several times from the GUI, and here on the forum I found instructions on how to do it via the CLI to see what the problem is.
Jirka
This is what it looks like when I try to add FGT using the GUI
Jirka
And for fun - if I delete the two problematic local-in-policy on FGT:
config firewall local-in-policy
    edit 1
        set intf "SD-WAN-Inet"
        set srcaddr "ipsec-geo-vpn"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "SD-WAN-Inet"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end
adding FGT will go through without any problems. It is clear that the problem is caused by the int "SD-WAN-Inet" (which is a classic SD-WAN with one physical interface "x1").
Jirka
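Added example, not part of the thread and not Fortinet code: a pre-import check over a FortiGate configuration backup that lists local-in policies whose intf is an SD-WAN zone, the reference named in the datasrc error above, together with each policy's action so that removing them as a workaround is a visible decision. The sdwan zone layout in the sample and the function names are assumptions.

```python
import shlex

# Constructed sample: policies trimmed from the thread; sdwan zone layout assumed.
SAMPLE = '''
config system sdwan
    config zone
        edit "SD-WAN-Inet"
        next
    end
end
config firewall local-in-policy
    edit 1
        set intf "SD-WAN-Inet"
        set srcaddr "ipsec-geo-vpn"
        set action accept
    next
    edit 2
        set intf "SD-WAN-Inet"
    next
end
'''

def parse(text):
    """Map (config section path, edit id) -> {setting: [values]}."""
    stack, entries = [], {}
    for line in text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:  # fragment of a multi-line quoted value
            tok = []
        head = tok[0] if tok else ""
        sections = tuple(n for k, n in stack if k == "config")
        if head in ("config", "edit"):
            stack.append((head, " ".join(tok[1:])))
            if head == "edit":
                entries.setdefault((sections, stack[-1][1]), {})
        elif head in ("end", "next") and stack:
            stack.pop()
        elif head == "set" and len(tok) > 1 and stack and stack[-1][0] == "edit":
            entries[(sections, stack[-1][1])][tok[1]] = tok[2:]
    return entries

def zone_bound_local_in(text):
    """Return (policy id, SD-WAN zones in intf, action) per affected local-in policy."""
    entries = parse(text)
    zones = {eid for (sec, eid) in entries if sec == ("system sdwan", "zone")}
    # A backup omits default values, so a missing "set action" means deny.
    return [(eid, [i for i in v["intf"] if i in zones], v.get("action", ["deny"])[0])
            for (sec, eid), v in entries.items()
            if sec == ("firewall local-in-policy",) and zones & set(v.get("intf", []))]
```

On the sample, policy 1 is reported as accept and policy 2 as deny, which is the pair that restricts IKE/ESP to the geo address object.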
Hi @Jirka1 ,
Found one existing FMG bug for this issue:
1110780 - Resolved In 7.4.7, 7.6.3
This bug is also in the "Known issues" section of the FMG 7.6.2 GA Release Notes doc.
Jerry
