Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jirka1
Contributor III

Created on ‎03-13-2025 03:09 PM

Failed import configuration to FortiManager

Hello,

I am starting to learn with FortiManager and when initially importing an existing FortiGate I get the following error:

 

Retriving configuration file from FGT...
Configuration file import succeeded.
Reloading configuration file...
Error: Configuration reload error.
---------------------------------
Failure info:
SELECT "##oid" FROM objcfg_fw_sched_onetime WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_group
SELECT "##oid" FROM objcfg_fw_sched_group WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_onetime
SELECT "##oid" FROM objcfg_fw_sched_onetime WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_group
SELECT "##oid" FROM objcfg_fw_sched_group WHERE "##parent"=3 AND ("name"=? OR "name"=?);
no such table: objcfg_fw_sched_onetime
SELECT "##oid" FROM objcfg_fw_sched_onetime WHERE "##parent"=3 AND ("name"=? OR "name"=?);
>command(set firewall local-in-policy.1:intf SD-WAN-Inet) detail(datasrc invalid. object: firewall local-in-policy intf 1. detail: SD-WAN-Inet. solution: data not exist)> add reference fail: command(set firewall local-in-policy.1:intf SD-WAN-Inet) detail(datasrc invalid. object: firewall local-in-policy intf 1. detail: SD-WAN-Inet. solution: data not exist)cdb_parse_file: runtime error 131: datasrc invalid. object: firewall local-in-policy.1:intf. detail: SD-WAN-Inet. solution: data not exist
---------------------------------

 

It seems that the problem is caused by two rules in the local-in Policy that I have as geo-ip for IPsec tunnels:

config firewall local-in-policy
    edit 1
        set intf "SD-WAN-Inet"
        set srcaddr "ipsec-geo-vpn"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "SD-WAN-Inet"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end

 

How to get out of this?

Thank you.

Jirka

Labels:
209
0 Kudos
9 REPLIES 9
dingjerry_FTNT
Staff
Staff

Created on ‎03-13-2025 07:44 PM

Hi @Jirka1 ,

 

Interesting, I've never seen the outputs of Retrieve with SQL statements.

 

Anyway:

1) What is the FMG firmware version?

2) What is the FGT firmware version?

3) Since you are running Retrieve, this FGT is in the Device Manager already, right?

4) If yes, did you do anything to FGT before running Retrieve, such as an upgrade?

5) If ADOM is enabled, what is the ADOM version?

Regards,

Jerry
182
Jirka1
Contributor III
In response to dingjerry_FTNT

Created on ‎03-14-2025 12:59 AM Edited on ‎03-14-2025 01:09 AM

Hi @dingjerry_FTNT ,

this was the output from trying to add FGT to FMG via CLI on FMG.

 

1) What is the FMG firmware version? - 7.6.2 VM with trial licence

2) What is the FGT firmware version? - 7.4.7, 2x200F A-A

3) Since you are running Retrieve, this FGT is in the Device Manager already, right? - no, this was retrieve when adding FGT (Discovery) to FMG

4) If yes, did you do anything to FGT before running Retrieve, such as an upgrade? -  no, this was first time retrieve

5) If ADOM is enabled, what is the ADOM version? - ADOM enabled, version 7.4, backup mode

 

Jirka

163
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to Jirka1

Created on ‎03-14-2025 08:07 AM

Hi @Jirka1 ,

 

Please change the ADOM mode to Normal for a try.

 

You can't add a new device while the ADOM is in Backup mode.

Regards,

Jerry
136
Jirka1
Contributor III
In response to dingjerry_FTNT

Created on ‎03-14-2025 08:38 AM

Hello @dingjerry_FTNT ,

 

I tried this too and it ends up with the same error…

 

Jirka

124
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to Jirka1

Created on ‎03-14-2025 09:24 AM

You said "trying to add FGT to FMG via CLI", how about using FMG GUI adding the FGT?

Regards,

Jerry
113
0 Kudos
Jirka1
Contributor III
In response to dingjerry_FTNT

Created on ‎03-14-2025 09:46 AM

Of course that I tried this several times from the GUI and here on the forum I found instructions on how to do it via the CLI to see what the problem is.

 

Jirka

106
0 Kudos
Jirka1
Contributor III
In response to dingjerry_FTNT

Created on ‎03-14-2025 02:50 PM

 

This is what it looks like when I try to add FGT using the GUI

 

Jirka

 

image.png

68
0 Kudos
Jirka1
Contributor III
In response to Jirka1

Created on ‎03-14-2025 03:04 PM

And for fun - if I delete the two problematic local-in-policy on FGT:

config firewall local-in-policy
    edit 1
        set intf "SD-WAN-Inet"
        set srcaddr "ipsec-geo-vpn"
        set dstaddr "all"
        set action accept
        set service "IKE" "ESP"
        set schedule "always"
    next
    edit 2
        set intf "SD-WAN-Inet"
        set srcaddr "all"
        set dstaddr "all"
        set service "IKE" "ESP"
        set schedule "always"
    next
end

 

adding FGT will go through without any problems. It is clear that the problem is caused by the int "SD-WAN-Inet" (which is a classic sd-wan with one physical interface "x1")

image.png

 

Jirka

61
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to Jirka1

Created on ‎03-14-2025 05:20 PM

Hi @Jirka1 ,

 

Found one existing FMG bug for this issue:

 

1110780 - Resolved In 7.4.7, 7.6.3

 

This bug is also in the "Known issues" section of the FMG 7.6.2 GA Release Notes doc.

 

Regards,

Jerry
33
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.