Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Gbarnes619
New Contributor

Fortigate 50B not accepting dstaddr for firewall policy

Hi all, I had to resort to reaching out here as I cannot seem to determine what the problem is. I have set up a firewall object-VIP and am attempting to set up the Firewall Policy, but every time I make the entry it does not have my VIP in the dstaddr field of the policy. When I attempted to do it via CLI, it errored out with:

 commands.c:3952 cmf_query_table_delete() error
 Command fail. Return code -1

The command I attempted was:

 config firewall policy
     edit 11
         set dstaddr XXXXX

     edit 11
         set srcintf "wan1"
         set dstintf "internal"
         set srcaddr "any"
         set dstaddr ""
         set action accept
         set schedule "always"
         set service "SSH"
         set logtraffic enable
         set nat enable
     next

Can someone explain what is happening and why I can't set the dstaddr? Thanks in advance, -Greg
rwpatterson
Valued Contributor III

Welcome to the forums. Make sure the interface on the VIP definition is the same as the SOURCE interface in the policy. (Been there, pulled out many a hair myself...)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Gbarnes619
New Contributor

It is the same. I even tried cloning an identical Policy and replacing the destination addr with the new one, but it won't take it. When I right click on the destination in the GUI and change it to the proper one, it says "Invalid length of value." Every single thing is the same as the identical policy. Soooooo confused.
rwpatterson
Valued Contributor III

From the CLI, please get the following:
 # show firewall policy <policy_number>
 # show firewall vip "<VIP name here>"
Obfuscate any IP addresses or names you don't want public.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Gbarnes619
New Contributor

 config firewall policy
     edit 11
         set srcintf "YYYY"
         set dstintf "internal"
         set srcaddr "any"
         set dstaddr ""
         set action accept
         set schedule "always"
         set service "SSH"
         set logtraffic enable
         set nat enable
     next
 end

 config firewall vip
     edit "XYXYXYXYX"
         set extip XXX.XXX.XXX.XXX
         set extintf "YYYY"
         set portforward enable
         set mappedip XXX.XXX.XXX.XXX
         set extport XXXX
         set mappedport XX
     next
 end
rwpatterson
Valued Contributor III

One thing, the source address needs to map to the VIP, not the destination as I posted above. Below is a working config from my firewall:
 config firewall vip
     edit "vIP-Web server"
         set extintf "wan1"
         set portforward enable
         set mappedip 192.168.39.142
         set extport 5190
         set mappedport 5190
     next
 end

 config firewall policy
     edit 309
         set srcintf "wan1"
         set dstintf "dmz"
         set srcaddr "all"
         set dstaddr "vIP-Web server"
         set action accept
         set schedule "always"
         set service "AOL"
     next
 end

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson
Valued Contributor III

From what you posted, nothing stands out. 3 more questions: 1) What firmware version is the firewall running? 2) How long (in digits) is the VIP name? 3) Are there any spaces in the VIP name? Added: since I don't have an outside IP mapping in my definition, is the IP address of the VIP on the subnet of the external interface?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
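The checks Bob is walking through (the VIP bound to the same interface the policy uses as srcintf, the VIP actually present in dstaddr rather than an empty value, and the VIP name length) can be run mechanically over pasted `show` output instead of eyeballing it. The script below is an added example written for this thread; it is not code posted by either participant and not a Fortinet tool. The config it parses is a constructed sample modelled on the snippets above, and the 35-character name limit is an assumption (limits differ between FortiOS releases), so adjust it for the firmware in question.

```python
"""Cross-check a FortiOS 'show' dump: do policies and VIPs agree?

Added example for this forum thread; the input is constructed, not real
device output, and MAX_NAME_LEN is an assumed limit.
"""
import re

# Constructed sample modelled on the snippets posted in this thread.
# Policy 309 is the known-good one; 11 and 12 reproduce two mistakes.
SAMPLE_CONFIG = """
config firewall vip
    edit "vIP-Web server"
        set extintf "wan1"
        set portforward enable
        set mappedip 192.168.39.142
        set extport 5190
        set mappedport 5190
    next
    edit "vIP-this-name-is-way-too-long-for-the-old-firmware"
        set extintf "wan1"
        set mappedip 192.168.39.143
    next
end
config firewall policy
    edit 309
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vIP-Web server"
        set action accept
        set schedule "always"
        set service "AOL"
    next
    edit 11
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "vIP-Web server"
        set action accept
    next
    edit 12
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr ""
        set action accept
    next
end
"""

# Assumed object-name limit (older FortiOS builds were stricter than newer
# ones); adjust to the firmware actually in use.
MAX_NAME_LEN = 35

_VALUE_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted or bare tokens


def parse_fortios(text):
    """Parse flat 'config <table> / edit <name> / set <key> <values>' blocks.

    Returns {table: {entry: {key: [values]}}}.  Nested sub-tables are not
    tracked, which is enough for the vip and policy tables used here.
    """
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[len("edit "):].strip().strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and table is not None and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            # 'set dstaddr "a" "b"' is a multi-value field, so keep a list
            tables[table][entry][key] = [q or b for q, b in _VALUE_RE.findall(rest)]
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def check_policies(tables, max_name_len=MAX_NAME_LEN):
    """Return [(object_id, problem)] for the mistakes discussed in the thread."""
    vips = tables.get("firewall vip", {})
    problems = []
    for name in vips:
        if len(name) > max_name_len:
            problems.append((name, f"VIP name is {len(name)} chars, assumed limit {max_name_len}"))
    for pid, pol in tables.get("firewall policy", {}).items():
        dst = pol.get("dstaddr", [])
        if not any(dst):
            problems.append((pid, "dstaddr is empty; the VIP never made it into the policy"))
            continue
        for name in dst:
            if name not in vips:
                continue   # ordinary address object, nothing to cross-check
            vip_intf = vips[name].get("extintf", [])
            if vip_intf and vip_intf != pol.get("srcintf", []):
                problems.append((pid, f"VIP {name!r} is bound to {vip_intf} "
                                      f"but policy srcintf is {pol.get('srcintf')}"))
    return problems


if __name__ == "__main__":
    for obj, msg in check_policies(parse_fortios(SAMPLE_CONFIG)):
        print(f"{obj}: {msg}")
```

Paste the output of `show firewall vip` and `show firewall policy` into `SAMPLE_CONFIG` (or read it from a file) and run the script; each line it prints names the policy or VIP and the mismatch, so the interface and empty-dstaddr cases in this thread are caught before another round of guessing in the GUI.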
rwpatterson
Valued Contributor III

Looking at what you first posted, I don't believe you can do the entire sequence in one pass....
config firewall policy edit 11 set dstaddr XXXXX
Try instead:
 FGT # config firewall policy
 FGT policy # edit 11
 FGT (11) # set dstaddr XXXXX
 FGT (11) # end
 FGT # end

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Gbarnes619
New Contributor

All my configs are identical to yours except it will not accept the dstaddr in my config. Talk about pulling my hair out.... And I don't have any.
Gbarnes619
New Contributor

Yeah, I did it in steps as you indicated. That is when I got the initial error I posted.