- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiAP
- FortiClient
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiExtender
- FortiEDR
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiProxy
- FortiPortal
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Fortimanager cannot install policy with VIP
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortimanager cannot install policy with VIP
When attempting to add a VIP to the configuration, FortiManager barfs on validating the policy. The status shows " Copy Failed" and the logs shows this at the end:
config firewall vip
edit <name of VIP>
set type static-nat
set extip <external ip>
set extintf " InternetZone"
set mappedip <Internal ip>
set portforward enable
set protocol tcp
set extport 4430
set mappedport 443
set ldb-method static
set max-embryonic-connections 1000
set http-multiplex disable
set http-ip-header enable
set ssl-dh-bits 1024
set ssl-min-version ssl-3.0
set ssl-max-version tls-1.1
set ssl-send-empty-frags enable
set ssl-client-session-state-type both
set ssl-client-session-state-timeout 30
set ssl-client-session-state-max 1000
set ssl-server-session-state-type both
set ssl-server-session-state-timeout 60
set ssl-server-session-state-max 100
set ssl-http-location-conversion disable
set ssl-http-match-host disable
set id 0
set arp-reply enable
set nat-source-vip disable
set gratuitous-arp-interval 0
set persistence none
set http-cookie-generation 0
set http-cookie-age 60
set http-cookie-share same-ip
set outlook-web-access disable
set https-cookie-secure disable
set ssl-mode half
set ssl-client-renegotiation allow
set color 0
set http-cookie-domain-from-host disable
set ssl-algorithm high
set ssl-pfs allow
==> invalid value
Any Ideas?
It' s FortiManager 4.0 MR3patch6
FortiGate 4.0 MR3patch10 on a FortiGate 100-D
There is no problem adding the configuration on the device itself, but once the policy is imported to the FortiManager, it will not install onto the FortiGate.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
since I did not see the full FMG db config, I am not 100% sure, but most possible reason is
the policy is using the zone interface (has multiple interface mapped in device level) and using a VIP configured with zone
this is currently not supported on FMG since VIP need to be for interface and a workaound is to use any interface VIP for zone policy
Thanks
Simon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand why this is not possible. I always create a zone for everything so if I later need to add another interface, I do not have to redo all the firewall policies, etc. In the fortigate, an interface can belong to a zone and you can also use the same interface for a VIP. Just change the fortimanager to let you select an interface! I dont see myself needing to use the same VIP on multiple fortigates because the IPs would be different anyway. Fortimanager is the most frustrating product I have used in a long time. 5.0.1 is a real nightmare for this as now they do not let you even mix single and multiple interfaces in a global zone. It makes copying policies, etc useless between firewalls with different interface counts. 5.0.0 at least let you map a single interface to a global zone without the single interface zone box checked but it had other issues which prevented us from using it. Now 5.0.1 fixes those issues but breaks way more basic functionality.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dent,
I was able to figure out the solution thanks to fortinet support. You must change your VIPs to use the ANY interface if the source interface is currently a fortimanager zone member. Doing this cause some issues with our LAN users accessing DMZ and internal resources using the VIP' s external IP which took me a bit to figure out. To get that to work, you have to create a firewall policy with the client zone as the source and the VIP destination as the destination zone. The destination address must be the VIP address object. Using ANY will not work.
Related Posts
Labels
-
fortigate
6,987 -
FortiClient
1,375 -
5.2
801 -
5.4
639 -
FortiManager
607 -
FortiAnalyzer
441 -
6.0
416 -
FortiAP
365 -
5.6
362 -
FortiSwitch
361 -
FortiClient EMS
285 -
FortiMail
271 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
170 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
103 -
FortiGateCloud
92 -
SSL-VPN
92 -
FortiSIEM
91 -
FortiCloud Products
86 -
FortiToken
76 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
SD-WAN
43 -
Fortivoice
43 -
FortiEDR
42 -
FortiDNS
37 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
FortiAuthenticator
29 -
High Availability
28 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
DNS
21 -
FortiConverter
21 -
BGP
19 -
FortiGate v5.2
19 -
SAML
18 -
FortiPortal
18 -
Certificate
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
VDOM
16 -
FortiMonitor
14 -
Authentication
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
RADIUS
11 -
Fortigate Cloud
11 -
NAT
11 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Application control
9 -
Web profile
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
WAN optimization
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
IPS signature
5 -
Packet capture
5 -
Proxy policy
5 -
FortiAP profile
5 -
Automation
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
Web rating
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
FortiDB
3 -
Intrusion prevention
3 -
Protocol option
2 -
FortiInsight
2 -
NAC policy
2 -
System settings
2 -
Users
2 -
FortiAI
2 -
VoIP profile
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
4.0MR1
1 -
TACACS
1 -
Subscription Renewal Policy
1 -
Replacement messages
1 -
FortiCWP
1 -
FortiNDR
1 -
Schedule
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
DLP sensor
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1016 | |
| 841 | |
| 493 | |
| 440 | |
| 144 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.