Support Forum
aagrafi
Contributor II

Installation fails due to dnsfilter profile purge

Hello,

 

A FortiGate with VDOMs configured was already added to an FMG for several days and working fine. The FMG is operating in advanced ADOM mode. When I created a new VDOM in the FMG for this FG, I faced the following issue:

 

The VDOM was created OK, but when I tried to install a policy for the first time, the installation failed at the following command:

 

config dnsfilter profile

purge

 

giving the error message: "default can not be deleted because it is a static entry."

 

I'm totally confused and do not have a clue about what to do. I had created several VDOMs via this FMG without a problem. I don't understand why the FMG decides to purge the dnsfilter profile for this particular VDOM. I tried to delete the VDOM and reconstruct it but I got the same issue. The problem is that I don't even understand why FMG is doing that change for this VDOM and how can I stop that.

 

Does anybody have an idea of possible causes of this problem and how to resolve it?

 

Thanks

 

 


6 REPLIES
chall_FTNT
Staff

Could you identify the version of FortiManager and FortiGate? 

 

In later patches of FOS 5.6, dnsfilter profile "default" became a reserved entry.  FortiManager 5.6.5 recognizes this change in FortiOS syntax.

Chris Hall
Fortinet Technical Support
SecurityResearch

I have the same exact problem

 

Fortigate model 900D

Fortigate Firmware 5.6.5

Fortimanager-VM Firmware 5.6.3

 

Based on the compatibility chart they should work fine with each other; however, upon importing the device for the first time and assigning global header/footer, or just trying to push any policy changes, I get the error. This is the log:

Starting log (Run on device)

Start installing
fwlcompany $ config vdom
fwlcompany (vdom) $ edit PLANT_TEST
current vf=PLANT_TEST:7
fwlcompany (PLANT_TEST) $ config dnsfilter profile
fwlcompany (profile) $ purge
default can not be deleted because it is a static entry.
fwlcompany (profile) $ end
fwlcompany (PLANT_TEST) $ end

---> generating verification report <--- done generating verification report

------- Start to retry --------

fwlcompany $ config vdom
fwlcompany (vdom) $ edit PLANT_TEST
current vf=PLANT_TEST:7
fwlcompany (PLANT_TEST) $ config dnsfilter profile
fwlcompany (profile) $ purge
default can not be deleted because it is a static entry.
fwlcompany (profile) $ end
fwlcompany (PLANT_TEST) $ end

---> generating verification report <--- done generating verification report

install failed

 

Please advise if a FortiManager upgrade is necessary or if the documentation that Fortinet provided is wrong.
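The install log above is echoed as one long line, which makes it awkward to grep across many devices. The following is an added Python example (not part of the thread and not Fortinet tooling) that walks such a log, tracks the VDOM and table being configured, and records every purge FortiOS rejected because the entry is static. The sample log is SecurityResearch's output re-typed one command per line; it is a constructed input for the script.

```python
"""Turn a FortiManager 'Run on device' install log into structured purge
failures. Added example (not from the thread or from Fortinet); the log
below is SecurityResearch's output, re-typed one command per line as a
constructed sample."""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = """\
Starting log (Run on device)
Start installing
fwlcompany $ config vdom
fwlcompany (vdom) $ edit PLANT_TEST
current vf=PLANT_TEST:7
fwlcompany (PLANT_TEST) $ config dnsfilter profile
fwlcompany (profile) $ purge
default can not be deleted because it is a static entry.
fwlcompany (profile) $ end
fwlcompany (PLANT_TEST) $ end
---> generating verification report <--- done generating verification report
------- Start to retry --------
fwlcompany $ config vdom
fwlcompany (vdom) $ edit PLANT_TEST
current vf=PLANT_TEST:7
fwlcompany (PLANT_TEST) $ config dnsfilter profile
fwlcompany (profile) $ purge
default can not be deleted because it is a static entry.
fwlcompany (profile) $ end
fwlcompany (PLANT_TEST) $ end
---> generating verification report <--- done generating verification report
install failed
"""

# Echoed CLI lines look like "<host> $ <cmd>" or "<host> (<context>) $ <cmd>".
CLI_RE = re.compile(r"^(?P<host>\S+)(?: \((?P<ctx>[^)]*)\))? \$ (?P<cmd>.*)$")
# FortiOS's refusal to delete a reserved entry (5.6.5+ makes 'default' one).
STATIC_RE = re.compile(
    r"^(?P<entry>\S+) can not be deleted because it is a static entry\.?$")


@dataclass(frozen=True)
class PurgeFailure:
    attempt: int   # 1 = first pass, 2 = after "Start to retry", ...
    vdom: str
    table: str     # e.g. "dnsfilter profile"
    entry: str     # the static entry FortiOS refused to delete


def find_static_purge_failures(log: str) -> list[PurgeFailure]:
    """Track the VDOM and table being configured and record each 'purge'
    that FortiOS rejected because an entry is static."""
    failures: list[PurgeFailure] = []
    attempt = 1
    vdom = "global"   # assumption: lines before 'config vdom / edit X' are not VDOM-specific
    table = ""
    last_cmd = ""
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("------- Start to retry"):
            attempt += 1
            continue
        cli = CLI_RE.match(line)
        if cli:
            cmd = cli.group("cmd")
            last_cmd = cmd
            if cli.group("ctx") == "vdom" and cmd.startswith("edit "):
                vdom = cmd.split(None, 1)[1]
            elif cmd.startswith("config ") and cmd != "config vdom":
                table = cmd[len("config "):]
            continue
        err = STATIC_RE.match(line)
        if err and last_cmd == "purge":
            failures.append(PurgeFailure(attempt, vdom, table, err.group("entry")))
    return failures


def install_failed(log: str) -> bool:
    """FortiManager ends a failed run with a bare 'install failed' line."""
    return any(l.strip() == "install failed" for l in log.splitlines())


def summarize(log: str) -> str:
    """One line per distinct (vdom, table, entry), suitable for a ticket."""
    seen = sorted({(f.vdom, f.table, f.entry) for f in find_static_purge_failures(log)})
    status = "FAILED" if install_failed(log) else "ok"
    if not seen:
        return f"install {status}; no static-entry purge blocks"
    return f"install {status}; blocked purges: " + ", ".join(
        f"{v} / {t} / {e}" for v, t, e in seen)


if __name__ == "__main__":
    for failure in find_static_purge_failures(SAMPLE_LOG):
        print(failure)
    print(summarize(SAMPLE_LOG))
```

The retry pass produces the same failure a second time, which is why `summarize` de-duplicates on (VDOM, table, entry); the per-attempt records are kept so you can see that the retry did not change anything.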

chall_FTNT (accepted solution)

An upgrade of the FortiManager to 5.6.5 is recommended. 

 

Background:

A change in FortiOS syntax in 5.6.5 made the default dnsfilter profile a static entry.  In FortiManager 5.6.5, the FortiManager will no longer try to purge dnsfilter profiles for FortiGates running 5.6.5 or later as a result.

 

As a workaround, you need at least 1 policy in each policy package to reference the default dnsfilter profile.

 

We are investigating updates to both the FortiManager 5.6.5 release notes and the FortiManager compatibility guide.

 

 

Chris Hall
Fortinet Technical Support
josh

FYI this is also happening on FortiManager v6.0.1 installing to a FortiGate running FortiOS v5.6.5

 

Creating a policy referencing the dns-filter resolved the issue. It's kinda ugly having to add it in to every policy for each VDOM but it's better than not being able to get a clean install.

 

Here is the rule I created:

 


config firewall policy
    edit <policy id>
        set name "dnsfilter-fix"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "none"
        set dstaddr "none"
        set action accept
        set schedule "always"
        set service "NONE"
        set utm-status enable
        set logtraffic disable
        set comments "This rule exists only to fix a bug with pushing policy without DNS filter - ref: https://forum.fortinet.com/tm.aspx?m=164178"
        set dnsfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
    next
end

 

Edit: If anyone needs it in future, this has been logged with FortiTAC as case # 2854995. This is the FortiOS v6 specific report, not the one mentioned in OPs report.

thrillseeker

Hi all,

 

Same issue with FOS 5.6.5 and FMG 5.6.3.

Does anybody know what exactly triggers this "dns-filter purge" issue?

I never used the dns-filter before...

 

Thanks for clarification

Thrillseeker

chall_FTNT

thrillseeker wrote:

Does anybody know what exactly triggers this "dns-filter purge" issue?

I never used the dns-filter before...

 

FortiManager would usually be attempting to purge all DNS filters on the first install attempt.  The general logic used is that if objects are not used, FortiManager will attempt to delete them from the FortiGate.

 

So if you cannot upgrade to FMG 5.6.5 (or later, since 5.6.6 is out later this week), the workaround is to add a dummy policy which references the default DNS filter.

Chris Hall
Fortinet Technical Support
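To make the purge logic described above concrete, here is an added Python model (not Fortinet code, and not from the thread) of the behaviour Chris Hall describes and of the workaround josh posted: for each VDOM's policy package it collects the dnsfilter profiles the policies reference, treats every other profile present on the device as a purge candidate, flags the first install as failed when the static "default" entry is among the candidates, lists the packages that still lack a referencing policy, and emits the placeholder policy as FortiOS CLI for them. All package and device data is constructed; representing references as one-element lists (the shape the FortiManager JSON-RPC API returns) is an assumption, and plain strings are accepted too.

```python
"""Model FortiManager's 'unreferenced objects get purged on install' logic
for the dnsfilter profile table, and check the thread's workaround (every
package needs one policy that references the default profile).  Added
example, not Fortinet code; all data below is constructed."""
from __future__ import annotations

# From FortiOS 5.6.5 the 'default' dnsfilter profile is a static (reserved) entry.
STATIC_PROFILES = {"default"}

# Constructed packages, one per VDOM, using FortiOS field names (policyid,
# name, utm-status, dnsfilter-profile). One-element lists for references
# mirror the FMG JSON-RPC API's shape (assumption); strings are accepted too.
PACKAGES: dict[str, list[dict]] = {
    "root": [
        {"policyid": 1, "name": "web-out", "utm-status": "enable",
         "dnsfilter-profile": ["default"]},
        {"policyid": 2, "name": "mgmt", "utm-status": "enable"},
    ],
    "PLANT_TEST": [
        # UTM on, but only a web filter: nothing references a DNS filter profile.
        {"policyid": 1, "name": "plant-out", "utm-status": "enable",
         "webfilter-profile": ["default"]},
    ],
}

# Constructed device state: dnsfilter profiles present in each VDOM.
DEVICE_PROFILES: dict[str, set[str]] = {
    "root": {"default", "legacy-dns"},
    "PLANT_TEST": {"default"},
}


def _ref_name(value) -> str | None:
    """Accept both the API's list form and the CLI's plain string form."""
    if isinstance(value, list):
        return value[0] if value else None
    return value or None


def referenced_dnsfilter_profiles(policies: list[dict]) -> set[str]:
    """Profiles the package references. FortiOS only accepts
    'set dnsfilter-profile' once utm-status is enabled on the policy."""
    refs: set[str] = set()
    for p in policies:
        if p.get("utm-status") != "enable":
            continue
        name = _ref_name(p.get("dnsfilter-profile"))
        if name:
            refs.add(name)
    return refs


def simulate_install(vdom: str, policies: list[dict], on_device: set[str]) -> dict:
    """What the first install does to 'config dnsfilter profile' in one VDOM:
    unreferenced entries are purged, and a static entry makes the purge fail."""
    unused = on_device - referenced_dnsfilter_profiles(policies)
    blocked = sorted(unused & STATIC_PROFILES)
    return {
        "vdom": vdom,
        "to_purge": sorted(unused),
        "blocked": blocked,
        "install_ok": not blocked,
        "error": (f"{blocked[0]} can not be deleted because it is a static entry."
                  if blocked else None),
    }


def packages_missing_workaround(packages: dict[str, list[dict]]) -> list[str]:
    """VDOM packages in which no policy references the default profile."""
    return [vdom for vdom, pols in packages.items()
            if "default" not in referenced_dnsfilter_profiles(pols)]


def dummy_policy(policyid: int) -> dict:
    """Placeholder policy in the same shape as the package entries: it
    matches nothing (srcaddr/dstaddr/service 'none') but references 'default'."""
    return {"policyid": policyid, "name": "dnsfilter-fix", "utm-status": "enable",
            "srcintf": ["any"], "dstintf": ["any"], "srcaddr": ["none"],
            "dstaddr": ["none"], "service": ["NONE"], "action": "accept",
            "schedule": ["always"], "logtraffic": "disable",
            "dnsfilter-profile": ["default"],
            "profile-protocol-options": ["default"],
            "ssl-ssh-profile": ["certificate-inspection"]}


def dummy_policy_cli(vdom: str, policyid: int) -> str:
    """The same placeholder rendered as FortiOS CLI, scoped to one VDOM."""
    p = dummy_policy(policyid)
    settings = [
        f'set name "{p["name"]}"', 'set srcintf "any"', 'set dstintf "any"',
        'set srcaddr "none"', 'set dstaddr "none"', "set action accept",
        'set schedule "always"', 'set service "NONE"', "set utm-status enable",
        "set logtraffic disable",
        f'set dnsfilter-profile "{p["dnsfilter-profile"][0]}"',
        'set profile-protocol-options "default"',
        'set ssl-ssh-profile "certificate-inspection"',
    ]
    lines = ["config vdom", f"edit {vdom}", "config firewall policy", f"edit {policyid}"]
    lines += ["    " + s for s in settings]
    lines += ["next", "end", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for vdom, pols in PACKAGES.items():
        print(simulate_install(vdom, pols, DEVICE_PROFILES[vdom]))
    for vdom in packages_missing_workaround(PACKAGES):
        print(f"\n# {vdom}: add a placeholder policy\n{dummy_policy_cli(vdom, 999)}")
```

The root package shows the general rule working as intended (the unreferenced custom profile "legacy-dns" is purged and the install succeeds), while PLANT_TEST reproduces the failure from the thread; appending the placeholder policy to that package is enough to take "default" off the purge list.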