Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: Issue with address group nesting with FortiOS...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue with address group nesting with FortiOS 5.2
Hi there,
My firewall cluster throws me an error when i want to change members of an address group which is member of an other group (nested)
When i try to change members is get the error " entry not found"
Anyone else having this issue? or could anyone test this on an other 5.2 and 5.0.7 FG?
You can test this is as follows:
First create some test addresses:
FW02A (address) # config firewall address
FW02A (address) # edit zztest1
new entry ' zztest1' added
FW02A (zztest1) # set subnet 10.0.0.1/32
FW02A (zztest1) # next
FW02A (address) # edit zztest2
new entry ' zztest2' added
FW02A (zztest2) # set subnet 10.0.0.2/32
FW02A (zztest2) # next
FW02A (address) # edit zztest3
new entry ' zztest3' added
FW02A (zztest3) # set subnet 10.0.0.3/32
FW02A (zztest3) # next
FW02A (address) # end
Then create two address groups where the first group is a member of the second
FW02A # config firewall addrgrp
FW02A (addrgrp) # edit zztestgrp1
new entry ' zztestgrp1' added
FW02A (zztestgrp1) # set member zztest1 zztest2
FW02A (zztestgrp1) # next
FW02A (addrgrp) # edit zztestgrp2
new entry ' zztestgrp2' added
FW02A (zztestgrp2) # set member zztestgrp1
FW02A (zztestgrp2) # next
And now try to change members of the first group:
FW02A (addrgrp) # edit zztestgrp1
FW02A (zztestgrp1) # set member zztest1 zztest2 zztest3
entry not found in datasource
value parse error before ' zztest1'
Command fail. Return code -3
FW02A (zztestgrp1) # append member zztest3
entry not found in datasource
value parse error before ' zztest3'
Command fail. Return code -3
FW02A (zztestgrp1) # unselect zztest2
command parse error before ' zztest2'
Command fail. Return code -61
When you remove the first group as a member of the second group all works properly.
Hope some of you have time to test this on 5.0.7 and 5.2 setups.
- MBR-
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
27 REPLIES 27
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I ve seen that behavior also,not sure if 5.2 does the same but I will test and update you when I get chance todo so.I ' ve always hated nesting group due to stringing of dependencies it can create.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have performed some additional testing using a FG 5.0.7 and a FG 5.2 VM.
When performing the steps described in my first post i can reproduce the error on the factory default FG 5.2 VM.
The FG5.0.7 VM however is working properly.
So this seems to be another BUG in the 5.2 GA release.
I have asked Fortinet to confirm this. I' ll let you know.
Think i' m going to downgrade to 5.0.7.. (upgraded to 5.2 to fix 2 other issues :( )
- MBR -
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Confirmed the same issue MBR in VMs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortinet Support also acknowledged this issue. Hope they will come with a fix soon.
- MBR -
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Downgraded to 5.0.7 today cause this issue is keeping me from doing daily maintenance on the firewall 
So we have to wait for some patches on 5.2 to make in usable.
So we have to wait for some patches on 5.2 to make in usable.
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FWIW
I tried to use the clear command under 5.2GA and found out there' s no way to modify a nested group;
clear member
The attribute can' t be empty!
command_cli_unset:4774 clear MEMBER table oper error. ret=-56
Command fail. Return code -56
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Clear command indeed does not work.
You can use " unselect member xxx" and " append member xxx" to change members.
Documentation of Fortinet is incomplete. Does not even mention these commands.
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool, I was not aware of the unselect option and yes that fails also
FWF60D (grp-all) # show
config firewall addrgrp
edit " grp-all"
set uuid 3e14a0ec-0ecc-51e4-80b1-39b558bf83b2
set member " grp1" " grp2"
next
end
FWF60D (grp-all) # unselect " grp2"
command parse error before ' grp2'
Command fail. Return code -61
Seems like 5.2GA needs some improvements 
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Support told me this issue would be fixed in next release.
5.2.1 is released september 16th but i dont see this bug (#248808) fixed in the release notes however :(
I asked support for clarification
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
Labels
-
FortiGate
10,805 -
FortiClient
2,214 -
FortiManager
906 -
FortiAnalyzer
691 -
5.2
687 -
5.4
638 -
FortiSwitch
597 -
FortiClient EMS
585 -
FortiAP
568 -
IPsec
446 -
6.0
416 -
SSL-VPN
394 -
FortiMail
380 -
5.6
362 -
FortiNAC
299 -
FortiWeb
258 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
208 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
120 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
94 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
Routing
79 -
SAML
78 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2727 | |
| 1416 | |
| 810 | |
| 738 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.