Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MBR
New Contributor III

Issue with address group nesting with FortiOS 5.2

Hi there, My firewall cluster throws me an error when i want to change members of an address group which is member of an other group (nested) When i try to change members is get the error " entry not found" Anyone else having this issue? or could anyone test this on an other 5.2 and 5.0.7 FG? You can test this is as follows: First create some test addresses: FW02A (address) # config firewall address FW02A (address) # edit zztest1 new entry ' zztest1' added FW02A (zztest1) # set subnet 10.0.0.1/32 FW02A (zztest1) # next FW02A (address) # edit zztest2 new entry ' zztest2' added FW02A (zztest2) # set subnet 10.0.0.2/32 FW02A (zztest2) # next FW02A (address) # edit zztest3 new entry ' zztest3' added FW02A (zztest3) # set subnet 10.0.0.3/32 FW02A (zztest3) # next FW02A (address) # end Then create two address groups where the first group is a member of the second FW02A # config firewall addrgrp FW02A (addrgrp) # edit zztestgrp1 new entry ' zztestgrp1' added FW02A (zztestgrp1) # set member zztest1 zztest2 FW02A (zztestgrp1) # next FW02A (addrgrp) # edit zztestgrp2 new entry ' zztestgrp2' added FW02A (zztestgrp2) # set member zztestgrp1 FW02A (zztestgrp2) # next And now try to change members of the first group: FW02A (addrgrp) # edit zztestgrp1 FW02A (zztestgrp1) # set member zztest1 zztest2 zztest3 entry not found in datasource value parse error before ' zztest1' Command fail. Return code -3 FW02A (zztestgrp1) # append member zztest3 entry not found in datasource value parse error before ' zztest3' Command fail. Return code -3 FW02A (zztestgrp1) # unselect zztest2 command parse error before ' zztest2' Command fail. Return code -61 When you remove the first group as a member of the second group all works properly. Hope some of you have time to test this on 5.0.7 and 5.2 setups. - MBR-

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
27 REPLIES 27
emnoc
Esteemed Contributor III

Yes I ve seen that behavior also,not sure if 5.2 does the same but I will test and update you when I get chance todo so.I ' ve always hated nesting group due to stringing of dependencies it can create.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
MBR
New Contributor III

I have performed some additional testing using a FG 5.0.7 and a FG 5.2 VM. When performing the steps described in my first post i can reproduce the error on the factory default FG 5.2 VM. The FG5.0.7 VM however is working properly. So this seems to be another BUG in the 5.2 GA release. I have asked Fortinet to confirm this. I' ll let you know. Think i' m going to downgrade to 5.0.7.. (upgraded to 5.2 to fix 2 other issues :( ) - MBR -

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
Warren_Olson_FTNT

Confirmed the same issue MBR in VMs.
MBR
New Contributor III

Fortinet Support also acknowledged this issue. Hope they will come with a fix soon. - MBR -

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
MBR
New Contributor III

Downgraded to 5.0.7 today cause this issue is keeping me from doing daily maintenance on the firewall So we have to wait for some patches on 5.2 to make in usable.

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
emnoc
Esteemed Contributor III

FWIW I tried to use the clear command under 5.2GA and found out there' s no way to modify a nested group; clear member The attribute can' t be empty! command_cli_unset:4774 clear MEMBER table oper error. ret=-56 Command fail. Return code -56

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
MBR
New Contributor III

Clear command indeed does not work. You can use " unselect member xxx" and " append member xxx" to change members. Documentation of Fortinet is incomplete. Does not even mention these commands.

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
emnoc
Esteemed Contributor III

Cool, I was not aware of the unselect option and yes that fails also FWF60D (grp-all) # show config firewall addrgrp edit " grp-all" set uuid 3e14a0ec-0ecc-51e4-80b1-39b558bf83b2 set member " grp1" " grp2" next end FWF60D (grp-all) # unselect " grp2" command parse error before ' grp2' Command fail. Return code -61 Seems like 5.2GA needs some improvements

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
MBR
New Contributor III

Support told me this issue would be fixed in next release. 5.2.1 is released september 16th but i dont see this bug (#248808) fixed in the release notes however :( I asked support for clarification

- MBR -

NSE1, NSE2, NSE3

FGT60D/E, FWF60D/E, FGT200D

- MBR - NSE1, NSE2, NSE3 FGT60D/E, FWF60D/E, FGT200D
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors