PCNSE
NSE
StrongSwan
Solved! Go to Solution.
Andy Bailey wrote:I've getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).
Hey,
I don't have that problem - works fine for me since Beta 3.
Can you run the following on a Command Line, while you try to modify a policy:
diag deb reset
diag deb ena
diag deb cli 8
... and post the output
Br,
Roman
romanr wrote:Andy Bailey wrote:I've getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).
Can you run the following on a Command Line, while you try to modify a policy:
diag deb reset
diag deb ena
diag deb cli 8
... and post the output
In addition, please enable "diag debug app httpsd -1" and include that output.
Andy Bailey wrote:I've attached the output your requested Roman and Jordan. Thanks for your help.
Nothing really obvious for me. I tried opening the policy and then clicking ok (no changes) and again (no changes) same result both times. I tried Edge instread of Firefox too- no changes there either.
The key lines seem to be:-
[httpsd 9510 - 1522869450 error] cmdb_commit_from_json[1426] -- error saving request object to CLI (-651) [httpsd 9510 - 1522869450 error] _api_cmdb_v2_config[1137] -- error editing object (nret=-651) [httpsd 9510 - 1522869450 error] api_return_http_result[516] -- API error -651 raised
Interestingly I can delete policies- I just tried deleting a couple of unused policies and that worked fine (highlighted from the "IPv4 Policy" list and then just delete.
Any other ideas?
Hi Andy, we've tried with several FGTs and were unable to reproduce your issue. Looks like it's specific to your config after upgrade. From your CLI debug output, the CLI is rejecting the change (any policy edit save) from the GUI.
0: config firewall policy 0: edit 15 0: set ssl-ssh-profile "SSL Certs-Block Untrusted\\Invalid" -651: end
Here are a few other things to try:
1. Can you use the CLI to edit a policy? You can use the above commands to see further error reported by the CLI
2. Can you use the GUI to create new Policy? if not, please also include CLI and httpsd debug message
3. Does this happen to any policy edit via the GUI? 4. Can you check if your interfaces are correctly upgraded?
5. Which FGT model are you using? if possible, can you share your full config with us? you can email me the config at thuynh@fortinet.com
Tri
X-HUB (root) # diag ip router bgp show
BGP debugging status:
BGP debugging is on
BGP nsm debugging is on
BGP events debugging is on
BGP keepalives debugging is on
BGP updates debugging is on
BGP fsm debugging is on
BGP filter debugging is on
BGP Route Flap Dampening debugging is on
BGP debug level: INFO
X-HUB (root) # exec router clear bgp all
BGP: 169.254.255.2-Outgoing [FSM] State: Idle Event: 35
X-HUB (root) # BGP: 169.254.255.6-Outgoing [FSM] State: Idle Event: 35
BGP: 172.23.255.1-Outgoing [FSM] State: Active Event: 35
BGP: 172.23.255.32-Outgoing [FSM] State: Active Event: 35
BGP: 172.23.255.1-Outgoing [FSM] State: Idle Event: 3
BGP: 172.23.255.1-Outgoing [NETWORK] FD=24, Sock Status: 113-No route to host
BGP: 172.23.255.1-Outgoing [FSM] State: Connect Event: 18
BGP: [RIB] Scanning BGP Network Routes...
BGP: NSM Message Header
BGP: VR ID: 4
BGP: VRF ID: 0
BGP: Message type: IPv4 Route (31)
BGP: Message length: 44
BGP: Message ID: 0x000001c3
BGP: NSM IPv4 route add
BGP: Flags: 1
BGP: Route: 10.30.1.0/24
BGP: Type: 2
BGP: Metric: 0
BGP: Distance: 0
BGP: Nexthop: 0.0.0.0 ifindex 10
BGP: [RIB] Scanning BGP RIB...
BGP: 172.23.255.32-Outgoing [FSM] State: Idle Event: 3
BGP: 169.254.255.6-Outgoing [FSM] State: Idle Event: 3
BGP: 169.254.255.2-Outgoing [FSM] State: Idle Event: 3
BGP: 172.23.255.32-Outgoing [NETWORK] FD=24, Sock Status: 113-No route to host
BGP: 172.23.255.32-Outgoing [FSM] State: Connect Event: 18
BGP: [RIB] Scanning BGP Network Routes...
BGP: NSM Message Header
BGP: VR ID: 4
BGP: VRF ID: 0
BGP: Message type: IPv4 Route (31)
BGP: Message length: 44
BGP: Message ID: 0x000001c4
BGP: NSM IPv4 route add
BGP: Flags: 1
BGP: Route: 10.30.1.0/24
BGP: Type: 2
BGP: Metric: 0
BGP: Distance: 0
BGP: Nexthop: 0.0.0.0 ifindex 10
X-HUB (root) # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via 200.200.1.254, port6
S 10.6.255.2/32 [10/0] via 10.6.255.62, port5
C 10.6.255.48/28 is directly connected, port5
S 10.30.0.0/16 [10/0] via 10.30.1.100, port8
R 10.30.0.0/24 [120/2] via 10.30.1.100, port8, 01:40:20
C 10.30.1.0/24 is directly connected, port8
C 169.254.255.0/30 is directly connected, root-INETv40
C 169.254.255.1/32 is directly connected, root-INETv40
C 169.254.255.4/30 is directly connected, root-MPLS0
C 169.254.255.5/32 is directly connected, root-MPLS0
C 200.200.1.0/24 is directly connected, port6
X-HUB (root) #
:(
Hi SEI,
I am trying to reproduce your issues in lab. But firstly, I want to make sure what the diagram is. For issues #1~5, is there only a 1200D-HA a-a in the middle, or traffic goes to 1200DHA first, then 500E as well? Or 500E first then 1200D? If latter two cases, any type of tunnels are used between 1200D-HA and 500E?
As to "finally we found the FGT1200D is actively closing connections!", any diagnostics you did that can share to us? e.g. captures of 'diag sniffer', or session table and other debug msgs and so on.
Thanks
Hello kurtli_FTNT
please find attached the diagram.
All 3 Branches connecting with their WAN Ports over "Private Ethernet" 1GBit/s lines to dedicated Ports on the Edge 1200D Cluster (no Tunnels, Encryption,... involved).
Unfortunately I can not provide you with any diagnostics/debugs - as I mentioned, nothing pointed to the FortiGate's.
Finally, since our UPS's are connected to the network, their connection drops (port-closures) was easy to analyze. As they connect to the monitoring Server in another VLAN we just had to "bypass" the FGT and the problem disappeared.
(That is also the reason why we did not open a ticket - we can not reproduce as we downgraded to 5.6.3 and have no diagnostics to provide)
Thank YOU
Hi SEI,
Thanks. I think I can simplify it to 'branch----500E-----1200HA----Internet'. I will get back to you once I get the results.
Regards
Hi ghorchem,
Regarding "When I did the upgrade from 5.6.2 SSL VPN host check failed using the latest web browsers", I suppose you were using the host check with webmode,right? Since build0060, when 'skip-check-for-unsupport-browser' is enabled, FGT doesn't do the host check for browsers anymore. This change only applies to webmode, not tunnel mode.
Regards
Yes, like I said before, this feature is now for tunnel mode only. For web-mode, due to the phasing out of Java support on modern browsers, disable it then no browsers will be allowed while enable it means all browsers can pass thru.
Hi Storaid,
Thanks for your findings. Regarding below "1. can not add additional MACs for device object"
---This is a known issue and we already have a bug to track it. "2. device type: Windows Device"
---This usually depends on how much/what kind of traffic is sent out from client. The more traffic is sent out, the better FGT can recognize. On my ENV, I can see the windows 10 can be recognized well in "OS" by surfing youtube and yahoo in a couple of minutes.
===
category 6 'Windows Device' src quic id 29 gen 13 type 17 'Windows PC' src quic id 29 gen 13 os 'Windows 10 / 2016' version '' src quic id 29
===
Hi rkhair,
When the "web Rating overrides" is not working, what the inspection-mode you're using? flow or proxy? If it's flow, can you try to use proxy, see if it works.
Regards
Hi,
I,m having web rating overrides not working in Proxy mode, didn't test flow mode.
Best regards,
Stephane
kurtli_FTNT wrote:Hi rkhair,
When the "web Rating overrides" is not working, what the inspection-mode you're using? flow or proxy? If it's flow, can you try to use proxy, see if it works.
Regards
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.