PCNSE
NSE
StrongSwan
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Andy Bailey wrote:I've getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).
Hey,
I don't have that problem - works fine for me since Beta 3.
Can you run the following on a Command Line, while you try to modify a policy:
diag deb reset
diag deb ena
diag deb cli 8
... and post the output
Br,
Roman
romanr wrote:Andy Bailey wrote:I've getting a "Failed to save some changes: Input value is invalid" message (showing in the attachment) when I try and modify a policy (for example add an anti-spam to an existing policy).
Can you run the following on a Command Line, while you try to modify a policy:
diag deb reset
diag deb ena
diag deb cli 8
... and post the output
In addition, please enable "diag debug app httpsd -1" and include that output.
Andy Bailey wrote:I've attached the output your requested Roman and Jordan. Thanks for your help.
Nothing really obvious for me. I tried opening the policy and then clicking ok (no changes) and again (no changes) same result both times. I tried Edge instread of Firefox too- no changes there either.
The key lines seem to be:-
[httpsd 9510 - 1522869450 error] cmdb_commit_from_json[1426] -- error saving request object to CLI (-651) [httpsd 9510 - 1522869450 error] _api_cmdb_v2_config[1137] -- error editing object (nret=-651) [httpsd 9510 - 1522869450 error] api_return_http_result[516] -- API error -651 raised
Interestingly I can delete policies- I just tried deleting a couple of unused policies and that worked fine (highlighted from the "IPv4 Policy" list and then just delete.
Any other ideas?
Hi Andy, we've tried with several FGTs and were unable to reproduce your issue. Looks like it's specific to your config after upgrade. From your CLI debug output, the CLI is rejecting the change (any policy edit save) from the GUI.
0: config firewall policy 0: edit 15 0: set ssl-ssh-profile "SSL Certs-Block Untrusted\\Invalid" -651: end
Here are a few other things to try:
1. Can you use the CLI to edit a policy? You can use the above commands to see further error reported by the CLI
2. Can you use the GUI to create new Policy? if not, please also include CLI and httpsd debug message
3. Does this happen to any policy edit via the GUI? 4. Can you check if your interfaces are correctly upgraded?
5. Which FGT model are you using? if possible, can you share your full config with us? you can email me the config at thuynh@fortinet.com
Tri
Hi Stephane,
The proxy mode works well on my ENV. What is exact version of v6?
Hi,
FortiGate-60E v6.0.0,build0076,180329 (GA)
help.netlfix.com appeared as if it was wrongly categorised on Fortiguard, at least on the cached data.
Tried to add it to web rating override without luck. I didn't had the time to troubleshoot further, such as attempting to flush cache... so the override might just not invalidate the cache?
If needed I could do some more testing and open a ticket if needed.
kurtli_FTNT wrote:Hi Stephane,
The proxy mode works well on my ENV. What is exact version of v6?
Thanks. I will reproduce in lab with the same version and target, will go back to you later.
Hi Stephane,
So first, I suppose there is a typo in your post, 'netlfix' vs 'netflix'. No website is taking response for "help.netlfix.com". Thus, the category for that is 'General Interest - Business'. If correct it with 'help.netflix.com', then the category becomes to 'Bandwidth Consuming' and sub-cate is 'streaming media and download', which makes sense.
And the rating override works well against 'help.netflix.com' on proxy-mode. I override it to 'gambling' and can see it's blocked.
1: date=2018-04-19 time=16:19:08 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" eventtime=1524179948 policyid=4 sessionid=1897 srcip=10.1.100.211 srcport=57073 srcintf="port5" srcintfrole="undefined" dstip=52.38.152.174 dstport=80 dstintf="port12" dstintfrole="undefined" proto=6 service="HTTP" hostname="help.netflix.com" profile="k" action="blocked" reqtype="direct" url="/" sentbyte=80 rcvdbyte=0 direction="outgoing" msg="URL belongs to a denied category in policy" method="domain" cat=11 catdesc="Gambling" crscore=30 crlevel="high"
We do have a known issue on flow-mode and it will be fixed on the next release.
Thanks
The LDAP diag test auth ldap is working from cli-cmd but fails via the WebGui FortiOS v6.0
Who all here is seeing the same issues?
Ken
PCNSE
NSE
StrongSwan
Hello Ken,
Can you please share some more configuration details ?
Also when you do the test from GUI can you enable HTTPS debug.
To obtain debug:
1. Open Command Line Interface for FortiGate
2. Type in
diagnose debug enable
diagnose application httpsd -1
3. Conduct Test from GUI and copy the debug information
Thanks !
Farazi
emnoc wrote:The LDAP diag test auth ldap is working from cli-cmd but fails via the WebGui FortiOS v6.0
Who all here is seeing the same issues?
Ken
Confirmed SANs cert with 8k bit key does NOT working for the admin-server for the FortiOS. It was tried into 2 FGTs btw
PCNSE
NSE
StrongSwan
Hello all.
We have upgraded same Fortigates to 6.0 FortiOS and users fail to login when use LDAP. Radius authentication with windows NPS work fine and we have configured as alternative.
If I create a new user in Active Directory works fine with LDAP authentication, but existing users fail to login.
Is there any solution to this issue?
Thank you in advance.
Accionet
Did you do any diag from the cli for test authentication and with LDAP? Since you said new users, I expect something is wrong from the AD side of things.
Start with basic level diagnostics
diag test authserver ldap diag test authserver ldap-search I'm on JumpCloud and have no users auth with LDAPS and v6.0 fwiw ken
PCNSE
NSE
StrongSwan
Hello emnoc.
diag test authserver ldap
authenticate 'old_user' against 'LDAP_xxxx' succeeded!
Do not show groups, but
authenticate 'new_user' against 'LDAP_xxxx' succeeded!
Group membership(s) - CN=Mobile Users,OU=Security Groups,OU=MyBusiness,DC=xxxxxxx,DC=local
CN=Usuarios Terminal Server,CN=Users,DC=xxxxxxx,DC=local CN=Remote Web Workplace Users,OU=Security Groups,OU=MyBusiness,DC=xxxxxxx,DC=local CN=GRUPOADMINISTRACION,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxxxxxx,DC=local CN=AccesoSSLVPN,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=xxxxxxx,DC=local CN=Usuarios del dominio,CN=Users,DC=xxxxxxx,DC=local
Show all grups for this user.
It seems a problemm with permissions in AD. But in 5.6.3 work fine.
Thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.