Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dbeitler
New Contributor III

Created on ‎01-15-2025 09:59 AM Edited on ‎01-15-2025 10:20 AM

why does fortimanger require name resoluton when creating a subnet address

Looked at the admin guide, and the example it shows, is www.google.com (As a subnet object???)

Need to add a simple subnet object like "192.168.0.0/16".  Is this possible?

I have many address objects of type Subnet, that were created in a FortiGate before FortiManager came along. 

 

When trying to add in FortiManager, It clears the subnet address I try to add within IP/Netmask and then says "Invalid IP address"

Does FortiManager have a different concept of a subnet address object than the FortiGate does?

I know I can add an IP range (probably), but that means I have to go through and edit "all" of the exiting definitions.

 

In the FortiGate, when adding a subnet object, I can name it something like "sn-bob" and it does (or at least did not previously) require that it resolve to anything.

 

I'm hoping that I am missing something stupid.

 

Labels:
648
0 Kudos
1 Solution
dingjerry_FTNT
Staff
Staff
In response to dbeitler

Created on ‎01-15-2025 11:17 AM

Thank you, @dbeitler .

 

I can reproduce this issue in my lab FMG 7.2.8.

 

And I have found an existing Mantis for this issue:  1069285 This bug is for FMG 7.2 train only.

 

The fix is included in FMG 7.2.10 or later.

Regards,

Jerry

View solution in original post

582
15 REPLIES 15
dingjerry_FTNT
Staff
Staff

Created on ‎01-15-2025 10:20 AM

Hi @dbeitler ,

 

1) Please provide the link of the admin guide you are talking about the example with "www.google.com";

2) There is no subnet object such thing.  I guess you are talking about address objects with subnet type. If so, "www.google.com" must be the name of the address object with the type of "subnet":

 

dingjerry_FTNT_0-1736964954990.png

If so, you may use anything you want for the name.   But I would admit that it is not a good example to use "www.google.com" as the name for the "192.168.0.0/16" subnet.

 

3)  "Invalid IP address"

Can you provide a screenshot at least?

4) "Does FortiManager have a different concept of a subnet address object than the FortiGate does?"

FMG does follow the same concepts with FortiOS, otherwise, it will be causing a major issue to the FortiGate.

 

5) "In the FortiGate, when adding a subnet object, I can name it something like "sn-bob" and it does (or at least did not previously) require that it resolve to anything."

 

Again, there is no so-called subnet object. If you are talking about the Subnet type of an address object, no, we do not require it to be resolved to anything.   

 

Please provide a screenshot as well.

Regards,

Jerry
374
0 Kudos
dingjerry_FTNT
Staff
Staff

Created on ‎01-15-2025 10:21 AM Edited on ‎01-15-2025 10:23 AM

We will resolve the FQDN only.

 

dingjerry_FTNT_0-1736965365077.png

For example, the above screenshot shows an address object with FQDN type.

 

it will resolve "docs.google.com", not "www.google.com".

Regards,

Jerry
370
0 Kudos
dbeitler
New Contributor III

Created on ‎01-15-2025 10:25 AM

subnet.png

and yes, I am referring to address objects of type subnet.

368
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to dbeitler

Created on ‎01-15-2025 10:32 AM

Hi @dbeitler ,

 

1) Where did you capture the screenshot?  FGT or FMG?

2) The "resolve from name" does not mean you HAVE TO resolve the name.  It is a convenient way for you to get the value of the IP if the name is resolvable. Like the floating tips said, the name must be valid FODN.

Once it is resolved, absolutely you can modify it as needed. And of course you can still keep it, but at least you have to add a network mask.

Regards,

Jerry
360
0 Kudos
dbeitler
New Contributor III

Created on ‎01-15-2025 10:28 AM

This was in Policy & Objects, Object Configurations , Firewall Objects, Addresses, Create New, Address

When I tab out of the IP/Netmask section, it clears it, and proclaims "Invalid address"

365
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to dbeitler

Created on ‎01-15-2025 10:34 AM

Hi @dbeitler ,

 

What is the firmware version of your FMG?  And it is still better to provide a screenshot.

Regards,

Jerry
356
0 Kudos
dbeitler
New Contributor III

Created on ‎01-15-2025 10:32 AM

Does the same if I edit an existing one.  If I tweak the IP/Netmask field, then tab out. Same result.

360
0 Kudos
dbeitler
New Contributor III
In response to dbeitler

Created on ‎01-15-2025 10:36 AM

haha.  I knew it was something simple.

If I add a subnet in IP/Netmask, then with the mouse, go to another section, comments for example, it retains what I enter.

If I add a subnet in IP/Netmask, then tab down, it passes by and apparently auto-selects "Resolve from name"

Is that a bug, or a feature?

352
0 Kudos
dingjerry_FTNT
Staff
Staff
In response to dbeitler

Created on ‎01-15-2025 10:42 AM

Hi @dbeitler ,

 

"If I add a subnet in IP/Netmask, then tab down, it passes by and apparently auto-selects "Resolve from name" "

 

I am a little bit confused by this.  Do you mean:

 

1) You entered the value for the IP/Netmask field

2) You pressed the "Tab" key, and the focus would move to "Resolve from name"

 

If so, this is programming stuff. If you keep pressing Tab, the focus will move to Comment later.

 

If the above is not your case, please provide more info, like the steps I described. 

Regards,

Jerry
346
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.