lvannstruth
Staff
Article Id 278783
Description

This article describes how to fix an issue with FortiGates in FIPS-CC mode where firewall policies with ID 5 or 6 cannot be deleted.

Scope

FortiOS v6.4 FIPS-CC and above (after upgrading from FortiOS 6.2).

Solution

On FortiGates running FortiOS FIPS-CC versions, firewall policies with an ID of 5 or 6 may become static table entries and therefore become impossible to delete. This is due to a bug that occurs when upgrading from FortiOS v6.2 to FortiOS v6.4 while FIPS-CC mode is enabled.

This behavior will persist through future FortiOS upgrades (i.e. upgrading from 6.2 to 6.4, then again to 7.0), though it is important to note that it is only triggered if the starting firmware was on FortiOS 6.2. If the FIPS-enabled FortiGate is freshly configured on FortiOS 6.4 or later, subsequent upgrades will not trigger this issue.

When attempting to delete a policy affected by this bug, the following GUI error will be displayed:

[Screenshot: GUI error shown when attempting to delete the affected policy]

To verify whether this issue is present, attempt to delete the policy from the CLI. The following error will appear if the issue is occurring:

[Screenshot: CLI error returned when deleting the affected policy]

However, other policies (for example, policy ID 7) can be deleted successfully as they are not affected by this bug.

In order to delete firewall policy 5 or 6, the FortiGate configuration file must be downloaded so that the policy can be removed manually. Refer to this article for instructions on downloading the configuration file.

Once downloaded, open the configuration file in a text editor and browse to the ‘config firewall policy’ section. There, delete the block of text corresponding to policy 5 and/or 6:

[Screenshot: the ‘edit 5’ ... ‘next’ block inside ‘config firewall policy’ in the downloaded configuration file]

Save the changes after deleting the block of text for the policy, then restore the configuration file to the FortiGate. Note that a full system configuration restore requires a reboot. After the edited configuration is loaded onto the FortiGate, firewall policy IDs 5 and 6 can be freely used for normal policies in the future and can be deleted normally.
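As an added illustration (not part of the Fortinet article), the following Python script performs the same manual edit on a downloaded backup: it removes the ‘edit 5’ and ‘edit 6’ entries from the top-level ‘config firewall policy’ table only, leaving other tables that legitimately reuse those numeric IDs (such as ‘config router static’) untouched. The embedded sample configuration is constructed for the example.

```python
import re

# Constructed excerpt in FortiOS backup syntax (not from a real device).
SAMPLE_CONFIG = """\
config router static
    edit 5
        set dst 10.0.0.0 255.0.0.0
    next
end
config firewall policy
    edit 5
        set name "stuck-5"
    next
    edit 6
        set name "stuck-6"
    next
    edit 7
        set name "fine-7"
    next
end
"""

def strip_policies(config_text, ids=(5, 6)):
    """Drop 'edit N ... next' blocks for the given IDs from the top-level
    'config firewall policy' table only; every other table is untouched."""
    targets = {str(i) for i in ids}
    out = []
    in_policy = False  # inside the top-level firewall policy table
    depth = 0          # nested 'config ... end' blocks within that table
    skipping = False   # currently dropping a targeted edit block
    for line in config_text.splitlines(keepends=True):
        s = line.strip()
        if in_policy:
            if s.startswith("config "):
                depth += 1
            elif s == "end":
                in_policy = depth > 0  # the table's own 'end' is at depth 0
                depth = max(depth - 1, 0)
            elif depth == 0 and not skipping:
                m = re.fullmatch(r"edit\s+(\d+)", s)
                if m and m.group(1) in targets:
                    skipping = True
            elif depth == 0 and s == "next" and skipping:
                skipping = False
                continue  # drop the closing 'next' of the removed block
        elif s == "config firewall policy":
            in_policy = True
        if not skipping:
            out.append(line)
    return "".join(out)
```

Diff the script's output against the original backup before restoring it, since the restore triggers a reboot.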