Created on 06-27-2019 02:10 AM Edited on 05-26-2022 02:06 PM By Anonymous
Description
This article describes how to fix the FortiManager 'copy failed' issue with 'invalid extintf' for a Dynamic VIP.
FortiManager handles Dynamic VIPs differently in newer versions. When defining VIPs in the old versions, the external interface setting only appears in the per-device settings, not in the global settings. The newer versions have an external interface in both the global settings and the per-device settings. After importing a device, some VIPs become Dynamic VIPs. Pushing an existing policy to a new FortiGate may then sometimes fail with the error '(errcode)-2 – firewall vip x.x.x.x: invalid extintf', without a special interface shown.
Fixing the issue involves checking the Dynamic VIP, checking the match between the global settings and the per-device settings, and disabling the per-device mapping.
Solution
1) Pushing a policy in FortiManager causes 'copy failed' and '(errcode)-2 – firewall vip x.x.x.x: invalid extintf'.
2) Use exec fmpolicy print-adom-object to check the match between global settings and per-device mapping:
exec fmpolicy print-adom-object 133 173 vip4
Dump object [vip4] of category [firewall vip] in adom [FGT5-2]:
---------------
config firewall vip
edit "vip4"
set uuid c258bea4-97b3-51e9-07f4-74a9dbb8c420
set extip 10.56.240.153
set mappedip "10.173.0.153"
config dynamic_mapping
edit "Skywalker-kvm68"-"root"
set extintf "any"
set extip 10.56.240.153
set mappedip 10.173.0.153
set uuid ac721886-97b5-51e9-61ff-0e8275cbc020
3) Disable the per-device mapping.
exec fmpolicy print-adom-object 133 173 vip4
Dump object [vip3] of category [firewall vip] in adom [FGT5-2]:
---------------
config firewall vip
edit "vip4"
set uuid b89b3266-97b3-51e9-bf1a-e771d09ad58a
set extip 10.56.240.153
set extintf "any"
set mappedip "10.173.0.153"
4) Policy push succeeds.
Disabling per-device mapping fixes the issue.
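The comparison in step 2 can also be done mechanically when many VIPs have to be reviewed. The script below is an added example, not part of the original article or a Fortinet tool. It assumes the dump text has been saved from the CLI session in the layout shown above, and the function names and the list of compared settings are choices made for this example.

```python
# Constructed sample: the step 2 dump shown in the article.
SAMPLE_DUMP = """\
config firewall vip
edit "vip4"
set uuid c258bea4-97b3-51e9-07f4-74a9dbb8c420
set extip 10.56.240.153
set mappedip "10.173.0.153"
config dynamic_mapping
edit "Skywalker-kvm68"-"root"
set extintf "any"
set extip 10.56.240.153
set mappedip 10.173.0.153
set uuid ac721886-97b5-51e9-61ff-0e8275cbc020
"""

# Settings compared between the global object and each per-device mapping
# (an assumption of this example; extend as needed).
COMPARED = ("extintf", "extip", "mappedip")


def parse_vip_dump(text):
    """Split one dump into (vip_name, global_settings, {mapping: settings})."""
    name, glob, mappings = None, {}, {}
    current, in_mapping = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config dynamic_mapping":
            in_mapping = True          # following "edit" lines are per-device
        elif line.startswith("edit "):
            label = line[5:].replace('"', "")
            if in_mapping:
                current = mappings.setdefault(label, {})
            else:
                name, current = label, glob
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return name, glob, mappings


def find_mismatches(text):
    """List (vip, mapping, setting, global_value, mapping_value) differences."""
    name, glob, mappings = parse_vip_dump(text)
    return [(name, dev, key, glob.get(key), settings[key])
            for dev, settings in mappings.items()
            for key in COMPARED
            if key in settings and settings[key] != glob.get(key)]


if __name__ == "__main__":
    for row in find_mismatches(SAMPLE_DUMP):
        print("%s / %s: %s global=%r per-device=%r" % row)
```

For the step 2 dump it reports that extintf is set to "any" in the per-device mapping but is absent from the global object; for the step 3 dump, which has no dynamic_mapping block, it reports nothing.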