FortiGate
ydong01
Article Id 189885

Description
This article describes how to fix the FortiManager 'Copy Failed' error '(errcode)-2 – firewall vip x.x.x.x: invalid extintf', which can occur when a policy that references a Dynamic VIP is pushed to a FortiGate.

Newer FortiManager versions handle Dynamic VIPs differently from older ones. In the older versions the external interface (extintf) of a VIP could only be set in the per-device mapping, not in the global (ADOM-level) object. In the newer versions extintf exists both in the global object and in the per-device mapping. After a device is imported, some VIPs become Dynamic VIPs with a per-device mapping. When an existing policy that uses such a VIP is later pushed to a new FortiGate, the install can fail with '(errcode)-2 – firewall vip x.x.x.x: invalid extintf' even though no specific interface is shown for the VIP.

The fix consists of identifying the Dynamic VIP, comparing its global settings with its per-device mapping (in particular the extintf value), and disabling the per-device mapping.


Solution
1) Pushing a policy from FortiManager fails with 'Copy Failed' and the error '(errcode)-2 – firewall vip x.x.x.x: invalid extintf'.

2) Use 'exec fmpolicy print-adom-object <adom-oid> <category-id> <object-name>' on the FortiManager CLI to dump the VIP object and compare the global settings with the per-device mapping. In the example below 133 is the ADOM OID of 'FGT5-2' and 173 is the category ID of 'firewall vip':


exec fmpolicy print-adom-object 133 173 vip4
Dump object [vip4] of category [firewall vip] in adom [FGT5-2]:
---------------
config firewall vip
    edit "vip4"
        set uuid c258bea4-97b3-51e9-07f4-74a9dbb8c420
        set extip 10.56.240.153
        set mappedip "10.173.0.153"
config dynamic_mapping
    edit "Skywalker-kvm68"-"root"
        set extintf "any"
        set extip 10.56.240.153
        set mappedip 10.173.0.153
        set uuid ac721886-97b5-51e9-61ff-0e8275cbc020
The global object (directly under edit "vip4") has no extintf, while the per-device mapping for Skywalker-kvm68/root sets extintf "any". This mismatch between the global settings and the per-device mapping is what the policy push rejects.

3) Disable the per-device mapping on the VIP object (in the FortiManager GUI, edit the VIP under Policy & Objects > Object Configurations > Firewall Objects > Virtual IPs and turn off Per-Device Mapping), then dump the object again. The VIP now carries extintf in the global settings and no dynamic_mapping section:


exec fmpolicy print-adom-object 133 173 vip4
Dump object [vip4] of category [firewall vip] in adom [FGT5-2]:
---------------
config firewall vip
    edit "vip4"
        set uuid b89b3266-97b3-51e9-bf1a-e771d09ad58a
        set extip 10.56.240.153
        set extintf "any"
        set mappedip "10.173.0.153"

4) Push the policy again; the install now succeeds.


Disabling the per-device mapping fixes the issue. After the change, confirm that the extintf now present in the global object is the interface intended for this VIP: an extintf of "any", as in the dump above, makes the VIP match on every FortiGate interface rather than only the external one, which can expose the mapped host more widely than intended.
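The comparison made by hand in steps 2 and 3 can be scripted for ADOMs with many Dynamic VIPs. The following Python script is an added example written for this article, not Fortinet code: it parses the text of an 'exec fmpolicy print-adom-object' VIP dump into the global object and its per-device mappings, reports the extintf mismatches that lead to the '-2 invalid extintf' rejection, and lists every scope where extintf is "any". It handles only the config subset visible in the dumps above, and it assumes the usual FortiManager semantics that a per-device mapping overrides the global object for that device. The two embedded sample dumps are copied from the article's before and after output.

```python
"""Check a FortiManager VIP dump (exec fmpolicy print-adom-object output)
for extintf mismatches between the global object and its per-device
mappings.  Added example for this article, not Fortinet code; it handles
only the config subset visible in the article's dumps."""

import shlex
from dataclasses import dataclass, field

# Sample inputs: the two dumps shown in the article (before and after the
# per-device mapping was disabled), minus the command banner lines.
DUMP_BEFORE = """\
config firewall vip
    edit "vip4"
        set uuid c258bea4-97b3-51e9-07f4-74a9dbb8c420
        set extip 10.56.240.153
        set mappedip "10.173.0.153"
config dynamic_mapping
    edit "Skywalker-kvm68"-"root"
        set extintf "any"
        set extip 10.56.240.153
        set mappedip 10.173.0.153
        set uuid ac721886-97b5-51e9-61ff-0e8275cbc020
"""

DUMP_AFTER = """\
config firewall vip
    edit "vip4"
        set uuid b89b3266-97b3-51e9-bf1a-e771d09ad58a
        set extip 10.56.240.153
        set extintf "any"
        set mappedip "10.173.0.153"
"""


@dataclass
class VipObject:
    name: str
    settings: dict = field(default_factory=dict)   # global (ADOM-level) settings
    mappings: dict = field(default_factory=dict)   # "device-vdom" -> per-device settings


def parse_vip_dump(text):
    """Parse the dump into {vip_name: VipObject}.  Tracks two scopes:
    'config firewall vip' (global) and 'config dynamic_mapping' (per-device)."""
    vips, vip, mapping, section = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Dump object", "---")):
            continue                                # banner lines, if present
        if line == "config firewall vip":
            section = "vip"
        elif line == "config dynamic_mapping":
            section = "mapping"
        elif line.startswith("edit "):
            name = line[5:].replace('"', "")        # "dev"-"vdom" -> dev-vdom
            if section == "mapping" and vip is not None:
                mapping = vip.mappings.setdefault(name, {})
            else:
                vip = vips.setdefault(name, VipObject(name))
                mapping = None
        elif line.startswith("set ") and vip is not None:
            key, *values = shlex.split(line[4:])    # strips surrounding quotes
            target = mapping if mapping is not None else vip.settings
            target[key] = " ".join(values)
        elif line == "next":                        # close the current edit
            if section == "mapping":
                mapping = None
            else:
                vip = None
        elif line == "end":                         # close the current config block
            if section == "mapping":
                section, mapping = "vip", None
            else:
                section, vip = None, None
    return vips


def check_extintf(vip):
    """Return findings that explain an 'invalid extintf' rejection: extintf
    missing from the global object or from a mapping, or a mapping whose
    extintf differs from the global value."""
    findings = []
    global_extintf = vip.settings.get("extintf")
    if global_extintf is None:
        findings.append("global object has no extintf")
    for target, settings in vip.mappings.items():
        mapped = settings.get("extintf")
        if mapped is None:
            findings.append(f"{target}: mapping has no extintf")
        elif global_extintf is not None and mapped != global_extintf:
            findings.append(f"{target}: mapping extintf {mapped!r} != global {global_extintf!r}")
    return findings


def effective_settings(vip, target):
    """Settings a given device/VDOM would receive: the global object with its
    per-device mapping (if any) layered on top (assumed FortiManager semantics)."""
    merged = dict(vip.settings)
    merged.update(vip.mappings.get(target, {}))
    return merged


def broad_scopes(vip):
    """Scopes whose extintf is 'any', i.e. where the VIP would match on every
    interface of the FortiGate rather than a specific external one."""
    scopes = ["global"] if vip.settings.get("extintf") == "any" else []
    scopes += [t for t, s in vip.mappings.items() if s.get("extintf") == "any"]
    return scopes


if __name__ == "__main__":
    for label, dump in (("before", DUMP_BEFORE), ("after", DUMP_AFTER)):
        vip = parse_vip_dump(dump)["vip4"]
        print(label, "findings:", check_extintf(vip) or "none",
              "| extintf any in:", broad_scopes(vip) or "none")
```

Feed the script the output of 'exec fmpolicy print-adom-object' for each VIP in the ADOM; a non-empty findings list marks a Dynamic VIP that will fail the push, and the broad_scopes output marks VIPs that should be narrowed to the real external interface once the mapping has been removed.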

