FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rk1
Staff
Staff
Article Id 191759
Description
This article describes how to exclude members in an address group if user is unable to commit the changes in the firewall when it is necessary to exclude specific address object.

Solution
To exclude an address object from an address group, it will not be possible to do so even though the configuration gets committed successfully.

When the address group is checked again from Policy & Objects -> Addresses -> Address Group’, notice that the exclude members option being disabled which was configured earlier.

1) This behavior is expected when the 'Static route configuration' is enabled in the address object.
It will not be possible to exclude the address object with the 'Static route configuration' being enabled.





2) The 'Static route configuration' will be disabled by default and to use the address object in the static route configuration, then enable the option, otherwise keep it disabled.
It will be possible to either use 'Static route configuration' or 'Exclude members' and unable to use both of them at the same time.

3)To exclude member using an address object, make sure the 'Static route configuration' option is disabled on the specific address object and it will be possible to use that address object in an address group’s exclude member.




Contributors