Description
This article provides troubleshooting steps for cases where firewall policies appear to be missing after a firmware upgrade from FortiOS 5.2.x to 5.4.
Solution
Check the configuration backup file from FortiOS 5.2.x and verify whether firewall policies refer to address groups containing wildcard FQDN objects.
FortiOS 5.2.x accepted wildcard FQDN objects as destination addresses for firewall policies. FortiOS 5.4 no longer accepts this configuration.
In the web interface, the error message "Some changes failed to save" would be observed.
In the CLI, the following message would be observed:
entry not found in datasource
value parse error before ''
Command fail. Return code -3
As a result, firewall policies that refer to wildcard FQDN objects, either directly or through address groups containing them, fail with these errors during configuration after the upgrade and are no longer present in the FortiGate configuration.
Wildcard FQDN objects are intended for configuring SSL exemptions in SSL deep inspection profiles and are not recommended for matching traffic in firewall policies.
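The backup check described under Solution can be scripted. The following is an added example, not Fortinet code: it assumes a single-VDOM backup in which wildcard FQDN addresses appear as `set type wildcard-fqdn` under `config firewall address`, and the function names and sample configuration are constructed for illustration.

```python
import re
# Constructed excerpt in FortiOS 5.2 backup syntax (not taken from a real device).
SAMPLE = '''config firewall address
    edit "wild-example"
        set type wildcard-fqdn
        set wildcard-fqdn "*.example.com"
    next
end
config firewall addrgrp
    edit "web-dst"
        set member "srv1" "wild-example"
    next
end
config firewall policy
    edit 1
        set dstaddr "web-dst"
    next
    edit 2
        set dstaddr "srv1"
    next
end'''

def parse_section(text, name):
    """Return {entry: {setting: [values]}} for every 'config <name>' block."""
    entries, cur, stack = {}, None, []
    for raw in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)] or [""]
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
        elif stack and stack[-1] == name and len(tok) > 1:
            if tok[0] == "edit":
                cur = entries.setdefault(tok[1], {})
            elif tok[0] == "set" and cur is not None:
                cur[tok[1]] = tok[2:]
    return entries

def affected_policies(text):
    """Map policy ID -> dstaddr entries that are, or contain, a wildcard FQDN."""
    wild = {n for n, a in parse_section(text, "firewall address").items()
            if a.get("type") == ["wildcard-fqdn"]}
    groups = parse_section(text, "firewall addrgrp")
    for _ in groups:  # one pass per group resolves groups nested in groups
        for g, a in groups.items():
            if wild & set(a.get("member", [])):
                wild.add(g)
    return {pid: sorted(bad) for pid, p in parse_section(text, "firewall policy").items()
            if (bad := wild & set(p.get("dstaddr", [])))}
```

Run `affected_policies()` on the text of the 5.2.x backup before upgrading; each policy ID it returns needs its destination reworked so the policy survives the move to 5.4.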