FortiGate
Jonathan_Body_FTNT
Article Id 192096

Description

This article describes how to verify and troubleshoot which objects reference a system object such as an interface or a VDOM.


Solution

FortiOS uses a structured, tree-like syntax to define where objects live; for example, the path of a firewall address object is Firewall/Address/<name>.

The CLI syntax to enter this name (or context) is the following:

# config firewall address <name>

 

Once created within FortiOS, objects can be referenced, and thus used, in other areas such as a firewall policy or an address group.

For example, in the screenshot below firewall addresses are configured under Policy&Objects -> Addresses. The FortiAuthenticator object named 'FAC' has a 'Ref' number next to it, whereas the firewall object 'ipsec_subnet' does not.

 

[Screenshot: Policy&Objects -> Addresses, showing the 'Ref' column for the 'FAC' and 'ipsec_subnet' objects]

 

This is because the object 'FAC' is linked to five other objects within the system; in this instance 'FAC' has been added to several firewall policies, as shown below:

[Screenshot: firewall policies that reference the 'FAC' object]

 

When working with FortiOS there will be cases where object dependencies prevent an object from being deleted, because it is already referenced elsewhere in the FortiOS configuration.

Here are two such examples:

1) Changing the internal switch from Switch mode to Interface mode fails: FortiOS terminates with an 'object in use' error without changing the mode.

This is because there are dependencies on the switched 'internal' interface.

Normally these are a DHCP server, a static route and the DNS forwarder; however, there may be more dependencies depending on the configuration within FortiOS.

This object dependency is present in the default configuration of a FortiGate 60F and other products that use Switch to Interface mode.

2) An unused address object needs to be deleted, but the deletion fails. In the GUI no reference number is visible next to the object, and on the CLI an 'Object is in use' error is returned and the object cannot be deleted.

Below are the commands used to identify the dependencies of an object that needs to be deleted or modified.


How to verify the object dependency for a system interface on the CLI:

The main CLI command to identify object dependencies on a given interface within FortiOS is the following:

# diag sys cmdb refcnt show <object path>

With the <object path> specified, this command returns output such as the following (run without an argument it only prints the expected argument format):

 

FortiGate60E # diag sys cmdb refcnt show
<path.object.mkey>    Table.

FortiGate60E # diag sys cmdb refcnt show system.interface.name wan2
entry used by child table members:seq-num '2' of complex system.sdwan:members.interface
entry used by table firewall.sniffer:id '1'
entry used by child table interface:interface-name 'wan2' of complex system.acme:interface.interface-name


In the above example, the system interface 'wan2' is used by the firewall sniffer, the ACME settings and the SD-WAN setup; these are the current object dependencies of this system interface.

How to verify an object dependency for a firewall.address:

FortiGate60E # diag sys cmdb refcnt show firewall.address:name all
entry used by child table source-address:name 'all' of complex vpn.ssl.settings:source-address.name
entry used by child table dst:name 'all' of table service:id '1' of complex system.sdwan:service.dst.name
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '10'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '25'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '20'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '2'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '23'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '13'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '12'


This output shows that the address object 'all' is being used as the source address in several firewall policies.

How to identify a potential object dependency:

The command can also be run more generically.

To find out the possible dependencies for a certain object type, leave the object name empty. This shows the tables that could hold a reference to such an object:

FortiGate60E  # diag sys cmdb refcnt show firewall.address:name
may used by table firewall.addrgrp.member.name
may used by table vpn.ssl.web.portal.widget.ip-pools.name
may used by table vpn.ssl.web.portal.widget.split-tunneling-routing-address.name
may used by table vpn.ssl.settings.tunnel-ip-pools.name
may used by table vpn.ipsec.phase2.src-name
may used by table vpn.ipsec.phase2.dst-name
may used by table vpn.ipsec.phase1-interface.ipv4-split-include
may used by table vpn.ipsec.phase2-interface.src-name
may used by table vpn.ipsec.phase2-interface.dst-name
may used by table firewall.policy.srcaddr.name
may used by table firewall.policy.dstaddr.name
may used by table firewall.interface-policy.srcaddr.name
may used by table firewall.interface-policy.dstaddr.name
may used by table firewall.sniff-interface-policy.srcaddr.name
may used by table firewall.sniff-interface-policy.dstaddr.name
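As an added example (not from the article or from Fortinet), a small Python parser for the refcnt output shown in the firewall.address example above and in the name-less form just shown: it separates the confirmed 'entry used by' references, each of which blocks a delete until the owning object is edited, from the 'may used by' list of tables that could hold a reference, so the check can be scripted before a change window. The sample output is constructed from the lines in this article rather than captured live.

```python
import re
from collections import Counter

# Constructed sample assembled from the output lines shown in this article
# (not a live capture): confirmed references to firewall.address 'all' plus
# two 'may used by' lines from the name-less form of the command.
SAMPLE_OUTPUT = """\
entry used by child table source-address:name 'all' of complex vpn.ssl.settings:source-address.name
entry used by child table dst:name 'all' of table service:id '1' of complex system.sdwan:service.dst.name
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '10'
entry used by child table srcaddr:name 'all' of table firewall.policy:policyid '25'
entry used by table firewall.sniffer:id '1'
may used by table firewall.addrgrp.member.name
may used by table firewall.policy.dstaddr.name
"""

ENTRY_RE = re.compile(r"^entry used by (.*)$", re.IGNORECASE)
MAY_RE = re.compile(r"^may used by table (\S+)$", re.IGNORECASE)
# A "table X:key 'v'" or "complex X:key" segment; the last one on a line is the owner.
OWNER_RE = re.compile(r"(?:table|complex) ([\w.-]+):([\w.-]+)(?: '([^']*)')?")

def parse_refcnt(text):
    """Split refcnt output into confirmed owners [(table, key, value)]
    and potential referrer table paths [str]."""
    confirmed, potential = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            owners = OWNER_RE.findall(m.group(1))
            if owners:
                confirmed.append(owners[-1])
            continue
        m = MAY_RE.match(line)
        if m:
            potential.append(m.group(1))
    return confirmed, potential

def blockers(confirmed):
    """Confirmed references per owning table: each must be edited before
    the object can be deleted."""
    return Counter(table for table, _, _ in confirmed)

def is_deletable(confirmed):
    """An object can be removed only when refcnt reports no confirmed users."""
    return not confirmed

if __name__ == "__main__":
    used, may = parse_refcnt(SAMPLE_OUTPUT)
    print(dict(blockers(used)), "deletable:", is_deletable(used), "potential:", len(may))
```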

 

How to identify an Object Name:

Use the 'get' command to find out what the object name is:

FortiGate60E  # get firewall address
== [ all ]
name: all
== [ SSLVPN_TUNNEL_ADDR1 ]
name: SSLVPN_TUNNEL_ADDR1
== [ 10.10.1.4 ]
name: 10.10.1.4
== [ 10.10.1.3 ]
name: 10.10.1.3
== [ 10.0.0.3/24 ]
name: 10.0.0.3/24


Common Objects to lookup:

# diag sys cmdb refcnt show system.interface.name <interface name> (**1)
# diag sys cmdb refcnt show firewall.address:name <address name> (**2)
# diag sys cmdb refcnt show firewall.profile: <profile name>
# diag sys cmdb refcnt show firewall.service.group:name <servicegroup name>


(**1) <interface name> can be a physical or a virtual interface such as a VLAN, switch group or 802.3ad aggregate.
(**2) <address name> can be written with single quotes, double quotes or no quotes.

Separator Tags:

The 'name' tag of the key is usually separated from the table path with ':'.

Example:

# diag sys cmdb refcnt show system.interface.name wan1

Result:

Entry used by table firewall.address:name 'all'.


Virtual Domains – VDOM:

In VDOM environments, all the above-mentioned commands can only be used in the global configuration context.