FortiManager
RuiChang
Staff
Article Id 272482
Description

This article explains why script execution against the Device Database can fail in FortiManager.

Scope

FortiManager.

Solution

In FortiManager, scripts are used to simplify configuration across multiple devices. However, FortiManager restricts what a script may change so that invalid or sensitive configurations are not made directly on the Device Database.

If the configuration is prohibited in the FortiManager Device Database, the error message below will appear:

 

[line 5] > set fmg-source-ip [parameter(s) invalid. object: fmg-source-ip. detail: not allow to change]

Failed to commit to DB, reason([line 5] > set fmg-source-ip [parameter(s) invalid. object: fmg-source-ip. detail: not allow to change]

)

 

In this case, the user needs to run the script against 'Remote FortiGate Directly (via CLI)'.

The following configurations are prohibited from being made on the FortiManager Device Database:

notinstall {
    "certificate ca last-updated";
    "certificate crl last-updated";
    "certificate local last-updated";
    "dpdk cpus";
    "dpdk global";
    "endpoint-control fctems capabilities";
    "endpoint-control fctems serial-number";
    "firewall address list";
    "log tap-device";
    "switch-controller managed-switch ports port-owner";
    "switch-controller traffic-policy id";
    "switch-controller vlan";
    "system central-management fmg";
    "system central-management fmg-source-ip";
    "system central-management fmg-source-ip6";
    "system central-management serial-number";
    "system central-management type";
    "system central-management vdom";
    "system fortiguard service-account-id";
    "system global http-request-limit";
    "system global http-unauthenticated-request-limit";
    "system ha chassis-id";
    "system storage";
    "user group guest";
    "user quarantine targets macs entry-id";
    "vpn certificate ca last-updated";
    "vpn certificate crl last-updated";
    "vpn certificate local last-updated";
    "webfilter override initiator";
};

Notes:

The list may change or be updated from time to time. Users may open a FortiCare ticket to check with TAC engineers.
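
A pre-flight check for the restriction described above, as an added example that is not Fortinet's code: it parses a notinstall block and flags the set/unset lines of a script that fall under a listed path, before the script is run against the Device Database. The matching rule (an entry is the config path plus attribute, with edit names ignored), the sample script and the function names are assumptions; the list in the code is an excerpt of the one on this page.

```python
import re

# Excerpt of the notinstall list on this page; paste the full block for real use.
NOTINSTALL = '''
notinstall {
    "firewall address list";
    "switch-controller managed-switch ports port-owner";
    "system central-management fmg-source-ip";
    "system storage";
};
'''

# Constructed sample script (not from the page); line 5 sets a prohibited attribute.
SCRIPT = '''config system global
    set hostname "branch-fw01"
end
config system central-management
    set fmg-source-ip 192.0.2.10
end
'''

def parse_notinstall(text):
    """Return each quoted entry as a tuple of path tokens."""
    return [tuple(e.split()) for e in re.findall(r'"([^"]+)"', text)]

def lint_script(script, prohibited):
    """Return (line_no, line, entry) for set/unset lines under a prohibited path."""
    stack, findings = [], []   # one token list per open 'config' block
    for no, raw in enumerate(script.splitlines(), 1):
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(tok[1:])
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] in ("set", "unset") and len(tok) > 1:
            # Assumption: 'edit' names are not part of an entry, so they are skipped.
            path = tuple(t for blk in stack for t in blk) + (tok[1],)
            for entry in prohibited:
                if path[:len(entry)] == entry:   # entry equals the path or is a parent of it
                    findings.append((no, raw.strip(), " ".join(entry)))
                    break
    return findings

if __name__ == "__main__":
    for no, line, entry in lint_script(SCRIPT, parse_notinstall(NOTINSTALL)):
        print(f"[line {no}] {line} -> prohibited in Device Database: {entry}")
```

Lines it flags are the ones to move into a script run against 'Remote FortiGate Directly (via CLI)'.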