Nested group object not present on FortiGate when configured through FortiManager

I encountered a problem with a firewall blocking traffic even though it was supposed to let traffic through.
This particular policy used nested object grouping (Main group > Sub-group > NetworkAdr-member).
The odd thing was that it only seemed to affect one vDom.

What was happening:
The traffic did not match the configured policy and was dropped by policy 0 (implicit deny).

Conditions:

  • Configuration is done through FortiManager.
  • vDoms are used.
  • After diag debug and everything confirmed it was indeed dropped in policy, I finally dived into the object itself on the particular firewall. There I saw the NetworkAdr-member was not present in the Sub-group object.

Upon closer inspection of the Sub-group object in FortiManager, I noticed the “Per Device Mapping” was turned on. It was within this mapping that the NetworkAdr-member object was missing.
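The check that finds this condition is a comparison of the address group as defined in FortiManager against the address group as it actually exists in the affected vDom, resolved through any nesting. The script below is an added example, not part of the original post or any Fortinet tooling. It assumes two text captures in FortiOS `show firewall addrgrp` syntax (the intended definition and a copy taken inside the affected vDom); the object names and both configs are constructed to mirror the Main group > Sub-group > NetworkAdr-member case above, with one extra member so the nested flattening is visible.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the nested groups as defined in FortiManager (what should be on the device).
EXPECTED_CONFIG = """
config firewall addrgrp
    edit "Main group"
        set member "Sub-group"
    next
    edit "Sub-group"
        set member "NetworkAdr-member" "Other-member"
    next
end
"""

# Constructed sample: the same groups as pushed to the affected vDom, where the
# per-device mapping dropped NetworkAdr-member from Sub-group.
ACTUAL_CONFIG = """
config firewall addrgrp
    edit "Main group"
        set member "Sub-group"
    next
    edit "Sub-group"
        set member "Other-member"
    next
end
"""


def parse_addrgrp(config_text: str) -> Dict[str, List[str]]:
    """Parse the 'config firewall addrgrp' section into {group name: [direct members]}."""
    groups: Dict[str, List[str]] = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall addrgrp":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            in_section = False
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is not None and line.startswith("set member "):
            # Members are quoted names on one line: set member "a" "b" ...
            groups[current].extend(re.findall(r'"([^"]+)"', line))
            continue
        if line == "next":
            current = None
    return groups


def flatten(group: str, groups: Dict[str, List[str]], path: Tuple[str, ...] = ()) -> Set[str]:
    """Resolve a group (recursively through nested groups) to its set of leaf address objects.

    'path' is the chain of groups currently being expanded; it stops cyclic membership
    without hiding a sub-group that legitimately appears under two parents.
    """
    if group in path:
        return set()
    leaves: Set[str] = set()
    for member in groups.get(group, []):
        if member in groups:
            leaves |= flatten(member, groups, path + (group,))
        else:
            leaves.add(member)
    return leaves


def find_missing_members(expected_text: str, actual_text: str) -> Dict[str, List[str]]:
    """Return {group: [leaf objects present in the expected definition but absent on the device]}.

    Because membership is flattened, a member missing from a sub-group also shows
    up as missing from every parent group that includes it, which is exactly
    the policy-matching view the firewall uses.
    """
    expected = parse_addrgrp(expected_text)
    actual = parse_addrgrp(actual_text)
    missing: Dict[str, List[str]] = {}
    for group in expected:
        gap = flatten(group, expected) - flatten(group, actual)
        if gap:
            missing[group] = sorted(gap)
    return missing


if __name__ == "__main__":
    for group, members in find_missing_members(EXPECTED_CONFIG, ACTUAL_CONFIG).items():
        print(f"{group}: missing {', '.join(members)}")
```

Run against real captures, an empty result means the device holds every leaf object the central definition intends; any entry under the top-level group is the object whose traffic will fall through to the implicit deny.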

Hopefully this post will fast track the troubleshooting for individuals encountering similar problems.
