FortiManager ADOM upgrade fails with error "invalid value filter by"
In preparation for the rollout of a new FortiManager version at work, I had the “pleasure” to perform several ADOM upgrades. During this process I encountered a very specific error that I want to show you here as well as the solution I found.
In my case the error only occurred when I tried to upgrade the automatically created ADOM FortiFirewallCarrier from version 6.2 to 6.4. Shortly after starting the upgrade the FortiManager aborted the process with the rather unhelpful error message “Fail(errno=-2):invalid value for filter-by”. This can be seen in the following screenshot:
![Error message reported by the FortiManager when the upgrade fails](FortiManager_ErrorMessage.webp)
According to the “Troubleshooting ADOM Upgrade” section of the following Fortinet KB Article additional information about such an error can be gathered by executing the following debug commands before trying the upgrade again:
```
diagnose debug service cdb 255
diagnose debug timestamp enable
diagnose debug enable
```
In my case the FortiManager provided me with the following log entries:
```
2024-08-06 09:56:47 --> commit 2024-08-06 09:56:47 copy filter.1(soid=475) to dparent=2034, 2024-08-06 09:56:47 fail: err=-2,invalid value for filter-by
2024-08-06 09:56:47 ======= Dump sentry and dentry======
2024-08-06 09:56:47 475 ---> 2035
2024-08-06 09:56:47 name: 2024-08-06 09:56:47 SSN-Sensor-Filter 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 SSN-Sensor-Filter 2024-08-06 09:56:47
2024-08-06 09:56:47 match-percentage: 2024-08-06 09:56:47 10 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 10 2024-08-06 09:56:47
2024-08-06 09:56:47 regexp: 2024-08-06 09:56:47 WebEx 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 WebEx 2024-08-06 09:56:47
2024-08-06 09:56:47 archive: 2024-08-06 09:56:47 disable 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 disable 2024-08-06 09:56:47
2024-08-06 09:56:47 action: 2024-08-06 09:56:47 allow 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 allow 2024-08-06 09:56:47
2024-08-06 09:56:47 expiry: 2024-08-06 09:56:47 5m 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 5m 2024-08-06 09:56:47
2024-08-06 09:56:47 severity: 2024-08-06 09:56:47 high 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 high 2024-08-06 09:56:47
2024-08-06 09:56:47 id: 2024-08-06 09:56:47 1 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 1 2024-08-06 09:56:47
2024-08-06 09:56:47 type: 2024-08-06 09:56:47 message 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 message 2024-08-06 09:56:47
2024-08-06 09:56:47 proto: 2024-08-06 09:56:47 smtp 2024-08-06 09:56:47 pop3 2024-08-06 09:56:47 imap 2024-08-06 09:56:47 mapi 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 imap 2024-08-06 09:56:47 smtp 2024-08-06 09:56:47 pop3 2024-08-06 09:56:47 mapi 2024-08-06 09:56:47
2024-08-06 09:56:47 filter-by: 2024-08-06 09:56:47 regexp 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47
2024-08-06 09:56:47 ===================================
2024-08-06 09:56:47 copy filter.1(soid=475) to dparent=2034, :fail.
2024-08-06 09:56:47 copy dlp sensor.SSN-Sensor(soid=474) to dparent=1614, :fail.
```
As indicated by the last line the error seems to reside in a DLP sensor called SSN-Sensor. Its filter-by attribute seems to be invalid and that causes the upgrade to fail. However, I wasn’t able to determine why the attribute was faulty. I tried to fix the problem by editing the DLP sensor in the web UI but for unknown reasons the appropriate menu wasn’t displayed by the FortiManager in this specific ADOM:
![The DLP menu is missing in the web UI for the FortiFirewallCarrier ADOM](FortiManager_MissingDLP.webp)
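The comparison made by eye on the debug dump above can be scripted. The following is an added example, not code from the original post or from Fortinet: it strips the interleaved timestamps, compares the value on each side of `--->` per attribute, and lists the failed copy operations. The sample lines are constructed in the shape of the log shown above, the function names are hypothetical, and reading the left side as the source object and the right side as the copy is an assumption.

```python
import re

# Constructed sample: a few lines in the shape of the cdb debug output shown above.
SAMPLE = """\
2024-08-06 09:56:47 475 ---> 2035
2024-08-06 09:56:47 action: 2024-08-06 09:56:47 allow 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 allow 2024-08-06 09:56:47
2024-08-06 09:56:47 proto: 2024-08-06 09:56:47 smtp 2024-08-06 09:56:47 pop3 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47 pop3 2024-08-06 09:56:47 smtp 2024-08-06 09:56:47
2024-08-06 09:56:47 filter-by: 2024-08-06 09:56:47 regexp 2024-08-06 09:56:47 ---> 2024-08-06 09:56:47
2024-08-06 09:56:47 copy filter.1(soid=475) to dparent=2034, :fail.
2024-08-06 09:56:47 copy dlp sensor.SSN-Sensor(soid=474) to dparent=1614, :fail.
"""

TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
ATTR = re.compile(r"^([\w-]+):\s*(.*?)\s*--->\s*(.*)$")
FAIL = re.compile(r"^copy (.+?)\(soid=(\d+)\) to dparent=(\d+), :fail\.$")

def strip_ts(line):
    """Remove every interleaved timestamp and collapse whitespace."""
    return " ".join(TS.sub(" ", line).split())

def analyze(text):
    """Return (attributes whose two sides differ, failed copy operations)."""
    changed, failed = {}, []
    for raw in text.splitlines():
        line = strip_ts(raw)
        m = ATTR.match(line)
        if m:
            name, src, dst = m.group(1), m.group(2).split(), m.group(3).split()
            # Multi-value attributes (e.g. proto) may be reordered; compare as sets.
            if set(src) != set(dst):
                changed[name] = (src, dst)
            continue
        m = FAIL.match(line)
        if m:
            failed.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return changed, failed

if __name__ == "__main__":
    changed, failed = analyze(SAMPLE)
    for name, (src, dst) in changed.items():
        print(f"{name}: left={src} right={dst or 'EMPTY'}")
    for obj, soid, dparent in failed:
        print(f"failed copy: {obj} (soid={soid}, dparent={dparent})")
```
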
Since we don’t use the FortiFirewallCarrier ADOM in our FortiManager instance and I didn’t want to spend more time on debugging I decided to resolve the problem by deleting the whole DLP sensor via the API. This can be done by executing the following API call:
```json
{
  "id": 1,
  "method": "delete",
  "params": [
    {
      "url": "/pm/config/adom/FortiFirewallCarrier/obj/dlp/sensor/SSN-Sensor"
    }
  ],
  "session": "..."
}
```
Of course please be aware that you need to log in to the system and lock the ADOM before you can delete the sensor. Additionally don’t forget to save the changes afterwards. For people less experienced with the FortiManager API I collected all necessary API calls in this text file: delete_sensor_api_calls.txt. These payloads can be sent via curl or any other tool like Postman.
After deleting this sensor the ADOM upgrade was successful. I hope this article is helpful to some of you out there who may experience the same problem.
Thanks for reading and until next time. 👋