bluecmd / fortigate_exporter

Prometheus exporter for Fortigate firewalls
GNU General Public License v3.0

Failed to map #274

Open RyanInsolencee opened 8 months ago

RyanInsolencee commented 8 months ago

I'm connected to my Fortigates and when running the exporter it will shoot out a bunch of 'Warning: Failed to map "" to policy config - this should not happen' even when the probe is successful. What does this mean? Also, I notice some missing ports that aren't showing up, as they are configured as hardware switch on my Fortigate. Will they not show up?

bluecmd commented 8 months ago

Please paste the full log

alessskeno commented 8 months ago

I have also faced this issue. Container log:

2024/02/02 18:53:23 Loaded 1 API keys
2024/02/02 18:53:23 Fortigate exporter running, listening on ":9710"
2024/02/02 18:53:54 Error: Response code was 403, expected 200 (path: "api/v2/monitor/system/resource/usage")
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 18:53:57 Warning: Failed to map "" to policy config - this should not happen
2024/02/02 20:00:28 Probe of "https://10.100.70.1" failed, took 2.979 seconds

Note: I am running the exporter with the insecure option.

Laudatore commented 2 months ago

Hi,

Did you by any chance have an answer concerning: Warning: Failed to map "" to policy config - this should not happen? I also succeed in getting the metrics without errors, but the log is spammed with Warning: Failed to map "" to policy config - this should not happen. Do you have any idea what I did wrong? Thx a lot.

fulopbencus commented 2 months ago

Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Warning: Failed to map "" to policy config - this should not happen
Error: Response code was 424, expected 200 (path: "api/v2/monitor/log/fortianalyzer")
Error: Response code was 404, expected 200 (path: "api/v2/monitor/switch-controller/managed-switch")
Probe of "https://xxxxxxxxxxxxxx" failed, took 0.322 seconds

It's also providing metrics despite failed mapping. Maybe the key is to fiddle around with the included probes.

denngie commented 1 month ago

https://github.com/bluecmd/fortigate_exporter/blob/2aaf029b74e85b2c78464255e6741e623aa29223/pkg/probe/firewall_policy.go#L143

That must be the line triggering this message. After a little research in my own lab I think it is due to fw rule(s) being disabled. When I explore the metrics I can see all my active fw rules by name, but my disabled rule is missing and I see a \ instead.

EDIT: still getting the error after enabling my rule. I have 12 rules and I see this message 12 times per probe. Do all policies generate this log message?

Laudatore commented 1 month ago

I checked, and I got 34 "this should not happen" messages for about 1000 rules.

denngie commented 1 month ago

> I checked, and I got 34 "this should not happen" messages for about 1000 rules.

How many of your rules have both IPv4 and IPv6? I've done some additional testing and I stop seeing this error if I throw in IPv6 address objects in my policies.

denngie commented 1 month ago

Each policy containing only IPv4 objects is listed in the IPv6 query but without the necessary fields for ID, UUID, name etc.

https://192.168.0.1/api/v2/monitor/firewall/policy/select?vdom=*&ip_version=ipv6:

[
  {
    "http_method":"GET",
    "results":[
      {
        "policyid":13,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":11,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":10,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":1,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":2,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":3,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":4,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":5,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":6,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":8,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":9,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":12,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      },
      {
        "policyid":0,
        "active_sessions":0,
        "bytes":0,
        "packets":0,
        "software_bytes":0,
        "software_packets":0,
        "asic_bytes":0,
        "asic_packets":0
      }
    ],
    "vdom":"root",
    "path":"firewall",
    "name":"policy",
    "action":"select",
    "status":"success",
    "serial":"myserial",
    "version":"v7.4.3",
    "build":2573
  }
]
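
An added example, not part of the thread and not the exporter's own code: one way to handle the identifier-less IPv6 entries shown above without logging a warning per policy. It assumes the statistics are joined to the policy config by a `uuid` key (an assumed field name); the sample response is constructed, and entries that lack a UUID but carry non-zero counters are kept apart so real mapping failures stay visible.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample modelled on the response pasted above. The "uuid" key
// is an assumed field name; policy 4 is a made-up anomalous entry.
const sample = `[{"vdom":"root","results":[
 {"policyid":7,"uuid":"00000000-0000-0000-0000-000000000007","bytes":120,"packets":3},
 {"policyid":13,"active_sessions":0,"bytes":0,"packets":0},
 {"policyid":0,"active_sessions":0,"bytes":0,"packets":0},
 {"policyid":4,"bytes":512,"packets":9}]}]`

type policyStat struct {
	PolicyID int    `json:"policyid"`
	UUID     string `json:"uuid"` // empty when the key is absent
	Bytes    uint64 `json:"bytes"`
	Packets  uint64 `json:"packets"`
}

type vdomStats struct {
	VDOM    string       `json:"vdom"`
	Results []policyStat `json:"results"`
}

// splitMappable sorts entries into: mappable (has a UUID), quiet (no UUID and
// all-zero counters, safe to skip silently) and odd (no UUID but traffic seen).
func splitMappable(raw []byte) (mappable, quiet, odd []policyStat, err error) {
	var resp []vdomStats
	if err = json.Unmarshal(raw, &resp); err != nil {
		return nil, nil, nil, err
	}
	for _, v := range resp {
		for _, s := range v.Results {
			switch {
			case s.UUID != "":
				mappable = append(mappable, s)
			case s.Bytes == 0 && s.Packets == 0:
				quiet = append(quiet, s)
			default:
				odd = append(odd, s)
			}
		}
	}
	return mappable, quiet, odd, nil
}

func main() {
	m, q, o, err := splitMappable([]byte(sample))
	if err != nil {
		panic(err)
	}
	// One summary line per probe instead of one warning per policy.
	fmt.Printf("ipv6 stats: %d mappable, %d empty skipped, %d unmapped with traffic\n", len(m), len(q), len(o))
}
```
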

Laudatore commented 1 month ago

Hello, thanks for the API URL. So I see exactly what you have shown. So now I need to talk with the network admin to see how we disable IPv6. I'll get back to you when done and tell you if I stop seeing the warning logs for the exporter. Thank you.

denngie commented 1 month ago

My temporary fix for now is to comment out (double slash) these lines:

https://github.com/bluecmd/fortigate_exporter/blob/2aaf029b74e85b2c78464255e6741e623aa29223/pkg/probe/firewall_policy.go#L165-L169

That way it doesn't even try to parse IPv6 statistics.

denngie commented 4 weeks ago

Disabled rules do produce this error message as well.