How to resolve ‘error -651: Input value is invalid’ when it is not possible to create a firewall policy for the SSL VPN interface

This article describes how to resolve the ‘error -651: Input value is invalid’ error received when creating a firewall policy for an SSL VPN interface.

Scope

FortiGate.

Solution

There are scenarios where all required policies and interfaces must be configured before the firewall is deployed onsite.

The example below is a scenario in which an SSL VPN is created before deployment.

The required SSL VPN is configured first, with either a split-enabled portal or a split-disabled portal.

Below is the SSL VPN settings example for the current error scenario:

When creating a firewall policy, the error below is received:

The firewall policy can be created in the disabled state, but it cannot then be enabled: a similar error to the one above is received.

When trying to enable the firewall policy from the CLI, the error can appear:

This error appears when the certificate under SSL VPN settings is missing, as shown in the above picture. To avoid the error, select at least the factory default certificate on the FortiGate until a CA-signed SSL certificate is obtained. Once corrected, it will be possible to create a firewall policy.

When comparing the current image with the initial SSL VPN configuration, there is a server certificate missing from image1.

In the below screenshot, it is possible to enable the firewall policy without any error.
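A pre-deployment check for the condition described above, as an added example that is not Fortinet's code or part of the original article: it scans a staged configuration for firewall policies that use the SSL VPN interface while no server certificate is set under the SSL VPN settings. It assumes `show full-configuration` style text and the tunnel interface name `ssl.root` (not named in the article); the function names are hypothetical.

```python
import re

# Constructed sample in `show full-configuration` style (not taken from the article).
SAMPLE_CONFIG = """\
config vpn ssl settings
    set servercert ''
end
config firewall policy
    edit 1
        set srcintf "ssl.root"
        set dstintf "internal"
        set status disable
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
    next
end
"""

def section(config, header):
    """Body of a top-level 'config <header>' ... 'end' block, or '' if absent."""
    m = re.search(rf"^config {re.escape(header)}\n(.*?)^end$", config, re.S | re.M)
    return m.group(1) if m else ""

def server_cert(config):
    """SSL VPN server certificate name, or None when the value is absent or empty."""
    m = re.search(r'^\s*set servercert[ \t]+["\']?([^"\'\n]*)',
                  section(config, "vpn ssl settings"), re.M)
    return (m.group(1).strip() or None) if m else None

def sslvpn_policies(config, iface="ssl.root"):
    """IDs of firewall policies whose srcintf or dstintf names the SSL VPN interface."""
    entries = re.findall(r"^\s+edit (\d+)\n(.*?)^\s+next$",
                         section(config, "firewall policy"), re.S | re.M)
    pattern = rf'set (?:src|dst)intf .*"{re.escape(iface)}"'
    return [int(pid) for pid, body in entries if re.search(pattern, body)]

def audit(config, iface="ssl.root"):
    """Findings for the state the article ties to error -651 (assumed interface name)."""
    if server_cert(config) is not None:
        return []
    return [f"policy {p}: uses {iface} but no SSL VPN server certificate is set"
            for p in sslvpn_policies(config, iface)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
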
