New Features

Dynamic Policy - Fabric Devices

A new dynamic address group is added in 6.2, which represents the configured IP addresses of all Fortinet devices connected to the Security Fabric. In this first phase, it includes FortiManager, FortiAnalyzer, FortiClient EMS, FortiMail, FortiAP(s), and FortiSwitch(es). Like other dynamic address groups for fabric connectors, this can be used in IPv4 policies and objects.

Firewall address now includes a new default address object called FABRIC_DEVICE, and you can apply the address object to the following types of policies:

  • IPv4 firewall policy (including virtual wire pairs)
  • IPv4 shaping policy
  • IPv4 ACL policy
  • Policy64 and Policy46 (IPv4 only)
  • Consolidated policy (IPv4 only)

You cannot apply the FABRIC_DEVICE object to the following types of policies:

  • All IPv6 policies
  • IPv4 explicit proxy policy

You also cannot use the FABRIC_DEVICE object with the following settings:

  • Custom/extension internet-service
  • Exclusion of addrgrp

Initially, the FABRIC_DEVICE object does not have an address value. The address value is populated dynamically as the Security Fabric changes. As a result, you cannot edit the FABRIC_DEVICE object, and you cannot add addresses to it or remove addresses from it.

The address values of the FABRIC_DEVICE object are populated based on:

  • FortiAnalyzer IP (from the Fabric Settings pane)
  • FortiManager IP (from the Fabric Settings pane)
  • FortiMail IP (from the Fabric Settings pane)
  • FortiClient EMS IP (from the Fabric Settings pane)
  • FortiAP IPs (from the FortiAP Setup pane or DHCP)
  • FortiSwitch IPs (from the FortiSwitch Setup page or DHCP)

Example of the FABRIC_DEVICE object in the Edit Address pane. The pane includes only a Return button because the object is read-only:

Example of the FABRIC_DEVICE object, and of an IPv4 policy that uses it as the destination address, as shown in the CLI:

    FGT-300D_A (root) # show fu firewall address FABRIC_DEVICE
    config firewall address
        edit "FABRIC_DEVICE"
            set type ipmask
            set comment "IPv4 addresses of Fabric Devices."
            set visibility enable
            set associated-interface ''
            set color 0
            set allow-routing disable
            set subnet 0.0.0.0 0.0.0.0
        next
    end
    FGT-300D_A (root) #

    FGT-300D_A (root) # show firewall policy
    config firewall policy
        edit 1
            set uuid cbe9e74c-37c6-51e9-9cf1-9510b503f2bf
            set srcintf "port2"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "FABRIC_DEVICE"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set fsso disable
            set nat enable
        next
    end
    FGT-300D_A (root) #

Example of the diagnose command, which lists the IP addresses currently included in FABRIC_DEVICE. For now, this is the only method to list the content of the FABRIC_DEVICE object:

    FGT-300D_A (root) # diagnose firewall iprope list 100004
    policy index=1 uuid_idx=25 action=accept
    flag (8050108): redir nat master use_src pol_stats
    flag2 (4000): resolve_sso
    flag3 (20):
    schedule(always)
    cos_fwd=255 cos_rev=255
    group=00100004 av=00004e20 au=00000000 split=00000000
    host=0 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0 dd_type=0 dd_mode=0
    zone(1): 10 -> zone(1): 9
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=3,
    dest(5): 172.18.64.48-172.18.64.48, uuid_idx=1, 172.18.60.25-172.18.60.25, uuid_idx=1, 172.18.52.154-172.18.52.154, uuid_idx=1, 172.18.28.31-172.18.28.31, uuid_idx=1, 172.18.62.6-172.18.62.6, uuid_idx=1,
    service(1):
    [0:0x0:0/(0,65535)->(0,65535)] helper:auto
    FGT-300D_A (root) #
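Because the diagnose output is the only way to see what FABRIC_DEVICE currently holds, an operator will want to reconcile it against the devices configured in Fabric Settings. The following Python check is an added example, not Fortinet code or output: it parses the dest section of the diagnose output above and splits the live membership into known devices, unknown addresses, and expected devices that are missing; the role assigned to each address is assumed for the example, and the leftover 172.18.62.6 stands for a device not listed in the inventory (for instance a FortiAP or FortiSwitch learned via DHCP).

```python
# Added check: parse dest(...) from 'diagnose firewall iprope list' and reconcile it with Fabric Settings.
import ipaddress
import re

# Constructed sample: an excerpt of the diagnose output shown on this page.
SAMPLE_IPROPE = """\
source(1): 0.0.0.0-255.255.255.255, uuid_idx=3,
dest(5): 172.18.64.48-172.18.64.48, uuid_idx=1, 172.18.60.25-172.18.60.25, uuid_idx=1, 172.18.52.154-172.18.52.154, uuid_idx=1, 172.18.28.31-172.18.28.31, uuid_idx=1, 172.18.62.6-172.18.62.6, uuid_idx=1,
service(1):
"""

# Constructed inventory: the role labels are assumed for this example; the
# addresses are the first four listed in the sample output above.
EXPECTED_FABRIC = {
    "172.18.64.48": "FortiAnalyzer",
    "172.18.60.25": "FortiManager",
    "172.18.52.154": "FortiClient EMS",
    "172.18.28.31": "FortiMail",
}

_RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})")
_DEST_RE = re.compile(r"^dest\((\d+)\):(.*)$", re.MULTILINE)

def parse_dest_addresses(iprope_output):
    """Return the IPv4 hosts in the dest section; ValueError if the dest(N)
    count disagrees with the ranges printed (usually a truncated paste)."""
    m = _DEST_RE.search(iprope_output)
    if not m:
        raise ValueError("no dest(...) section found")
    declared, ranges = int(m.group(1)), _RANGE_RE.findall(m.group(2))
    if len(ranges) != declared:
        raise ValueError(f"dest({declared}) declared, {len(ranges)} ranges parsed")
    hosts = set()
    for start, end in ranges:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if hi - lo > 1024:  # FABRIC_DEVICE holds single hosts, not large ranges
            raise ValueError(f"unexpectedly large range {start}-{end}")
        hosts.update(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
    return hosts

def reconcile(iprope_output, expected):
    """Return (known {ip: role}, unknown [ip], missing [ip]) for the live object."""
    live = parse_dest_addresses(iprope_output)
    known = {ip: expected[ip] for ip in live if ip in expected}
    return known, sorted(live - set(expected)), sorted(set(expected) - live)

if __name__ == "__main__":
    known, unknown, missing = reconcile(SAMPLE_IPROPE, EXPECTED_FABRIC)
    print("known:", known)
    print("unknown:", unknown, "missing:", missing)
```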