In FortiOS 6.2.1, the device detection-related labels have been modified. This affects control parts, such as device-based firewall policies, captive portals, and access lists. The device discovery system uses new tagging and types.
- When you create a firewall policy, the Device option is no longer available in the Source and Destination entry lists. The available options are: Address, User, and Internet Service.
- In the User & Device menu, the Custom Devices & Groups option is no longer available.
Custom devices and device groups can now be configured as MAC addresses.
- Go to Policy & Objects > Addresses.
- Click Create New.
- Select Address or Address Group.
- For Type, select Device (MAC Address).
- Configure the other fields as needed.
- Click OK.
The following CLI commands have been removed:
config user device
config user device-access-list
config user device-category
config user device-group
config firewall policy edit 1 set devices next end
config firewall policy6 edit 1 set devices next end
The device discovery system now uses the following tags and types:
- Hardware vendor
- Hardware version
- Software OS
- Software version
As a result, the user device list diagnostic command output has changed:
(root) # diag user device list hosts vd root/0 00:08:e3:ed:35:16 gen 12 req OUS/16 created 2178s gen 11 seen 17s port1 gen 6 ip 172.16.200.253 src cdp hardware vendor 'Cisco' src cdp id 60 type 'Networking' src cdp id 60 family 'Catalyst' src cdp id 60 os 'IOS' src cdp id 60 hardware version 'C2950' src cdp id 60 software version '12.1(12c)EA1' src cdp id 60 host 'SW8' src cdp
All custom devices and device groups not being used in a firewall policy prior to upgrading will not be retained after upgrading.
In certain circumstances, custom devices and device groups can be upgraded.
config firewall policy edit 1 set name "p1" set uuid 6eaeef92-7db1-51e9-4b73-6701d7749026 set srcintf "port2" set dstintf "port1" set srcaddr "_upg_devgrp_grp1" set dstaddr "all" set action accept set schedule "always" set service "ALL" set fsso disable set nat enable next end
config firewall addrgrp edit "_upg_devgrp_grp1" set uuid 97274902-8887-51e9-ca99-732d3cb9adbe set member "_upg_dev_dev1@00:08:e3:ed:35:16" set visibility disable next end
config firewall address edit "_upg_dev_dev1@00:08:e3:ed:35:16" set uuid 97274b64-8887-51e9-7a02-2efee81068cb set type mac set start-mac 00:08:e3:ed:35:16 set end-mac 00:08:e3:ed:35:16 set visibility disable next end