Starting with SD-WAN Orchestrator MEA 6.4.1.r6, every user-specified, custom IP address on a LAN/DMZ interface must also fall within an intranet IP pool. As a result, the GROUP.CUSTOM_groupname address group is no longer needed.
All LAN/DMZ subnets must be covered by a blackhole static route, and the subnet of the blackhole route must not be identical to any LAN/DMZ subnet. If the blackhole subnet equals a LAN/DMZ subnet, the route for that interface becomes invalid. All user-specified, custom IP addresses must be included in an intranet IP pool. See Creating intranet IP pools.
In SD-WAN Orchestrator MEA 6.4.1.r5 and earlier, you could create an address group named GROUP.CUSTOM_groupname for each region to hold user-specified, custom IP addresses. A custom IP address is an address that the user enters directly on the LAN/DMZ interface; it is not allocated by SD-WAN Orchestrator MEA. In those releases the custom IP address must NOT be in an IP pool, or a conflict occurs.
GROUP_ALL contains every region's GROUP.CUSTOM_groupname address group and all IP pool address groups. Because every address allocated from an IP pool is included in that pool's address group, GROUP_ALL therefore contains all addresses.
Using the GROUP.CUSTOM_groupname address group in business rules and in FortiManager policy packages is not recommended, because it holds only part of the addresses of the corresponding region: it contains the user-specified custom addresses of that region but not the addresses allocated from IP pools.
For example, suppose there is a region named Seattle, an intranet IP pool named pool1 with the subnet 192.168.0.0/16, a user-specified custom address 18.104.22.168/24 on port4 of the device with ID 1, and an address 192.168.1.0/24 on port5 of the same device.
SD-WAN Orchestrator MEA 6.4.1.r5 and earlier handles the scenario as follows:
- GROUP_ALL includes two address groups: GROUP.CUSTOM_Seattle and POOL_pool1.
- GROUP.CUSTOM_Seattle contains DEVICE_1_port4 (with address 22.214.171.124/24).
- POOL_pool1 contains POOL_192.168.0.0_16 (with address 192.168.0.0/16).
- The port5 address does not need to be added to GROUP_ALL as a separate item, because it is already covered by POOL_192.168.0.0_16.
GROUP_Seattle is also created for the Seattle region. This group contains the address group DEVICE_1, which includes DEVICE_1_port4 (with address 126.96.36.199/24) and DEVICE_1_port5 (with address 192.168.1.0/24).
GROUP.CUSTOM_Seattle is not recommended for use in business rules and in FortiManager policy packages; use GROUP_Seattle instead.
SD-WAN Orchestrator MEA 6.4.1.r6 and later handles the scenario as follows:
- The user must create an intranet IP pool that covers port4, for example, an intranet IP pool named pool2 with the subnet 188.8.131.52/23.
- As a result, GROUP_ALL contains POOL_pool1 and POOL_pool2.
- POOL_pool1 contains POOL_192.168.0.0_16 (with address 192.168.0.0/16).
- POOL_pool2 contains POOL_184.108.40.206_23 (with address 220.127.116.11/23).
GROUP.CUSTOM_Seattle is no longer needed, because 18.104.22.168/24 is already included in GROUP_ALL through POOL_pool2.
The existing GROUP_Seattle and its members are unchanged, and you can continue to use that group in business rules and FortiManager policy packages as before.