Dynamic address in a policy
You can use a dynamic address in a policy just like any other address object. Dynamic addresses have a different icon to show that they are Fabric connector addresses.
The CLI commands to configure the same policy are as follows:
config firewall policy
    edit 0
        set name "outgoing1"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "azure-client"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set logtraffic-start enable
        set capture-packet enable
        set nat enable
    next
end
Result
By using the FortiGate Fabric connector for Azure, the configuration of the FortiGate’s policies does not depend on the IP addresses of the resources connecting to it. You could move the entire environment to a new Azure location on a different continent with different public IP addresses, even for internal resources. After the move, no reconfiguration needs to take place. Everything works just as it did before the move.
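Because the addresses behind "azure-client" are resolved from Azure rather than written into the configuration, it helps to know which policies depend on dynamic address objects and how much they allow. The following is an added example, not part of the original page or of Fortinet's tooling: a small audit over a configuration backup that lists such policies and flags any that also use destination "all" with service "ALL". The "azure-client" definition, the connector name "azure1", and the second policy are constructed assumptions, and the parser handles only flat (non-nested) config blocks.

```python
import re
# Constructed sample; the "azure-client" definition and connector name "azure1" are assumptions.
SAMPLE = '''
config firewall address
    edit "azure-client"
        set type dynamic
        set sdn "azure1"
    next
end
config firewall policy
    edit 1
        set name "outgoing1"
        set srcaddr "azure-client"
        set dstaddr "all"
        set service "ALL"
    next
    edit 2
        set name "branch-web"
        set srcaddr "branch-lan"
        set service "HTTPS"
    next
end
'''

def parse_tables(text):
    """Parse flat config/edit/set blocks into {table: {entry: {option: [values]}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)] or [""]
        if tok[0] == "config":
            table, entry = tables.setdefault(" ".join(tok[1:]), {}), None
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            entry = None
    return tables

def dynamic_policy_report(text):
    """Return (policy name, dynamic addresses used, broad flag) per affected policy."""
    t = parse_tables(text)
    dynamic = {n for n, o in t.get("firewall address", {}).items() if o.get("type") == ["dynamic"]}
    report = []
    for pid, o in t.get("firewall policy", {}).items():
        used = sorted(dynamic & set(o.get("srcaddr", []) + o.get("dstaddr", [])))
        if used:  # broad = any destination and any service for a cloud-resolved source
            broad = o.get("dstaddr") == ["all"] and o.get("service") == ["ALL"]
            report.append((o.get("name", [pid])[0], used, broad))
    return report
```

For the sample, dynamic_policy_report(SAMPLE) reports only "outgoing1", with the broad flag set.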