Add route tag address objects
A route tag (route-tag) firewall address object contains the IPv4 or IPv6 prefixes that the routing table currently associates with a given BGP route tag number, and its membership is updated dynamically as BGP routing updates arrive. This removes the need to edit address objects by hand every time dynamic routing changes. The object can be used wherever a firewall address is accepted, such as in a firewall policy, a policy route, or an SD-WAN service rule. Because membership is derived from received BGP routes, the set of addresses a policy matches is only as trustworthy as the routes carrying that tag; check what a tag currently resolves to with diagnose firewall route_tag list.
The Route tag field has been removed from the Priority Rule configuration page (Network > SD-WAN > SD-WAN Rules). The |
To configure and apply a route tag address object in the GUI:
- Configure the route tag address object:
  - Go to Policy & Objects > Addresses and click Create New > Address.
  - Enter a Name, such as vd2_upg_sdwan_route_tag_44.
  - Set the Type to Route tag.
  - Enter the Route tag number, such as 44.
  - Click OK.
- Add the address to a firewall policy:
  - Go to Policy & Objects > Firewall Policy.
  - Edit an existing policy or create a new one.
  - Set the Destination to vd2_upg_sdwan_route_tag_44.
  - Configure the other settings as needed.
  - Click OK.
- Add the address to an SD-WAN service rule:
  - Go to Network > SD-WAN and select the SD-WAN Rules tab.
  - Edit an existing rule or create a new one.
  - In the Destination section, set the Address to vd2_upg_sdwan_route_tag_44.
  - Configure the other settings as needed.
  - Click OK.
To configure and apply a route tag address object in the CLI:
- Configure the route tag address object:
    config firewall address
        edit "vd2_upg_sdwan_route_tag_44"
            set type route-tag
            set route-tag 44
        next
    end
- Add the address to a firewall policy:
    config firewall policy
        edit 3
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "vd2_upg_sdwan_route_tag_44"
            set schedule "always"
            set service "ALL"
        next
    end
- Add the address to an SD-WAN service rule:
    config system sdwan
        config service
            edit 1
                set dst "vd2_upg_sdwan_route_tag_44"
                set priority-members 1
            next
        end
    end
To verify the configuration:
- After some traffic passes, verify that the route tag firewall address is associated with policy ID 3:
    # diagnose firewall iprope list | grep -A 15 index=3
    policy index=3 uuid_idx=754 action=accept
    flag (8010008): redir master pol_stats
    flag2 (4000): resolve_sso
    flag3 (100000a0): link-local best-route no-vwp
    schedule(always)
    cos_fwd=255 cos_rev=255
    group=00100004 av=00004e20 au=00000000 split=00000000
    host=5 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 0 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=684,
    service(1): [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
    route_tag(1): 44
- Verify the list of firewall route tag addresses:
    # diagnose firewall route_tag list
    list route tag info(vf(vd2)):
    route tag address, route_tag(30) vrf_num(1):
        vrf id(0), num(2):
            11.11.11.11-11.11.11.11
            100.1.1.0-100.1.1.255
    route tag address, route_tag(33) vrf_num(1):
        vrf id(0), num(1):
            33.1.1.0-33.1.1.255
    route tag address, route_tag(40) vrf_num(1):
        vrf id(0), num(2):
            11.11.11.11-11.11.11.11
            100.1.1.0-100.1.1.255
    route tag address, route_tag(44) vrf_num(1):
        vrf id(0), num(1):
            33.1.1.0-33.1.1.255
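Because a route tag object's membership follows BGP, the two diagnose commands above are worth automating: confirm that the policy still references the expected tag, and that the tag currently resolves to the prefixes you intended and nothing else. The following script is an added example and is not Fortinet code; it parses constructed sample output shaped like the listings on this page (same tags and ranges), collapses each tag's ranges into CIDR prefixes, and reports any prefix that has drifted outside an operator-supplied allow-list. The allow-lists and the policy text used for the checks are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample, shaped like "diagnose firewall route_tag list" output
# shown on this page. It is not a capture from a live device.
SAMPLE_ROUTE_TAG_LIST = """\
list route tag info(vf(vd2)):
route tag address, route_tag(30) vrf_num(1):
    vrf id(0), num(2):
        11.11.11.11-11.11.11.11
        100.1.1.0-100.1.1.255
route tag address, route_tag(33) vrf_num(1):
    vrf id(0), num(1):
        33.1.1.0-33.1.1.255
route tag address, route_tag(40) vrf_num(1):
    vrf id(0), num(2):
        11.11.11.11-11.11.11.11
        100.1.1.0-100.1.1.255
route tag address, route_tag(44) vrf_num(1):
    vrf id(0), num(1):
        33.1.1.0-33.1.1.255
"""

# Constructed excerpt of "diagnose firewall iprope list" for policy 3.
SAMPLE_IPROPE_POLICY = """\
policy index=3 uuid_idx=754 action=accept
schedule(always)
source(1): 0.0.0.0-255.255.255.255, uuid_idx=684,
route_tag(1): 44
"""

TAG_RE = re.compile(r"^route tag address, route_tag\((\d+)\)")
VRF_RE = re.compile(r"^vrf id\((\d+)\), num\((\d+)\):")
RANGE_RE = re.compile(r"^([0-9A-Fa-f.:]+)-([0-9A-Fa-f.:]+)$")


def parse_route_tag_list(text):
    """Parse the listing into {tag: {vrf_id: [(first, last), ...]}}.

    Raises ValueError when the number of ranges read for a VRF differs
    from the num(N) count the device printed, i.e. truncated output.
    """
    table, declared = {}, {}
    tag = vrf = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line)
        if m:
            tag, vrf = int(m.group(1)), None
            table.setdefault(tag, {})
            continue
        m = VRF_RE.match(line)
        if m and tag is not None:
            vrf = int(m.group(1))
            table[tag].setdefault(vrf, [])
            declared[(tag, vrf)] = int(m.group(2))
            continue
        m = RANGE_RE.match(line)
        if m and tag is not None and vrf is not None:
            first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
            table[tag][vrf].append((first, last))
    for (t, v), n in declared.items():
        if len(table[t][v]) != n:
            raise ValueError(f"route_tag({t}) vrf {v}: device declared {n} ranges, parsed {len(table[t][v])}")
    return table


def tag_prefixes(table, tag, vrf=0):
    """Collapse one tag's address ranges into CIDR strings."""
    out = []
    for first, last in table.get(tag, {}).get(vrf, []):
        out.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return out


def tag_matches(table, tag, address, vrf=0):
    """True if `address` is inside the tag's current membership."""
    addr = ipaddress.ip_address(address)
    return any(first <= addr <= last for first, last in table.get(tag, {}).get(vrf, []))


def unexpected_prefixes(table, tag, allowed, vrf=0):
    """Prefixes a BGP update has placed under `tag` that no allowed prefix covers."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    bad = []
    for p in tag_prefixes(table, tag, vrf):
        net = ipaddress.ip_network(p)
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed_nets):
            bad.append(p)
    return bad


def policy_route_tags(iprope_text):
    """Route tag numbers referenced in one policy's iprope entry."""
    m = re.search(r"^route_tag\(\d+\):\s*([\d ]+)$", iprope_text, re.M)
    return [int(x) for x in m.group(1).split()] if m else []


if __name__ == "__main__":
    table = parse_route_tag_list(SAMPLE_ROUTE_TAG_LIST)
    for tag in policy_route_tags(SAMPLE_IPROPE_POLICY):
        print(f"policy uses route_tag {tag} -> {tag_prefixes(table, tag)}")
        print("drift:", unexpected_prefixes(table, tag, ["33.1.0.0/16"]))
```

Run the script on the saved output of both diagnose commands; an empty membership for a tag the policy references, or a non-empty drift list, is the condition to alert on, since it means the firewall policy now matches a different address set than the one reviewed when the policy was written.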