Add route tag address objects

A route tag (route-tag) firewall address object can include IPv4 or IPv6 addresses associated with a BGP route tag number, and is updated dynamically with BGP routing updates. Because the object tracks the tagged prefixes automatically, the configuration stays current without manual intervention as dynamic routing updates add or withdraw routes. This address object can be used wherever a firewall address can be used, such as in a firewall policy, a router policy, or an SD-WAN service rule.

Note

The Route tag field has been removed from the Priority Rule configuration page (Network > SD-WAN > SD-WAN Rules). The route-tag option has been removed from the config service settings under config system sdwan.

To configure and apply a route tag address object in the GUI:
  1. Configure the route tag address object:

    1. Go to Policy & Objects > Addresses and click Create New > Address.

    2. Enter a Name, such as vd2_upg_sdwan_route_tag_44.

    3. Set the Type to Route tag.

    4. Enter the Route tag number, such as 44.

    5. Click OK.

  2. Add the address to a firewall policy:

    1. Go to Policy & Objects > Firewall Policy.

    2. Edit an existing policy or create a new one.

    3. Set the Destination to vd2_upg_sdwan_route_tag_44.

    4. Configure the other settings as needed.

    5. Click OK.

  3. Add the address to an SD-WAN service rule:

    1. Go to Network > SD-WAN and select the SD-WAN Rules tab.

    2. Edit an existing rule or create a new one.

    3. In the Destination section, set the Address to vd2_upg_sdwan_route_tag_44.

    4. Configure the other settings as needed.

    5. Click OK.

To configure and apply a route tag address object in the CLI:
  1. Configure the route tag address object:

    config firewall address
        edit "vd2_upg_sdwan_route_tag_44"
            set type route-tag
            set route-tag 44
        next
    end
  2. Add the address to a firewall policy:

    config firewall policy
        edit 3
            set srcintf "any"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "vd2_upg_sdwan_route_tag_44"
            set schedule "always"
            set service "ALL"
        next
    end
  3. Add the address to an SD-WAN service rule:

    config system sdwan
        config service
            edit 1
                set dst "vd2_upg_sdwan_route_tag_44"
                set priority-members 1
            next
        end
    end
To verify the configuration:
  1. After some traffic passes, verify that the route tag firewall address is associated with policy ID 3:

    # diagnose firewall iprope list | grep -A 15 index=3
    policy index=3 uuid_idx=754 action=accept
    flag (8010008): redir master pol_stats
    flag2 (4000): resolve_sso
    flag3 (100000a0): link-local best-route no-vwp
    schedule(always)
    cos_fwd=255  cos_rev=255
    group=00100004 av=00004e20 au=00000000 split=00000000
    host=5 chk_client_info=0x0 app_list=0 ips_view=0
    misc=0
    zone(1): 0 -> zone(1): 0
    source(1): 0.0.0.0-255.255.255.255, uuid_idx=684,
    service(1):
            [0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
     route_tag(1):  44
  2. Verify the list of firewall route tag addresses:

    # diagnose firewall route_tag list
    list route tag info(vf(vd2)):
    route tag address, route_tag(30) vrf_num(1):
    vrf id(0), num(2): 11.11.11.11-11.11.11.11 100.1.1.0-100.1.1.255
    
    route tag address, route_tag(33) vrf_num(1):
    vrf id(0), num(1): 33.1.1.0-33.1.1.255
    
    route tag address, route_tag(40) vrf_num(1):
    vrf id(0), num(2): 11.11.11.11-11.11.11.11 100.1.1.0-100.1.1.255
    
    route tag address, route_tag(44) vrf_num(1):
    vrf id(0), num(1): 33.1.1.0-33.1.1.255
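Because the prefixes behind a route tag address change with BGP, it is worth checking what a policy that references one actually matches at a given moment. The following Python helper is an added example, not Fortinet documentation or FortiOS code: it parses the diagnose firewall route_tag list output into per-tag address ranges, collapses them to CIDR networks, and tests whether a given IP currently falls inside a tag. The sample output embedded in it is constructed in the shape shown above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the "diagnose firewall route_tag list" output above.
SAMPLE_OUTPUT = """\
list route tag info(vf(vd2)):
route tag address, route_tag(30) vrf_num(1):
vrf id(0), num(2): 11.11.11.11-11.11.11.11 100.1.1.0-100.1.1.255

route tag address, route_tag(44) vrf_num(1):
vrf id(0), num(1): 33.1.1.0-33.1.1.255
"""
TAG_RE = re.compile(r"route tag address, route_tag\((\d+)\)")
VRF_RE = re.compile(r"vrf id\((\d+)\), num\((\d+)\):(.*)")
RANGE_RE = re.compile(r"([^\s-]+)-([^\s-]+)")

def parse_route_tag_list(text):
    """Return {tag: [(vrf_id, first_ip, last_ip), ...]} from the diagnose output."""
    tags = defaultdict(list)
    tag = None
    for line in text.splitlines():
        m = TAG_RE.search(line)
        if m:
            tag = int(m.group(1))
            continue
        m = VRF_RE.search(line)
        if m and tag is not None:
            vrf_id, count, rest = int(m.group(1)), int(m.group(2)), m.group(3)
            ranges = RANGE_RE.findall(rest)
            if len(ranges) != count:  # num(N) must agree with the ranges printed
                raise ValueError(f"tag {tag}: expected {count} ranges, got {len(ranges)}")
            for first, last in ranges:
                tags[tag].append((vrf_id, ipaddress.ip_address(first),
                                  ipaddress.ip_address(last)))
    return dict(tags)

def tag_networks(tags, tag):
    """Collapse a tag's ranges into CIDR networks: the policy's effective scope."""
    nets = []
    for _, first, last in tags.get(tag, []):
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def tag_matches(tags, tag, ip):
    """True if ip currently falls inside any prefix learned for the tag."""
    addr = ipaddress.ip_address(ip)
    return any(first <= addr <= last for _, first, last in tags.get(tag, [])
               if first.version == addr.version)  # never compare v4 with v6
```

Run it against the saved output of the diagnose command on a schedule and compare tag_networks() for the tags your policies reference against the prefixes you expect BGP to tag.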