Dynamic policy — fabric devices
The dynamic address group represents the configured IP addresses of all Fortinet devices connected to the Security Fabric. It currently includes FortiManager, FortiAnalyzer, FortiClient EMS, FortiMail, FortiAP(s), and FortiSwitch(es). Like other dynamic address groups for fabric connectors, it can be used in IPv4 policies and objects.
The list of firewall addresses includes a default address object called FABRIC_DEVICE. You can apply the FABRIC_DEVICE object to the following types of policies:
- IPv4 firewall policy (including virtual wire pairs)
- IPv4 shaping policy
- IPv4 ACL policy
- policy64 and policy46 (IPv4 only)
- Consolidated policy (IPv4 only)
You cannot apply the FABRIC_DEVICE object to the following types of policies:
- All IPv6 policies
- IPv4 explicit proxy policy
You also cannot use the FABRIC_DEVICE object with the following settings:
- Custom extension on internet-service
- Exclusion of addrgrp
Initially the FABRIC_DEVICE object does not have an address value. The address value is populated dynamically as the devices connected to the Security Fabric change. As a result, you cannot edit the FABRIC_DEVICE object, add any addresses to the object, or remove any addresses from the object. The Edit Address pane in the GUI only has a Return button because the object is read-only.
The FABRIC_DEVICE object address values are populated based on:
- FortiAnalyzer IP (from the Fabric Settings pane)
- FortiManager IP (from the Fabric Settings pane)
- FortiMail IP (from the Fabric Settings pane)
- FortiClient EMS IP (from the Fabric Settings pane)
- FortiAP IPs (from the FortiAP Setup pane or DHCP)
- FortiSwitch IPs (from the FortiSwitch Setup page or DHCP)
To apply the FABRIC_DEVICE object to an IPv4 policy using the GUI:
- Go to Policy & Objects > IPv4 Policy.
- Create a new policy or edit an existing policy.
- For the Destination field, select FABRIC_DEVICE from the list of address entries.
- Configure the rest of the policy as needed.
- Click OK.
To apply the FABRIC_DEVICE object to an IPv4 policy using the CLI:
(root) # show fu firewall address FABRIC_DEVICE
config firewall address
    edit "FABRIC_DEVICE"
        set type ipmask
        set comment "IPv4 addresses of Fabric Devices."
        set visibility enable
        set associated-interface ''
        set color 0
        set allow-routing disable
        set subnet 0.0.0.0 0.0.0.0
    next
end
(root) # show firewall policy
config firewall policy
    edit 1
        set uuid cbe9e74c-37c6-51e9-9cf1-9510b503f2bf
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "FABRIC_DEVICE"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set nat enable
    next
end
Diagnose command
You can use the diagnose command to list which IP addresses are included in the FABRIC_DEVICE object. This is currently the only method to list the contents of the FABRIC_DEVICE object.
To run the diagnose command using the CLI:
(root) # diagnose firewall iprope list 100004
policy index=1 uuid_idx=25 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 10 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=3,
dest(5): 172.18.64.48-172.18.64.48, uuid_idx=1, 172.18.60.25-172.18.60.25, uuid_idx=1, 172.18.52.154-172.18.52.154, uuid_idx=1, 172.18.28.31-172.18.28.31, uuid_idx=1, 172.18.62.6-172.18.62.6, uuid_idx=1,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
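Because the diagnose output above is the only way to see what FABRIC_DEVICE currently resolves to, an operator who wants to confirm that the group matches the devices listed in the Fabric Settings and FortiAP/FortiSwitch setup panes has to parse that output. The following Python script is an added example and is not part of this Fortinet documentation page or of FortiOS: it parses the `source(N)` and `dest(N)` lines of `diagnose firewall iprope list` output for each policy index, checks that the number of parsed entries matches the declared count (so a truncated capture is noticed), and compares the single-host destination entries against an expected inventory. The sample output is the one shown above; the expected inventory set is constructed for illustration and deliberately leaves one address out so the comparison reports it.

```python
import re

# Constructed sample: the `diagnose firewall iprope list 100004` output shown
# on this page for policy index 1, whose dest(5) entries are the current
# members of the FABRIC_DEVICE group.
SAMPLE_DIAGNOSE_OUTPUT = """\
policy index=1 uuid_idx=25 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 10 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=3,
dest(5): 172.18.64.48-172.18.64.48, uuid_idx=1, 172.18.60.25-172.18.60.25, uuid_idx=1, 172.18.52.154-172.18.52.154, uuid_idx=1, 172.18.28.31-172.18.28.31, uuid_idx=1, 172.18.62.6-172.18.62.6, uuid_idx=1,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
"""

# Constructed inventory (hypothetical): the addresses an operator expects from
# the Fabric Settings pane and the FortiAP/FortiSwitch setup pages. It omits
# 172.18.62.6 on purpose so the comparison below has something to report.
EXPECTED_FABRIC_IPS = {
    "172.18.64.48",
    "172.18.60.25",
    "172.18.52.154",
    "172.18.28.31",
}

POLICY_RE = re.compile(r"^policy index=(\d+)")
ADDR_LINE_RE = re.compile(r"^(source|dest)\((\d+)\):")
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def parse_iprope(text):
    """Parse iprope list output into
    {policy_index: {"source": [(lo, hi), ...], "dest": [...],
                    "declared": {"source": n, "dest": n}}}.
    Each address entry is a (low, high) tuple of dotted-quad strings."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {"source": [], "dest": [], "declared": {}}
            policies[int(m.group(1))] = current
            continue
        if current is None:
            continue  # header noise before the first policy block
        m = ADDR_LINE_RE.match(line)
        if m:
            key, declared = m.group(1), int(m.group(2))
            current["declared"][key] = declared
            current[key].extend(RANGE_RE.findall(line))
    return policies


def dest_hosts(policies, index):
    """Single-host destination entries (low == high) of one policy, as a set.
    Entries that span a real range are left out so the caller can inspect
    them separately; the sample on this page contains only single hosts."""
    return {lo for lo, hi in policies[index]["dest"] if lo == hi}


def dest_is_complete(policies, index):
    """True when the number of parsed dest entries equals the dest(N) count,
    i.e. the captured output was not truncated mid-line."""
    entry = policies[index]
    return entry["declared"].get("dest") == len(entry["dest"])


def compare_members(actual, expected):
    """Return (unexpected, missing): members the firewall lists that are not
    in the inventory, and inventory entries the firewall does not list."""
    return sorted(actual - expected), sorted(expected - actual)


if __name__ == "__main__":
    policies = parse_iprope(SAMPLE_DIAGNOSE_OUTPUT)
    members = dest_hosts(policies, 1)
    print("capture complete:", dest_is_complete(policies, 1))
    unexpected, missing = compare_members(members, EXPECTED_FABRIC_IPS)
    print("unexpected members:", unexpected)
    print("missing from firewall:", missing)
```

Run it against a saved copy of the diagnose output for the policy that references FABRIC_DEVICE; an address in `unexpected` is one the Security Fabric has added that the inventory does not know about, and an address in `missing` is a device the fabric no longer reports. Comparing the two lists on a schedule gives a simple drift check for a read-only object that cannot be inspected any other way.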