
Administration Guide

Dynamic policy — Fabric devices

The dynamic address group represents the configured IP addresses of all Fortinet devices connected to the Security Fabric. It currently includes FortiManager, FortiAnalyzer, FortiClient EMS, FortiMail, FortiAP(s), and FortiSwitch(es). Like other dynamic address groups for fabric connectors, it can be used as an IPv4 address in firewall policies and objects.

The list of firewall addresses includes a default address object called FABRIC_DEVICE. You can apply the FABRIC_DEVICE object to the following types of policies:

  • Firewall policy, including virtual wire pairs, NAT 46, and NAT 64 (IPv4 only)

  • IPv4 shaping policy

  • IPv4 ACL policy

  • Security policy (NGFW mode)

You cannot apply the FABRIC_DEVICE object to the following types of policies:

  • IPv4 explicit proxy policy

You also cannot use the FABRIC_DEVICE object with the following settings:

  • Custom extension on internet-service

  • Exclusion of addrgrp

Initially the FABRIC_DEVICE object does not have an address value. The address value is populated dynamically as Fabric devices are added, removed, or change their IP address. As a result, you cannot edit the FABRIC_DEVICE object, add any addresses to the object, or remove any addresses from the object. The Edit Address pane in the GUI only has a Return button because the object is read-only.

The FABRIC_DEVICE object address values are populated based on:

  • FortiAnalyzer IP (from the Fabric Settings pane)

  • FortiManager IP (from the Fabric Settings pane)

  • FortiMail IP (from the Fabric Settings pane)

  • FortiClient EMS IP (from the Fabric Settings pane)

  • FortiAP IPs (from the FortiAP Setup pane or DHCP)

  • FortiSwitch IPs (from the FortiSwitch Setup page or DHCP)

To apply the FABRIC_DEVICE object to a firewall policy using the GUI:
  1. Go to Policy & Objects > Firewall Policy.

  2. Create a new policy or edit an existing policy.

  3. For the Destination field, select FABRIC_DEVICE from the list of address entries.

  4. Configure the rest of the policy as needed.

  5. Click OK.

To apply the FABRIC_DEVICE object to a firewall policy using the CLI:
config firewall address
    edit "FABRIC_DEVICE"
        set type ipmask
        set comment "IPv4 addresses of Fabric Devices."
        set visibility enable
        set associated-interface ''
        set color 0
        set allow-routing disable
        set subnet 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "FABRIC_DEVICE"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
        set nat enable
    next
end
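The restrictions listed above (no FABRIC_DEVICE in explicit proxy policies, no FABRIC_DEVICE as an addrgrp exclusion) are easy to violate when a configuration is assembled outside the GUI. The following script is an added example, not code from Fortinet or this guide: it parses FortiOS-style CLI text (config / edit / set / next / end) into entries and reports where FABRIC_DEVICE is referenced in an unsupported place. The sample configuration is constructed for the example; the policy entry is taken from this page, while the `firewall addrgrp` entry with `exclude-member` and the `firewall proxy-policy` entry are assumed table and key names used to illustrate the two unsupported cases.

```python
import shlex

# Constructed sample configuration for the lint below. The "firewall policy"
# entry mirrors the one on this page; the addrgrp exclusion and the
# proxy-policy entry are assumed CLI table/key names used to show the two
# unsupported uses of FABRIC_DEVICE that this page calls out.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "FABRIC_DEVICE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config firewall addrgrp
    edit "mgmt-except-fabric"
        set member "all"
        set exclude enable
        set exclude-member "FABRIC_DEVICE"
    next
end
config firewall proxy-policy
    edit 2
        set proxy explicit-web
        set srcaddr "all"
        set dstaddr "FABRIC_DEVICE"
        set action accept
    next
end
"""

FABRIC_DEVICE = "FABRIC_DEVICE"


def parse_fortios_config(text):
    """Parse config/edit/set/next/end text into a flat list of entries.

    Each entry is {"table": "<config path>", "name": "<edit name>",
    "set": {key: [values]}}. Nested config blocks inside an edit are
    supported; their table path is joined with " / ".
    """
    entries = []
    path = []        # names of the enclosing "config ..." tables
    open_edits = []  # entries currently being filled, innermost last
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())  # shlex strips the CLI's quoting
        if not tok:
            continue
        keyword = tok[0]
        if keyword == "config":
            path.append(" ".join(tok[1:]))
        elif keyword == "edit":
            open_edits.append({"table": " / ".join(path),
                               "name": " ".join(tok[1:]), "set": {}})
        elif keyword == "set" and open_edits and len(tok) >= 2:
            open_edits[-1]["set"].setdefault(tok[1], []).extend(tok[2:])
        elif keyword == "next" and open_edits:
            entries.append(open_edits.pop())
        elif keyword == "end" and path:
            path.pop()
    return entries


def fabric_device_references(entries):
    """Return (table, entry name, key) for every set line naming FABRIC_DEVICE."""
    refs = []
    for entry in entries:
        for key, values in entry["set"].items():
            if FABRIC_DEVICE in values:
                refs.append((entry["table"], entry["name"], key))
    return refs


def lint_fabric_device_usage(entries):
    """Flag the two uses this page lists as unsupported.

    "firewall proxy-policy" and "exclude-member" are assumed CLI names; the
    internet-service custom extension case is not checked here.
    """
    findings = []
    for table, name, key in fabric_device_references(entries):
        if table == "firewall proxy-policy":
            findings.append(f"{table} {name}: '{key}' references {FABRIC_DEVICE}, "
                            "which is not supported in explicit proxy policies")
        elif table == "firewall addrgrp" and key == "exclude-member":
            findings.append(f"{table} {name}: {FABRIC_DEVICE} used as an addrgrp "
                            "exclusion, which is not supported")
    return findings


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for line in lint_fabric_device_usage(parsed):
        print(line)
```

Run against a configuration backup, the script lists every entry that references FABRIC_DEVICE and flags the two unsupported placements; the remaining references (firewall, shaping, ACL and NGFW security policies) are the supported ones from the list above.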

Diagnose commands

You can run diagnose commands to list IP addresses of Fortinet devices that are configured in the Security Fabric or used in a security policy.

To view the IP addresses of Fabric devices:
(root) # diagnose firewall sf-addresses list
 
FabricDevices: 172.18.64.48
FortiAnalyzer: 172.18.60.25
FortiSandbox: 172.18.52.154
FortiManager: 172.18.28.31
FortiClientEMS: 172.18.62.6
FortiAP:
FortiSwitch:
FortiAP/SW-DHCP:

To view which IP addresses are used in a security policy:
(root) # diagnose ips pme fabric-address list
VDOM 0:
- builtin [mask=0x1e]:
  - type=4: 172.18.62.213
  - type=4: 172.18.62.219
  - type=2: 172.18.70.82
- query:
  - 168.254.1.2
  - 0.0.0.0
  - 168.254.1.2
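When checking many FortiGates, it helps to turn the two diagnose outputs above into structured data so that empty categories (for example FortiAP or FortiSwitch slots that never populated) stand out. The following parser is an added example, not code from Fortinet or this guide; the sample texts are the outputs shown on this page, embedded as constructed input, and the field meanings (the type numbers in the builtin list, the query list) are taken only as far as the layout shows them.

```python
import ipaddress
import re

# Constructed sample: the "diagnose firewall sf-addresses list" output from this page.
SF_ADDRESSES_OUTPUT = """\
FabricDevices: 172.18.64.48
FortiAnalyzer: 172.18.60.25
FortiSandbox: 172.18.52.154
FortiManager: 172.18.28.31
FortiClientEMS: 172.18.62.6
FortiAP:
FortiSwitch:
FortiAP/SW-DHCP:
"""

# Constructed sample: the "diagnose ips pme fabric-address list" output from this page.
PME_OUTPUT = """\
VDOM 0:
- builtin [mask=0x1e]:
  - type=4: 172.18.62.213
  - type=4: 172.18.62.219
  - type=2: 172.18.70.82
- query:
  - 168.254.1.2
  - 0.0.0.0
  - 168.254.1.2
"""


def parse_sf_addresses(text):
    """Map each device category to the IPv4 addresses listed after its colon.

    Categories with nothing after the colon map to an empty list; tokens
    that are not valid IPv4 literals are ignored.
    """
    result = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, rest = line.partition(":")
        label = label.strip()
        if not label:
            continue
        ips = []
        for tok in rest.split():
            try:
                ips.append(str(ipaddress.IPv4Address(tok)))
            except ipaddress.AddressValueError:
                continue
        result[label] = ips
    return result


def empty_categories(parsed):
    """Return the categories that currently carry no address, sorted by name."""
    return sorted(label for label, ips in parsed.items() if not ips)


def parse_pme_fabric_addresses(text):
    """Parse the per-VDOM builtin and query lists.

    Returns {vdom_number: {"builtin": [(type, ip), ...], "query": [ip, ...]}}.
    """
    result = {}
    vdom = section = None
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"VDOM (\d+):", stripped)
        if m:
            vdom = int(m.group(1))
            result[vdom] = {"builtin": [], "query": []}
            continue
        if vdom is None:
            continue
        if stripped.startswith("- builtin"):
            section = "builtin"
            continue
        if stripped.startswith("- query"):
            section = "query"
            continue
        if section == "builtin":
            m = re.match(r"- type=(\d+): (\S+)", stripped)
            if m:
                result[vdom]["builtin"].append((int(m.group(1)), m.group(2)))
        elif section == "query":
            m = re.match(r"- (\S+)", stripped)
            if m:
                result[vdom]["query"].append(m.group(1))
    return result


if __name__ == "__main__":
    sf = parse_sf_addresses(SF_ADDRESSES_OUTPUT)
    print("populated:", {k: v for k, v in sf.items() if v})
    print("empty:", empty_categories(SF_ADDRESSES_OUTPUT and sf))
    print("pme:", parse_pme_fabric_addresses(PME_OUTPUT))
```

Feeding the real command output into these functions gives a per-device inventory that can be diffed between runs, so a Fabric device that silently drops out of FABRIC_DEVICE (and therefore out of every policy that references it) is noticed rather than discovered when traffic stops matching.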
