
Administration Guide

Map a dynamic ADOM object


The devices and VDOMs to which a global object is mapped can also be viewed from the object list. You can add an object to groups and enable dynamic mapping. These options are not available for all objects.

When the Dynamic Mapping option is available, select Create New to configure the dynamic mapping.

To configure a dynamic mapping via a CLI script, the configuration for the mapping must be defined in the dynamic object under the config dynamic_mapping sub-tree. The CLI script must be run on a policy package instead of the device database. For information on running CLI scripts, see Scripts.

Note: Default mapping is only used when there is no per-device mapping for a particular device. You must have either a per-device mapping or a default mapping in a policy package. Otherwise, the policy package installation will fail.

When you import a policy package, a per-device mapping is usually added when the object is already used by a FortiGate.

Examples:

Example 1: Dynamic VIP

    config firewall vip
        edit "vip1"
            config dynamic_mapping
                edit "FW60CA3911000089"-"root"
                    set extintf "any"
                    set extip 172.18.26.100
                    set mappedip 192.168.3.100
                    set arp-reply disable
                next
            end
    end

Example 2: Dynamic Address

    config firewall address
        edit "address1"
            config dynamic_mapping
                edit "FW60CA3911000089"-"root"
                    set subnet 192.168.4.0 255.255.255.0
                next
            end
    end

Example 3: Dynamic Interface

    config dynamic interface
        config dynamic_mapping
            edit "FW60CA3911000089"-"root"
                set local-intf internal
                set intrazone-deny disable
            next
        end
    end
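The following Python sketch is an added example, not part of the Fortinet guide. It parses a CLI script in the format of the examples above and lists, for a set of install targets, the objects that have no per-device mapping, so that missing mappings can be caught before a policy package installation fails. The device name FGT-EXAMPLE-0001 used in testing and the has_default argument (objects the caller already knows have a default mapping, since the page does not show how a default mapping appears in a script) are assumptions.

```python
import re
# Constructed sample in the page's CLI-script format (trimmed Examples 1 and 2).
SAMPLE_SCRIPT = """
config firewall vip
edit "vip1"
config dynamic_mapping
edit "FW60CA3911000089"-"root"
set extip 172.18.26.100
next
end
end
config firewall address
edit "address1"
config dynamic_mapping
edit "FW60CA3911000089"-"root"
set subnet 192.168.4.0 255.255.255.0
next
end
end
"""
MAPPING_KEY = re.compile(r'^edit\s+"([^"]+)"-"([^"]+)"$')  # "<device>"-"<vdom>"
OBJECT_KEY = re.compile(r'^edit\s+"([^"]+)"$')              # "<object name>"

def parse_mappings(script):
    """Return {(table, object): {(device, vdom): {setting: value}}}."""
    result, stack, obj, target = {}, [], None, None
    for line in map(str.strip, script.splitlines()):
        in_map = bool(stack) and stack[-1] == "dynamic_mapping"
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":    # closes the innermost config block
            stack = stack[:-1]
            obj, target = (obj if stack else None), None
        elif line == "next":   # closes the current edit entry
            obj, target = (obj if in_map else None), None
        elif in_map and (m := MAPPING_KEY.match(line)):
            target = m.groups()
            result.setdefault((stack[0], obj), {})[target] = {}
        elif not in_map and (m := OBJECT_KEY.match(line)):
            obj = m.group(1)
        elif in_map and target and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            result[(stack[0], obj)][target][key] = value.strip('"')
    return result

def unmapped(mappings, install_targets, has_default=()):
    """Pairs lacking a per-device mapping; has_default is caller-supplied (assumption)."""
    return [(obj, t) for obj, per_dev in mappings.items() if obj not in has_default
            for t in install_targets if t not in per_dev]
```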
