Technical Tip: Unable to add a route-tag address object as the source in the firewall policy
| Description | This article explains the default behavior of the route tag address object. |
| Scope | FortiGate v7.4.0+ |
Solution

Route tag address objects were introduced in FortiOS v7.4.0 (see Route Tag Address Objects).

By design, a route-tag address object can only be used as the destination in a firewall policy. It cannot be selected as the source.

For example, a route-tag address object created from the CLI:

    config firewall address
        edit "route-tag-11"
            set uuid 70d9fdb6-c734-51ef-0ac6-2e497dfe8a4e
            set type route-tag
            set route-tag 11
            set comment ''
            set associated-interface ''
            set color 0
            set fabric-object disable
        next
    end

The route-tag object above cannot be set as a source address, but it can be selected as a destination address in the firewall policy.

The route-tag address object is offered in the Destination field of the firewall policy, as shown in the image below:

From the CLI, an existing policy looks like this:

    config firewall policy
        edit 1
            set uuid 0af996d6-c6ef-51ef-ed94-88f2e8ba8c06
            set srcintf "internal"
            set dstintf "wan1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set nat enable
        next
    end

Attempting to set the route-tag object as the source address is rejected, while setting it as the destination address is accepted:

    FortiGate-60F (1) # set srcaddr route-tag-11
    entry not found in datasource
    value parse error before 'route-tag-11'
    Command fail. Return code -3

    FortiGate-60F (1) # set dstaddr route-tag-11
    FortiGate-60F (1) # end

This is expected behavior.
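Because the CLI only reports this at commit time ("entry not found in datasource"), configuration generated by automation can fail late in a change window. The following added example (not Fortinet's code or part of this article) is a small pre-push linter: it parses flat `config firewall address` and `config firewall policy` blocks from a FortiOS-style config text and flags any policy whose `srcaddr` references an address object of `type route-tag`. The `SAMPLE_CONFIG`, the `lan-net` object and policy `2` are constructed for the example and modelled on the CLI shown above.

```python
"""Pre-push check for FortiOS config snippets (added example, not Fortinet's code).

Flags firewall policies that reference a route-tag address object in
'srcaddr', which FortiOS v7.4 rejects at commit time. Only the flat
'config X / edit Y / set K V ... / next / end' shape is parsed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample config (hypothetical), modelled on the article's CLI output.
SAMPLE_CONFIG = """
config firewall address
    edit "route-tag-11"
        set type route-tag
        set route-tag 11
    next
    edit "lan-net"
        set subnet 192.0.2.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lan-net"
        set dstaddr "route-tag-11"
        set action accept
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "route-tag-11"
        set dstaddr "all"
        set action accept
    next
end
"""

Blocks = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_blocks(text: str) -> Blocks:
    """Return {config_path: {entry_id: {setting: [values]}}}."""
    blocks: Blocks = {}
    path = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path = line[len("config "):]
            blocks.setdefault(path, {})
        elif line.startswith("edit ") and path is not None:
            entry = line[len("edit "):].strip('"')
            blocks[path][entry] = {}
        elif line.startswith("set ") and path is not None and entry is not None:
            key, _, rest = line[len("set "):].partition(" ")
            # Values may be quoted and space-separated, e.g. set srcaddr "a" "b".
            values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)]
            blocks[path][entry][key] = values
        elif line == "next":
            entry = None
        elif line == "end":
            path = entry = None
    return blocks


def route_tag_objects(blocks: Blocks) -> Set[str]:
    """Names of address objects declared with 'set type route-tag'."""
    addrs = blocks.get("firewall address", {})
    return {name for name, s in addrs.items() if s.get("type") == ["route-tag"]}


def find_bad_policies(text: str) -> List[Tuple[str, str]]:
    """(policy_id, object_name) pairs where a route-tag object is used as srcaddr."""
    blocks = parse_blocks(text)
    route_tags = route_tag_objects(blocks)
    bad = []
    for pid, settings in blocks.get("firewall policy", {}).items():
        for name in settings.get("srcaddr", []):
            if name in route_tags:
                bad.append((pid, name))
    return bad


if __name__ == "__main__":
    for pid, name in find_bad_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: route-tag object '{name}' cannot be a source address")
```

Run against a generated config before pushing it; policy 1 (route-tag object as destination) passes, policy 2 (route-tag object as source) is reported so it can be corrected before the FortiGate rejects the commit.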
Related articles: