Use Case

A company has four data centers across the US, in the regions EAST, EAST2, WEST, and WEST2. Each region has its own IP addresses for its Active Directory (AD) servers, and some regions have more servers than others.

Raw object list:

| Region | AD Server | IP Address |
|---|---|---|
| EAST | ad.east.main | 172.10.20.10 |
| EAST | ad.east.backup.1 | 172.10.21.10 |
| EAST | ad.east.backup.2 | 172.10.22.10 |
| EAST2 | ad.east2.main | 172.20.20.10 |
| EAST2 | ad.east2.backup.1 | 172.20.21.10 |
| WEST | ad.west.main | 172.30.20.10 |
| WEST | ad.west.backup.2 | 172.30.21.10 |
| WEST2 | ad.west2.main | 172.40.20.10 |
| WEST2 | ad.west2.backup.1 | 172.40.21.10 |
| WEST2 | ad.west2.backup.2 | 172.40.22.10 |

With regular firewall policies, this setup requires four separate address groups, each with at least two addresses, plus four policy packages or policy blocks (one per region), each pointing at the matching regional AD group. The goal of the following solution is to eliminate those duplicated policies, groups, and addresses.

Solution

To reduce the number of objects, the administrator creates four device groups, one per region, and assigns each FortiGate to the group of its region. FortiManager then pushes the values that belong to that region when the configuration is installed.

Device groups: DG_EAST, DG_EAST2, DG_WEST, DG_WEST2.

After creating the groups, create the metadata variables described in the following table. Each variable gets one mapping per device group; the mapping name is the exact device group name, and a FortiGate inherits the value mapped to the group it belongs to.

| Variable Name | Variable Mapping - Name | Variable Mapping - Value |
|---|---|---|
| REGION_SECOND_OCTET | DG_EAST | 10 |
| | DG_EAST2 | 20 |
| | DG_WEST | 30 |
| | DG_WEST2 | 40 |
| AD_GROUP_SERVER | DG_EAST | AD_EAST |
| | DG_EAST2 | AD_EAST2 |
| | DG_WEST | AD_WEST |
| | DG_WEST2 | AD_WEST2 |

The following image shows how the REGION_SECOND_OCTET variable should look in FortiManager.

The AD_GROUP_SERVER variable should look like the following image.

Configuring address objects
The next step is to configure the address objects. Because every region follows the same addressing pattern (172.<second octet>.2x.10), the configuration needs only 3 address objects and 5 address groups, as shown in the images below.

Address objects: ad.main, ad.backup.1 and ad.backup.2. Each one carries the variable reference $(REGION_SECOND_OCTET) in the second octet of its subnet (for example 172.$(REGION_SECOND_OCTET).20.10/32 for ad.main), so the same three objects resolve to different IP addresses on each region's devices.

Address groups: one group per region (AD_EAST, AD_EAST2, AD_WEST, AD_WEST2), each containing only the address objects that correspond to servers that exist in that region, plus one group, AD_SERVERS, whose member is $(AD_GROUP_SERVER). The values of AD_GROUP_SERVER must match the regional group names exactly, because that variable is how AD_SERVERS selects the right regional group on each device.

Creating the policy

At this point all objects and variables are set. Create a Policy Block to reuse across multiple policy packages, or create the policy directly in the policy package as needed; the policy references AD_SERVERS rather than any regional group. The policy package should look like the image below.

Note: a device that receives this policy must belong to one of the device groups created earlier; otherwise the variables cannot be resolved for that device. At install time, FortiManager translates the group membership and address values through the defined variables and applies the resulting configuration. In the example below the device was added to DG_EAST, and the configuration preview resolves as follows:

```
config firewall address
    edit "ad.backup.1"
        set uuid 373979c4-246c-51f1-a2bd-46c2dbe0c216
        set subnet 172.10.21.10 255.255.255.255
    next
    edit "ad.backup.2"
        set uuid 6de4d6ee-246c-51f1-7929-934d8a15634b
        set subnet 172.10.22.10 255.255.255.255
    next
    edit "ad.main"
        set uuid 6287bde8-246c-51f1-7619-ba74a3b6aa33
        set subnet 172.10.20.10 255.255.255.255
    next
end
config firewall addrgrp
    edit "AD_EAST"
        set uuid a8cb6dd6-246c-51f1-b534-e363ecb147de
        set member "ad.backup.2" "ad.backup.1" "ad.main"
    next
    edit "AD_SERVERS"
        set uuid 82613dfe-246e-51f1-8182-07b94c136ec8
        set member "AD_EAST"
    next
end
```

The preview contains only AD_EAST and its three members: the other regional groups are never installed on an EAST device because nothing in the resolved policy references them.

Versions: FortiManager v7.6.5 (build 3653).
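As an added check (example code written for this article, not Fortinet's or FortiManager's own), the following Python script models the variable substitution described above and verifies that the objects resolved for each device group reproduce the raw object list, which is the test a practitioner wants before trusting the template in production. It assumes FortiManager's $(VARIABLE) reference syntax, the DG_* device groups and AD_* group names used on this page, and that AD_SERVERS has $(AD_GROUP_SERVER) as its only member; the inventory, mappings and templates are constructed inline from the tables above.

```python
import re

# Constructed from the raw object list in the use case (not FortiManager output).
INVENTORY = {
    "EAST":  {"172.10.20.10", "172.10.21.10", "172.10.22.10"},
    "EAST2": {"172.20.20.10", "172.20.21.10"},
    "WEST":  {"172.30.20.10", "172.30.21.10"},
    "WEST2": {"172.40.20.10", "172.40.21.10", "172.40.22.10"},
}

# Metadata variable mappings keyed by device group (assumed DG_* names, per the tables above).
VARIABLE_MAPPINGS = {
    "DG_EAST":  {"REGION_SECOND_OCTET": "10", "AD_GROUP_SERVER": "AD_EAST"},
    "DG_EAST2": {"REGION_SECOND_OCTET": "20", "AD_GROUP_SERVER": "AD_EAST2"},
    "DG_WEST":  {"REGION_SECOND_OCTET": "30", "AD_GROUP_SERVER": "AD_WEST"},
    "DG_WEST2": {"REGION_SECOND_OCTET": "40", "AD_GROUP_SERVER": "AD_WEST2"},
}

# The three shared address objects; the subnet carries a $(...) variable reference.
ADDRESSES = {
    "ad.main":     "172.$(REGION_SECOND_OCTET).20.10 255.255.255.255",
    "ad.backup.1": "172.$(REGION_SECOND_OCTET).21.10 255.255.255.255",
    "ad.backup.2": "172.$(REGION_SECOND_OCTET).22.10 255.255.255.255",
}

# Four regional groups plus AD_SERVERS, which selects one of them through a variable.
ADDRGRPS = {
    "AD_EAST":    ["ad.main", "ad.backup.1", "ad.backup.2"],
    "AD_EAST2":   ["ad.main", "ad.backup.1"],
    "AD_WEST":    ["ad.main", "ad.backup.1"],
    "AD_WEST2":   ["ad.main", "ad.backup.1", "ad.backup.2"],
    "AD_SERVERS": ["$(AD_GROUP_SERVER)"],
}

VAR_RE = re.compile(r"\$\((\w+)\)")


def expand(text, mapping):
    """Replace every $(NAME) in text with its mapped value; an unmapped name is an error."""
    def sub(match):
        name = match.group(1)
        if name not in mapping:
            raise KeyError(f"variable {name} has no mapping for this device group")
        return mapping[name]
    return VAR_RE.sub(sub, text)


def resolve_members(group, mapping, addrgrps=ADDRGRPS, seen=()):
    """Flatten a group (following variable-selected nested groups) into address object names."""
    if group in seen:
        raise ValueError(f"group loop through {group}")
    names = set()
    for member in addrgrps[group]:
        member = expand(member, mapping)
        if member in addrgrps:
            names |= resolve_members(member, mapping, addrgrps, seen + (group,))
        elif member in ADDRESSES:
            names.add(member)
        else:
            raise KeyError(f"{member!r} is neither an address nor an address group")
    return names


def render(device_group, addrgrps=ADDRGRPS):
    """Return {address name: resolved subnet} for what AD_SERVERS pulls in on this device group."""
    mapping = VARIABLE_MAPPINGS[device_group]
    names = resolve_members("AD_SERVERS", mapping, addrgrps)
    return {name: expand(ADDRESSES[name], mapping) for name in sorted(names)}


def render_fortios(device_group, addrgrps=ADDRGRPS):
    """Emit the resolved objects as a FortiOS 'config firewall address' block (uuids omitted)."""
    lines = ["config firewall address"]
    for name, subnet in render(device_group, addrgrps).items():
        lines += [f'    edit "{name}"', f"        set subnet {subnet}", "    next"]
    lines.append("end")
    return "\n".join(lines)


def check(device_group, region, addrgrps=ADDRGRPS):
    """Compare resolved IPs with the inventory; return (missing_from_config, not_in_inventory)."""
    resolved = {subnet.split()[0] for subnet in render(device_group, addrgrps).values()}
    expected = INVENTORY[region]
    return sorted(expected - resolved), sorted(resolved - expected)


def check_all(addrgrps=ADDRGRPS):
    """Run the check for every device group; all-empty results mean the template is faithful."""
    return {dg: check(dg, dg[len("DG_"):], addrgrps) for dg in VARIABLE_MAPPINGS}


if __name__ == "__main__":
    print(render_fortios("DG_EAST"))
    print(check_all())
    # Failure mode: a regional group that lists a server the region does not actually have.
    wrong = dict(ADDRGRPS, AD_WEST=["ad.main", "ad.backup.1", "ad.backup.2"])
    print(check("DG_WEST", "WEST", wrong))
```

The last call demonstrates the mistake the regional groups are there to prevent: if AD_WEST also listed ad.backup.2, the template would still install cleanly, but the device would carry a rule for 172.30.22.10, an address that belongs to no WEST server. The check reports it as an address not in the inventory, which is the kind of silent over-permission a per-region review of the install preview should catch.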