FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 276412

This article describes information on support for dynamic addresses to security-policy in NGFW Policy mode.

Scope FortiGate.

Starting FortiOS version 7.4.1, in FortiGate deployed in NGFW Policy mode, it is possible to use dynamic IP addresses as matching criteria in the security policies.


For example, if using the Cisco ACI external connector to fetch the tags, these tags can be called in firewall addresses (type dynamic) which would then resolve it to IP addresses.


config system sdn-connector
    edit "test-ACI"
        set type aci-direct
        set verify-certificate disable
        set server-list ""
        set username "fortinet"
        set password ENC -1v18us5MtDKnj4YO4rMjPb2rE3YToAHTfuxnuMq+gcKgD3yGc


    edit "Address_Object"
        set uuid 42ee9172-52b5-51ee-74b9-003ae6260f4c
        set type dynamic
        set sdn "test-ACI"
        set color 17
        set filter "Epg=DC-55"
            config list
                edit ""
                    set obj-id "n/a"
                    set net-id "n/a"

Then it will be possible to call this dynamic address object in the security policy:


    edit 2 
        set uuid 9208b08a-520b-51ee-a325-30d557408241
        set name "AD_Access"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Address_Object"
        set dstaddr "test_Subnet"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all


Basic troubleshooting steps:


  1. It is possible to verify if the address object is able to fetch the IP address by hovering over the address object's resolved IP address.

  2. Use the 'diag ips pme dynamic-address list' command to show the addresses that are used in the policy.

  3. Collect debug flow, and IP debug as follows:


dia debug reset
diagnose debug flow filter addr <relevant-ip>
dia ips filter set "host <relevant-ip>
dia ips debug enable all
dia ips pme debug verbose
diagnose debug flow trace start 999

diag ips pme debug en
diag debug enable


Initiate the traffic:

diag debug disable