|
Starting FortiOS version 7.4.1, in FortiGate deployed in NGFW Policy mode, it is possible to use dynamic IP addresses as matching criteria in the security policies.
For example, if using the Cisco ACI external connector to fetch the tags, these tags can be called in firewall addresses (type dynamic) which would then resolve it to IP addresses.
config system sdn-connector
edit "test-ACI"
set type aci-direct
set verify-certificate disable
set server-list "10.1.1.1"
set username "fortinet"
set password ENC -1v18us5MtDKnj4YO4rMjPb2rE3YToAHTfuxnuMq+gcKgD3yGc
next
end
edit "Address_Object"
set uuid 42ee9172-52b5-51ee-74b9-003ae6260f4c
set type dynamic
set sdn "test-ACI"
set color 17
set filter "Epg=DC-55"
config list
edit "192.168.55.21"
set obj-id "n/a"
set net-id "n/a"
next
end
Then it will be possible to call this dynamic address object in the security policy:
edit 2
set uuid 9208b08a-520b-51ee-a325-30d557408241
set name "AD_Access"
set srcintf "port1"
set dstintf "port2"
set srcaddr "Address_Object"
set dstaddr "test_Subnet"
set enforce-default-app-port disable
set service "ALL"
set action accept
set schedule "always"
set logtraffic all
next
Basic troubleshooting steps:
- It is possible to verify if the address object is able to fetch the IP address by hovering over the address object's resolved IP address.
- Use the 'diag ips pme dynamic-address list' command to show the addresses that are used in the policy.
- Collect debug flow, and IP debug as follows:
dia debug reset
diagnose debug flow filter addr <relevant-ip>
dia ips filter set "host <relevant-ip>
dia ips debug enable all
dia ips pme debug verbose
diagnose debug flow trace start 999
diag ips pme debug en
diag debug enable
Initiate the traffic:
diag debug disable
|
