Hi all. So my org has a 300E on which I'm trying to configure a policy for custom devices. But it isn't working at all. Considering I did the exact same config on a two 80E's this was supposed to be straightforward. But every time I add a custom device / group to the source, the policy doesn't match and moves on to the next. Was on firmware 6.0.6 and tried downgrading to 6.0.4 to troubleshoot. Any suggestions? Thanks.
San any identifiable IP info, can you post your list of firewall polices with the one in question? Thing about firewall rules and device groups is you need to define both the source IP or subnet and device (group).
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Thanks for the response Dave. Seems I can't hotlink images from my google drive so'll I just share the link/album
So I'm sure I don't need to explain the pics to you lol but just so you can better understand. We're migrating from an old Juniper firewall to the 300E. While on the Juniper we managed access to the internet/sites by issuing static ips to the workstations. It was the plan to do away with the static ips once we moved to the 300E as I previously did successfully using custom device groups on our 80E's.
So to give users internet access during the migration I simply created the "Juniper Level 1" policy in which the source group is a range of ips (labelled "Juniper 93-94") which provided internet access on the juniper. Great all users who had internet before still have internet.
Part two of the plan was, as we remove the static ips's from workstations we would simultaneously create a "custom device" for the workstation and add it to the "custom device group" in this case "level 1" and they would then simply match/comeover to the top policy "level 1".
But every time I had a custom group or device, the policy is simple bypassed. If I remove the custom group/device it matches as you can see by the traffic...
Edit 11/06/2019
So I figured it out. So i'm by no means a fortigate expert so I'm sure most people know this but turns out the problems was the workstations and fortigate need to communicate with each other directly. Our workstations have a static ip/gateway for a old device and we simply created another route from that device to the forigate. But the clients need to have the proper fortigate gateway applied for fortigate to do its stuff. Thanks for the assistance :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.