IPV4 Policy - Custom Device Groups

Author
gigakun
2019/11/04 18:03:43

Hi all. So my org has a 300E on which I'm trying to configure a policy for custom devices. But it isn't working at all. Considering I did the exact same config on two 80E's, this was supposed to be straightforward. But every time I add a custom device / group to the source, the policy doesn't match and moves on to the next. Was on firmware 6.0.6 and tried downgrading to 6.0.4 to troubleshoot. Any suggestions? Thanks.
#1

2 Replies

    Dave Hall
    Expert Member
    Re: IPV4 Policy - Custom Device Groups 2019/11/05 14:59:17
    Sans any identifiable IP info, can you post your list of firewall policies with the one in question? The thing about firewall rules and device groups is you need to define both the source IP or subnet and the device (group).

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C
    #2
    gigakun
    New Member
    Re: IPV4 Policy - Custom Device Groups 2019/11/05 17:26:11
    Thanks for the response Dave. Seems I can't hotlink images from my Google Drive so I'll just share the link/album.
     
    So I'm sure I don't need to explain the pics to you lol but just so you can better understand. We're migrating from an old Juniper firewall to the 300E. While on the Juniper we managed access to the internet/sites by issuing static IPs to the workstations. It was the plan to do away with the static IPs once we moved to the 300E, as I previously did successfully using custom device groups on our 80E's.
     
    So to give users internet access during the migration I simply created the "Juniper Level 1" policy in which the source group is a range of IPs (labelled "Juniper 93-94") which provided internet access on the Juniper. Great, all users who had internet before still have internet.
     
    Part two of the plan was, as we remove the static IPs from workstations, we would simultaneously create a "custom device" for the workstation and add it to the "custom device group" (in this case "level 1") and they would then simply match/come over to the top policy "level 1".
     
    But every time I add a custom group or device, the policy is simply bypassed. If I remove the custom group/device it matches, as you can see by the traffic...
     
    Edit 11/06/2019
     
    So I figured it out. I'm by no means a FortiGate expert so I'm sure most people know this, but turns out the problem was the workstations and FortiGate need to communicate with each other directly. Our workstations have a static IP/gateway for an old device and we simply created another route from that device to the FortiGate. But the clients need to have the proper FortiGate gateway applied for the FortiGate to do its stuff. Thanks for the assistance :)
    post edited by gigakun - 2019/11/06 14:12:22
    #3
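A minimal model of what the thread describes, added here as an example and not code from the forum or from Fortinet: top-down, first-match policy evaluation where a policy carrying a custom device group only matches when the device can be identified from the frame that reaches the firewall. When the workstation still uses the old router as its gateway, the frame arrives with the router's MAC, so the "level 1" device policy is skipped and the IP-only "Juniper Level 1" policy matches instead. All IP ranges, MAC addresses and the device-identification rule are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set

@dataclass
class Policy:
    name: str
    src_subnets: List[IPv4Network]          # source IP must fall in one of these
    device_group: Optional[Set[str]] = None  # MACs in the custom device group; None = any

@dataclass
class Frame:
    src_ip: IPv4Address
    src_mac: str   # source MAC as seen on the FortiGate ingress interface

# Constructed values: custom device group "level 1" holds two workstation MACs,
# "Juniper 93-94" is the legacy IP range that got internet on the old firewall.
LEVEL1_GROUP = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
LAN = [IPv4Network("10.0.0.0/16")]
JUNIPER_93_94 = [IPv4Network("10.0.93.0/24"), IPv4Network("10.0.94.0/24")]
OLD_ROUTER_MAC = "de:ad:be:ef:00:99"

POLICIES = [
    Policy("level 1", LAN, LEVEL1_GROUP),      # device-identity policy on top
    Policy("Juniper Level 1", JUNIPER_93_94),  # IP-only fallback used during migration
]

def identify_device(frame: Frame, known_devices: Set[str]) -> Optional[str]:
    """Device identification keys on the frame's source MAC (assumption for this
    model). A frame relayed by another router carries that router's MAC, so the
    workstation behind it is not identified."""
    return frame.src_mac if frame.src_mac in known_devices else None

def match_policy(policies: List[Policy], frame: Frame) -> Optional[str]:
    """First match wins. A policy with a device group requires an identified
    device that belongs to the group; otherwise evaluation moves on."""
    known = set().union(*(p.device_group for p in policies if p.device_group))
    device = identify_device(frame, known)
    for p in policies:
        if not any(frame.src_ip in net for net in p.src_subnets):
            continue
        if p.device_group is not None and device not in p.device_group:
            continue  # device not identified: the device policy is bypassed
        return p.name
    return None  # implicit deny

def build_frame(src_ip: str, via_old_router: bool) -> Frame:
    """Frame as it reaches the FortiGate: via the old gateway it carries the
    router's MAC; with the FortiGate as gateway it carries the workstation's."""
    mac = OLD_ROUTER_MAC if via_old_router else "aa:bb:cc:00:00:01"
    return Frame(IPv4Address(src_ip), mac)
```

Switching the workstation's gateway to the FortiGate is what makes the same source IP land on "level 1" instead of "Juniper Level 1".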