Sometimes it is useful to know whether a device really supports nested groups. This little test shows that a Fortinet FortiGate 60D running FortiOS 5.6 does support an address object that is nested into five different groups:
address object "h-192.168.2.2" is in group "srcgrp05"
address object group "srcgrp05" is in group "srcgrp04"
address object group "srcgrp04" is in group "srcgrp03"
address object group "srcgrp03" is in group "srcgrp02"
address object group "srcgrp02" is in group "srcgrp01"
address object group "srcgrp01" is used in firewall policy with id 10:
srcgrp01/
└── srcgrp02/
    └── srcgrp03/
        └── srcgrp04/
            └── srcgrp05/
                └── h-192.168.2.2/
dstgrp01/
└── dstgrp02/
    └── dstgrp03/
        └── dstgrp04/
            └── dstgrp05/
                └── h-172.16.0.182/
Firewall policy 10 uses srcgrp01 and dstgrp05 (by mistake; it should have been dstgrp01, so only the source side of the policy exercises the full five-level nesting).
Config:
config firewall address
    edit "h-192.168.2.2"
        set subnet 192.168.2.2 255.255.255.255
    next
    edit "h-172.16.0.182"
        set subnet 172.16.0.182 255.255.255.255
    next
end
config firewall addrgrp
    edit "srcgrp05"
        set member "h-192.168.2.2"
    next
    edit "srcgrp04"
        set member "srcgrp05"
    next
    edit "srcgrp03"
        set member "srcgrp04"
    next
    edit "srcgrp02"
        set member "srcgrp03"
    next
    edit "srcgrp01"
        set member "srcgrp02"
    next
    edit "dstgrp05"
        set member "h-172.16.0.182"
    next
    edit "dstgrp04"
        set member "dstgrp05"
    next
    edit "dstgrp03"
        set member "dstgrp04"
    next
    edit "dstgrp02"
        set member "dstgrp03"
    next
    edit "dstgrp01"
        set member "dstgrp02"
    next
end
config firewall policy
    edit 10
        set srcintf "internal3"
        set dstintf "wan1"
        set srcaddr "srcgrp01"
        set dstaddr "dstgrp05"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
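Whether a group is nested five levels deep is easy to check by eye in a config this small, but on a production box a policy that references a deeply nested group can be hard to audit. The following is an added example, not code from the original post or from Fortinet: a small Python reader for the three FortiOS stanzas above that expands every address group recursively, reports the effective subnets each policy matches and how deep the referenced groups are nested, and refuses a membership cycle. The sample string reproduces the configuration shown above (the policy stanza abridged to the fields the resolver uses); the helper names and the depth convention (a plain address object is depth 0, a group holding only addresses is depth 1) are this example's own.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample: the address, address-group and policy stanzas of the
# FortiGate configuration shown above, as one string. _grp() only keeps the
# ten one-member group definitions short.
def _grp(name, member):
    return f'    edit "{name}"\n        set member "{member}"\n    next\n'

SAMPLE_CONFIG = (
    "config firewall address\n"
    '    edit "h-192.168.2.2"\n        set subnet 192.168.2.2 255.255.255.255\n    next\n'
    '    edit "h-172.16.0.182"\n        set subnet 172.16.0.182 255.255.255.255\n    next\n'
    "end\nconfig firewall addrgrp\n"
    + _grp("srcgrp05", "h-192.168.2.2") + _grp("srcgrp04", "srcgrp05")
    + _grp("srcgrp03", "srcgrp04") + _grp("srcgrp02", "srcgrp03")
    + _grp("srcgrp01", "srcgrp02") + _grp("dstgrp05", "h-172.16.0.182")
    + _grp("dstgrp04", "dstgrp05") + _grp("dstgrp03", "dstgrp04")
    + _grp("dstgrp02", "dstgrp03") + _grp("dstgrp01", "dstgrp02")
    + "end\nconfig firewall policy\n    edit 10\n"
    '        set srcintf "internal3"\n        set dstintf "wan1"\n'
    '        set srcaddr "srcgrp01"\n        set dstaddr "dstgrp05"\n'
    '        set action accept\n        set service "SSH"\n    next\nend\n'
)


def parse_config(text):
    """Minimal reader for FortiOS CLI stanzas (config/edit/set/next/end).
    Returns {section: {entry: {key: [tokens]}}}, so the 'member' key of an
    address group maps to the list of its member names."""
    sections, section, entry = defaultdict(dict), None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        word, _, rest = line.partition(" ")
        if word == "config":
            section = rest
        elif word == "edit":
            entry = rest.strip('"')
            sections[section][entry] = {}
        elif word == "set":
            key, _, value = rest.partition(" ")
            sections[section][entry][key] = shlex.split(value)
    return sections


def resolve(name, addresses, groups, _path=()):
    """Expand an address or group name into the set of subnets it covers.
    Returns (subnets, depth): depth counts the group levels below `name`, so a
    plain address object is 0 and a group containing only addresses is 1.
    A membership cycle (possible in a hand-edited file) raises ValueError."""
    if name in _path:
        raise ValueError("address group cycle: " + " -> ".join(_path + (name,)))
    if name in addresses:
        ip, mask = addresses[name]["subnet"]
        return {str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))}, 0
    if name not in groups:
        raise KeyError(f"unknown address object {name!r}")
    subnets, depth = set(), 0
    for member in groups[name].get("member", []):
        sub, d = resolve(member, addresses, groups, _path + (name,))
        subnets |= sub
        depth = max(depth, d + 1)
    return subnets, depth


def policy_summary(config):
    """For every firewall policy: the effective source and destination subnets
    after group expansion, plus how deep the referenced groups are nested."""
    addresses, groups = config["firewall address"], config["firewall addrgrp"]
    result = {}
    for pid, fields in config["firewall policy"].items():
        entry = {"action": fields.get("action", ["deny"])[0]}
        for side in ("srcaddr", "dstaddr"):
            subnets, depth = set(), 0
            for obj in fields.get(side, []):
                sub, d = resolve(obj, addresses, groups)
                subnets |= sub
                depth = max(depth, d)
            entry[side], entry[side + "_depth"] = subnets, depth
        result[pid] = entry
    return result


if __name__ == "__main__":
    for pid, e in policy_summary(parse_config(SAMPLE_CONFIG)).items():
        print(f"policy {pid} ({e['action']}): src {sorted(e['srcaddr'])} nested "
              f"{e['srcaddr_depth']} deep, dst {sorted(e['dstaddr'])} nested {e['dstaddr_depth']} deep")
```

Run against the sample, policy 10 resolves to 192.168.2.2/32 through five group levels on the source side and to 172.16.0.182/32 through a single level on the destination side, which makes the dstgrp05 slip mentioned above visible without reading the group chain by hand.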
Test using diag debug flow:
FGT60D123456789 # id=20085 trace_id=4 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [S], seq 1083753677, ack 0, win 64240"
id=20085 trace_id=4 func=init_ip_session_common line=5614 msg="allocate a new session-0005ea9f"
id=20085 trace_id=4 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-172.16.0.182 via wan1"
id=20085 trace_id=4 func=fw_forward_handler line=746 msg="Allowed by Policy-10: SNAT"
id=20085 trace_id=4 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
id=20085 trace_id=5 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 172.16.0.182:22->172.16.255.254:58871) from wan1. flag [S.], seq 3921820808, ack 1083753678, win 29200"
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, reply direction"
id=20085 trace_id=5 func=__ip_session_run_tuple line=3298 msg="DNAT 172.16.255.254:58871->192.168.2.2:58871"
id=20085 trace_id=5 func=vf_ip4_route_input line=1604 msg="find a route: flags=00000000 gw-192.168.2.2 via internal3"
id=20085 trace_id=5 func=npu_handle_session44 line=919 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000000"
id=20085 trace_id=5 func=ip_session_install_npu_session line=270 msg="npu session intallation succeeded"
id=20085 trace_id=6 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [.], seq 1083753678, ack 3921820809, win 1026"
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, original direction"
id=20085 trace_id=6 func=npu_handle_session44 line=919 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00002000"
id=20085 trace_id=6 func=ip_session_install_npu_session line=270 msg="npu session intallation succeeded"
id=20085 trace_id=6 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
id=20085 trace_id=7 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 172.16.0.182:22->172.16.255.254:58871) from wan1. flag [F.], seq 3921820867, ack 1083753680, win 229"
id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, reply direction"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3298 msg="DNAT 172.16.255.254:58871->192.168.2.2:58871"
id=20085 trace_id=7 func=npu_handle_session44 line=919 msg="Trying to offloading session from wan1 to internal3, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00003000"
id=20085 trace_id=8 func=print_pkt_detail line=5455 msg="vd-root received a packet(proto=6, 192.168.2.2:58871->172.16.0.182:22) from internal3. flag [F.], seq 1083753680, ack 3921820868, win 1026"
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5530 msg="Find an existing session, id-0005ea9f, original direction"
id=20085 trace_id=8 func=npu_handle_session44 line=919 msg="Trying to offloading session from internal3 to wan1, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x00003000"
id=20085 trace_id=8 func=__ip_session_run_tuple line=3284 msg="SNAT 192.168.2.2->172.16.255.254:58871"
Result
Matching on an address object that is nested in five address object groups works: the SYN of the test connection is allowed by policy 10, and the remaining packets are handled by the existing session.