timothydilbert asked

Managing Dynamic Address Group for SaaS-related rules

Hi Everyone,

I have a ticket opened with Fortinet Support on this, but I thought I would also put the question here in case people in the community have a workaround you could share.

I want to define a policy that allows inbound/outbound connections from trusted IPs related to a SaaS service provider (in this case, GitHub). GitHub has its list of trusted IPs available in JSON format (https://api.github.com/meta). The goal is to establish rules using those IP lists.

As you can see, this list can have dozens of IPs. Creating an "Address" for each GitHub subnet is no small task, especially since that IP list is dynamic, which means IPs can be added/removed at any time.

Because I am seeing a trend where SaaS platforms provide their IPs in JSON format (e.g. Zendesk, ServiceNow, Okta, Google), I figured these dynamic IP lists must be common enough that other Fortinet administrators must have found some workarounds for automating the support and management of policies with rules relying on these IP lists being kept up to date.

Does anyone have any advice on how to define policies using IPs from these JSON documents?

Firewall policy, Dynamic address

0 Answers
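
One way to turn a JSON prefix document like the one described in the question into a flat, de-duplicated CIDR list and to see what changed between two fetches (an added example, not part of the original post and not Fortinet or GitHub code). The sample document, its key names and the function names are assumptions constructed for illustration; fetching the live URL and loading the result into the firewall are left out.

```python
import ipaddress
import json

# Constructed sample shaped like a SaaS prefix document: service keys hold
# lists of CIDR strings, mixed with non-address fields. Key names are assumed;
# the ranges are documentation prefixes, not real provider addresses.
SAMPLE_META = json.dumps({
    "verifiable_password_authentication": False,
    "ssh_keys": ["ssh-ed25519 AAAAexample"],
    "hooks": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8:1::/48"],
    "git": ["198.51.100.0/24", "192.0.2.0/25", "198.51.100.7/32"],
})


def extract_networks(meta_json, services):
    """Return collapsed (IPv4, IPv6) network lists for the chosen service keys."""
    meta = json.loads(meta_json)
    v4, v6 = [], []
    for name in services:
        entries = meta.get(name)
        if not isinstance(entries, list) or not entries:
            # A renamed or emptied key must not silently shrink the allowlist.
            raise ValueError(f"{name!r} is missing or not a non-empty list")
        for entry in entries:
            # Raises ValueError on anything that is not a valid CIDR prefix.
            net = ipaddress.ip_network(entry, strict=True)
            (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses de-duplicates and merges adjacent or nested prefixes.
    return (list(ipaddress.collapse_addresses(v4)),
            list(ipaddress.collapse_addresses(v6)))


def render_feed(meta_json, services):
    """One CIDR per line, IPv4 first, as a plain-text list for import."""
    v4, v6 = extract_networks(meta_json, services)
    return "".join(f"{net}\n" for net in v4 + v6)


def diff_feeds(old_feed, new_feed):
    """Return (added, removed) prefixes between two rendered feeds."""
    old, new = set(old_feed.split()), set(new_feed.split())
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    previous = render_feed(SAMPLE_META, ["hooks"])
    current = render_feed(SAMPLE_META, ["hooks", "git"])
    print(current, diff_feeds(previous, current), sep="")
```

Selecting a key that is missing, empty or not a list of prefixes raises an error instead of producing a shorter list, so a change in the provider's document is noticed before a policy depends on it.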
