FortiSASE
mdibaee
Staff
Article Id 308743
Description

 

This article explains which IP addresses are part of the FortiSASE egress IP address list used in ISDB objects or the IP feed.

 

Scope

 

FortiSASE, FortiGate ISDB.

 

Solution

 

The Fortinet-FortiSASE ISDB object enables inbound and outbound access between FortiGate and FortiSASE. This ISDB is constructed based on IP addresses from this IP feed.

 

As of April 6th, 2024, the egress IP feed does not include the following IP addresses:

 

  1. Dedicated Public IP addresses of the PoPs.
  2. Public IP addresses assigned to SASE services like the EMS cloud egress IP.

The IP address feed specifically covers FortiSASE infrastructure egress IPs and excludes EMS cloud and dedicated PoP IP addresses. Currently, FortiSASE EMS cloud IP addresses are managed separately within the Fortinet-FortiCloud ISDB object.

 

To whitelist SASE PoP IP addresses, which are licensed, unique, and dedicated per deployment, it is recommended to create an address group containing the complete PoP egress IP address list and then reference it in the firewall policies.
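The following is an added example, not part of the original article or Fortinet's own tooling: it checks which dedicated PoP egress IPs are not covered by the feed and renders FortiOS CLI for an address group holding the complete PoP list. The feed layout (one IPv4 address or CIDR per line), the object names and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation ranges, not real FortiSASE addresses).
SAMPLE_FEED = """\
# constructed egress feed sample
198.51.100.0/28
203.0.113.64/26
"""
SAMPLE_POP_IPS = ["192.0.2.10", "192.0.2.11", "203.0.113.70"]


def parse_feed(text):
    """Parse a feed assumed to list one IPv4 address or CIDR per line."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def uncovered(pop_ips, feed_nets):
    """Return the dedicated PoP IPs that no feed entry covers, in input order."""
    return [ip for ip in pop_ips
            if not any(ipaddress.ip_address(ip) in net for net in feed_nets)]


def addrgrp_cli(ips, group="SASE-Dedicated-PoP"):
    """Render FortiOS CLI: one /32 address object per IP plus one address group.

    The group name is a hypothetical label; IPv4 only.
    """
    if not ips:
        return ""
    lines, names = ["config firewall address"], []
    for ip in ips:
        name = f"{group}-{ip}"
        names.append(f'"{name}"')
        lines += [f'    edit "{name}"',
                  f"        set subnet {ip} 255.255.255.255",
                  "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              f"        set member {' '.join(names)}", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    missing = uncovered(SAMPLE_POP_IPS, parse_feed(SAMPLE_FEED))
    print("Not covered by the feed:", ", ".join(missing) or "none")
    if missing:  # group still needed: emit it for the complete PoP list
        print(addrgrp_cli(SAMPLE_POP_IPS))
```

The resulting group is then referenced as the source or destination address in the relevant firewall policies, as described above.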

 

To whitelist SASE EMS access, the Fortinet-FortiCloud ISDB object can be utilized.

 

Note:

New Feature Request #1016588 has been filed to include the dedicated PoP IP address list and the SASE EMS cloud egress IP in the feed. Reference this ID when inquiring about its current status with the Fortinet support team. Alternatively, check the product release notes for updates.