Address Object Tied with Disable Interface

Forum|Forum|1 year ago
December 27, 2024
1 reply
1198 views

Hi Fortinet Community,

My address object is

edit "Wifi-address"
set type interface-subnet
set subnet 192.168.0.0 255.255.255.0
set interface "Wifi-interface"
next

how ever my interface status is unused/disable/down

edit "Wifi-interface"
set vdom "root"
set ip 192.168.0.1 255.255.255.0
set allowaccess ping fabric
set status down
set device-identification enable
set role lan
set snmp-index 8
set interface "port4"
set vlanid 888
next

...

however, I am use the same Address Object to use in new Firewall Policy but using different interface in source/destination like source is port9 destination is wan1. the policy can created.

i ask ChatGPT, is this possible?

Behavior with Disabled Interface:

When you disable an interface, FortiGate may interpret that the address object no longer has a valid binding, effectively treating it as "unbound." This could allow the address object to appear in policies for different source/destination interfaces.
This behavior can be seen as FortiGate "relaxing" the restriction since the interface is no longer operational, thus allowing the object to be used elsewhere.

FortiGate

Best answer by Toshi_Esumi

I think once it's configured, even when the interface is reactivated the policy using that address with a different interface would still work.
Only when I removed the address and tried to re-add it to the same policy, the address object wouldn't show up as an option because it's attached to a different active interface at the moment of configuration.

So the ChatGPT's explanation is sort of correct. But I wouldn't call it as "relaxing". Because the FortiOS is simply checking if the address object you're trying to use in a policy is bound to an "active" interface, and if so, if it's a correct interface in the policy. Then, when you enabled the interface, it wouldn't trace back all the dependency chains backward to reject your change attempt nor give you a warning. To me, it's a reasonable design.

Toshi

greentagAuthor

New Member

I had test because the interface is set type interface-subnet, making the firewall policy address can discover the address object.

Toshi_EsumiAnswer

SuperUser

I think once it's configured, even when the interface is reactivated the policy using that address with a different interface would still work.
Only when I removed the address and tried to re-add it to the same policy, the address object wouldn't show up as an option because it's attached to a different active interface at the moment of configuration.

So the ChatGPT's explanation is sort of correct. But I wouldn't call it as "relaxing". Because the FortiOS is simply checking if the address object you're trying to use in a policy is bound to an "active" interface, and if so, if it's a correct interface in the policy. Then, when you enabled the interface, it wouldn't trace back all the dependency chains backward to reject your change attempt nor give you a warning. To me, it's a reasonable design.

Toshi

greentagAuthor

New Member

thank you for your response

cheers

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded