Frosty
New Member
March 23, 2018
Question

Address objects with "set associated-interface xxxx"

  • March 23, 2018
  • 1 reply
  • 14641 views

We have an FG200E running v5.6.2 and using about 5-6 interfaces/subnets.

The configuration was largely cut-n-pasted from an older FG200B running v5.0.10 via CLI.

Most of the Address objects have an Interface explicitly set (i.e. set associated-interface xxxx) and I've noticed that this cannot be changed via the GUI and must therefore be edited via CLI.

We are just about to do a major reconfiguration of our internal networks, so I am building out the new Interfaces with new IP Addresses/Subnets.

I'll want to progressively pick up Address objects, give them a new IP Address, which will of course mean that they are to be found in a different Interface.

Is there any particular reason to keep these associated-interface settings?  I seem to have the options of:

(1)  set up the Address object via CLI with a new IP Address and also a new associated-interface value; or

(2) set up the Address object via CLI with a new IP Address, but "unset associated-interface"

We don't have a huge number of objects, and because we have good naming conventions, it is usually apparent just by considering the object's Name/Alias what interface/subnet it belongs to.

    1 reply

    ede_pfau
    SuperUser
    March 23, 2018

    hi,

    Interface binding is meant to minimise input errors when using the GUI. Years ago, when this was introduced, I noticed that I couldn't change the association, which really kept me from getting things done. Since then, I always keep an address object un-associated. Most of the time I know what I do when using address objects in policies; I haven't regretted this once in a long time.

    emnoc
    New Member
    March 23, 2018

    I prefer not, and here's why:

    1: it makes moving objects around that much harder and more time consuming

    2: if you change hardware out and use new "interface-names" you will end up with a lot of MS f5 find/replace or unix vi/sed substitution

    e.g.

    port1 is now referenced in the new hardware via vlan100 etc...

    3: leave the object un-associated unless you have some hardcore reason for enabling it, it's not a mandatory set option for a fortios fw.address.object
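The two options in the question (rebind to a new interface name, or `unset associated-interface`) and emnoc's point about find/replace across a config backup both come down to auditing which address objects carry a binding before a migration. The script below is an added example, not code from the thread or from Fortinet: it parses the `config firewall address` section of a FortiOS text backup, lists the bound objects, and generates CLI for either option. The sample backup excerpt, object names and the `port1 -> vlan100` mapping are constructed for illustration.

```python
"""Audit and rewrite `set associated-interface` bindings in a FortiOS config backup.

Added example (not from the thread or Fortinet). It parses the
`config firewall address` block of a text backup, reports which address
objects are bound to an interface, and emits CLI either to remap the
bindings to new interface names (option 1 in the question) or to drop
them with `unset associated-interface` (option 2).
"""
import re

# Constructed sample backup excerpt; object and interface names are made up.
SAMPLE_CONFIG = """\
config firewall address
    edit "srv-dns-port1"
        set subnet 10.1.0.53 255.255.255.255
        set associated-interface "port1"
    next
    edit "net-users-port2"
        set subnet 10.2.0.0 255.255.255.0
        set associated-interface "port2"
    next
    edit "any-host"
        set subnet 192.168.9.7 255.255.255.255
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
    next
end
"""


def parse_address_objects(config_text):
    """Return {name: {"subnet": str|None, "interface": str|None}} for every
    object inside the `config firewall address` block; other blocks are ignored."""
    objects = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall address":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":  # end of the address block
            break
        m = re.match(r'edit "(.+)"$', line)
        if m:
            current = m.group(1)
            objects[current] = {"subnet": None, "interface": None}
            continue
        if current is None:
            continue
        m = re.match(r"set subnet (.+)$", line)
        if m:
            objects[current]["subnet"] = m.group(1)
            continue
        m = re.match(r'set associated-interface "(.+)"$', line)
        if m:
            objects[current]["interface"] = m.group(1)
            continue
        if line == "next":
            current = None
    return objects


def bound_objects(objects):
    """Names of objects that carry an interface binding, sorted for stable output."""
    return sorted(n for n, o in objects.items() if o["interface"])


def remap_commands(objects, interface_map):
    """CLI lines that rebind objects to new interface names (option 1).
    Objects whose old interface has no entry in the map are returned as
    `missing` rather than silently left pointing at an interface the new
    hardware does not have."""
    lines = ["config firewall address"]
    missing = []
    for name in bound_objects(objects):
        old = objects[name]["interface"]
        if old not in interface_map:
            missing.append((name, old))
            continue
        lines += [f'    edit "{name}"',
                  f'        set associated-interface "{interface_map[old]}"',
                  "    next"]
    lines.append("end")
    return lines, missing


def unset_commands(objects):
    """CLI lines that drop every binding (option 2)."""
    lines = ["config firewall address"]
    for name in bound_objects(objects):
        lines += [f'    edit "{name}"',
                  "        unset associated-interface",
                  "    next"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    objs = parse_address_objects(SAMPLE_CONFIG)
    print("bound objects:", bound_objects(objs))
    cli, missing = remap_commands(objs, {"port1": "vlan100"})
    print("\n".join(cli))
    print("no mapping for:", missing)
    print("\n".join(unset_commands(objs)))
```

Run it against a real backup by reading the file into `parse_address_objects` instead of `SAMPLE_CONFIG`; the `missing` list from `remap_commands` is the check worth looking at before pasting anything into the CLI, since it names exactly the objects that would otherwise be left bound to an interface name the new box does not have.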

    Frosty (Author)
    New Member
    March 27, 2018

    Thanks both for your feedback.

    Confirms my best bet is to unset the associations and give myself more flexibility.