xkalib3r
New Member
June 27, 2016
Question

Binding Address Objects to Specific Interface

  • June 27, 2016
  • 1 reply
  • 12408 views

Hi All

Just a general question to get some different points of view.

What are your thoughts on binding address objects to a specific interface? Is this necessary? Are there any security risks in specifying the interface as "any"?

I won't go into detail regarding the issue I am currently facing, but suffice to say that if I used interface "any" at a client HO and branch sites, my problems would go away. Since I got involved in firewalling many moons ago, I have always assumed that binding addresses to specific interfaces is best practice, but this issue got me thinking why this is the case...

Regards

1 reply

ede_pfau
SuperUser
June 27, 2016

hi,

actually, binding addresses to interfaces is a good idea IF the implementation in FortiOS were better. If you manage a huge number of addresses it may be quicker to select suitable ones when creating policies. But, as you've noticed already, if the need arises to reassign an address from a specific interface/port to another one, FortiOS leaves you in the ditch. This case happens more often than one thinks.

So, in consequence, I never associate address objects with a specific interface.

If I could just edit the address (which costs time anyway) and change the interface, even to 'any', then I'd probably use the feature in large installations. A lot of ifs.

emnoc
New Member
June 27, 2016

I never bind an object to an interface, but one good benefit is that you can't craft a wrong policy if the object is bound to an interface. So let's say you have an objectA bound to interfaceA; you can craft a policy for objectA to interfaceB.

Also, one more setback: you can use an "ANY" interface in a fwpolicy, so that could be a negative with object+interface binding.

Ken
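The two points raised in this reply (an address bound to one interface referenced from a policy on another, and a policy on the "any" interface referencing a bound address) are easy to check for offline. The following script is an added example, not code from this thread or from Fortinet: it parses a small constructed FortiOS-style config dump (the address names, subnets and port numbers are made up) and reports every policy whose srcintf/dstintf does not agree with the `associated-interface` of the address objects it uses. It is a review aid to run against an exported config before re-homing objects between ports, not a replacement for what the firewall itself enforces.

```python
"""Lint FortiOS-style address objects against firewall policies for
interface-binding mismatches.  Added example; SAMPLE_CONFIG is constructed."""
import shlex

SAMPLE_CONFIG = """\
config firewall address
    edit "HO_LAN"
        set subnet 10.1.0.0 255.255.0.0
        set associated-interface "port2"
    next
    edit "BRANCH_LAN"
        set subnet 10.2.0.0 255.255.0.0
        set associated-interface "any"
    next
    edit "SRV_DB"
        set subnet 10.1.5.10 255.255.255.255
        set associated-interface "port3"
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "HO_LAN"
        set dstaddr "SRV_DB"
        set action accept
    next
    edit 2
        set srcintf "port1"
        set dstintf "port3"
        set srcaddr "HO_LAN"
        set dstaddr "SRV_DB"
        set action accept
    next
    edit 3
        set srcintf "any"
        set dstintf "any"
        set srcaddr "BRANCH_LAN"
        set dstaddr "SRV_DB"
        set action accept
    next
end
"""


def parse_config(text):
    """Parse a flat config dump into {section: {entry: {key: [values]}}}.
    Assumption: no nested 'config' blocks inside an 'edit' (true for the sample)."""
    sections = {}
    section = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double quotes FortiOS prints
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif keyword == "edit":
            entry = tokens[1]
            sections[section][entry] = {}
        elif keyword == "set":
            sections[section][entry][tokens[1]] = tokens[2:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            section = None
    return sections


def bound_interface(addresses, name):
    """Interface an address object is associated with; 'any' if unbound or unknown."""
    values = addresses.get(name, {}).get("associated-interface", ["any"])
    return values[0] if values else "any"


def lint_policies(config):
    """Return (policy_id, message) for each policy whose src/dst interface does
    not agree with the binding of an address object it references."""
    addresses = config.get("firewall address", {})
    findings = []
    for pid, policy in config.get("firewall policy", {}).items():
        for intf_key, addr_key in (("srcintf", "srcaddr"), ("dstintf", "dstaddr")):
            interfaces = set(policy.get(intf_key, []))
            for name in policy.get(addr_key, []):
                bound = bound_interface(addresses, name)
                if bound == "any":
                    continue  # unbound object: valid on every interface
                if "any" in interfaces:
                    findings.append((pid, f"{addr_key} '{name}' is bound to {bound} "
                                          f"but {intf_key} is 'any'"))
                elif bound not in interfaces:
                    findings.append((pid, f"{addr_key} '{name}' is bound to {bound} "
                                          f"but {intf_key} is {sorted(interfaces)}"))
    return findings


if __name__ == "__main__":
    for pid, msg in lint_policies(parse_config(SAMPLE_CONFIG)):
        print(f"policy {pid}: {msg}")
```

On the sample, policy 1 is clean, policy 2 is flagged because HO_LAN is bound to port2 while the policy's srcintf is port1, and policy 3 is flagged because SRV_DB is bound to port3 while the policy's dstintf is "any". Unbound objects such as BRANCH_LAN never produce a finding, which is exactly why they are easier to move between sites and also why they carry no interface check at all.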

ponder
New Member
June 27, 2016

I always bind objects to a specific interface or zone. I can't say I ever even thought about not doing that and leaving it as 'any'.

interesting point