lobstercreed
New Member
December 5, 2020
Question

Cannot set match-vip enable in 6.4.3

  • December 5, 2020
  • 2 replies
  • 12695 views

Good morning all,
I encountered something yesterday that has me really scratching my head.  In 6.0.x I had set a bunch of policies with match-vip enable that no longer appear to have that setting in the CLI.  Furthermore, when I go to add it to a policy that I should be able to add it to, it is not an option.  Let me explain my use-case to make sure we're all on the same page.
We have a full AD environment and all our internal users use it for DNS.  We have the occasional BYOD client that has Google DNS programmed so when they should be resolving a public server's internal IP they instead resolve the external IP of that system.  Policies are like this:
For external users:

interface:  WAN -> DMZ 

address:  all -> VIP_Server01 (5.5.5.5 -> 10.10.6.70)
For internal users:

interface:  LAN -> DMZ 

address:  all -> Server01 (10.10.6.70)
So obviously the problem was that the internal users that resolved Server01 to 5.5.5.5 could not find a matching policy but if I changed the internal policy to use the VIP object then the majority of internal users wouldn't match either, and you can't mix VIP and regular address objects on a policy.  To solve this I either needed to duplicate my policies (so that one used the VIP and one used the internal address) OR just "set match-vip enable" on any of my LAN policies with the internal DMZ address that might be reached by a misconfigured BYOD client.  Surely many of y'all have run into this same thing and maybe done the same thing.
I ran into a new system I wanted to set this for yesterday now that I'm on 6.4.x and couldn't.  It only seems to be an option if the destination address is "all" which obviously is not the behavior I want because different servers require different services to be available. 

I skipped 6.2.x, but I'm curious if this was one of the things that changed in that version?  Regardless of when it changed though I don't understand why.  It's also worth noting that my old policies that had it set DO still seem to function as if it was set, but it's not visible in the CLI anymore so I can't unset it either.  Is this just a major bug?  I haven't reached out to support yet but figured I'd ask if anyone else has seen this or found a guide that explains it.
Thanks! - Daniel
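The two ways of handling the hairpin case described in the post, written out as a FortiOS CLI fragment. This is an added example, not configuration from the original post or from Fortinet; the object names and addresses (VIP_Server01, Server01, 5.5.5.5, 10.10.6.70) come from the post, while the interface names "wan", "lan" and "dmz", the policy IDs, the policy names and the HTTPS service are assumed placeholders.

```fortios
# VIP and address objects shared by both approaches (names/IPs from the post,
# interface names assumed).
config firewall vip
    edit "VIP_Server01"
        set extintf "wan"
        set extip 5.5.5.5
        set mappedip "10.10.6.70"
    next
end
config firewall address
    edit "Server01"
        set subnet 10.10.6.70 255.255.255.255
    next
end

# Approach 1 (pre-6.4.3): one LAN -> DMZ policy on the internal address,
# with match-vip enable so a BYOD client that resolved 5.5.5.5 still matches.
# From 6.4.3 this keyword is no longer accepted on an accept policy.
config firewall policy
    edit 10
        set name "LAN-to-DMZ-Server01"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Server01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set match-vip enable
    next
end

# Approach 2 (works on 6.4.3 and later): duplicate the LAN -> DMZ policy,
# one matching the internal address and one matching the VIP, since a VIP
# and a regular address object cannot share one policy's dstaddr.
config firewall policy
    edit 11
        set name "LAN-to-DMZ-Server01-internal"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Server01"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    edit 12
        set name "LAN-to-DMZ-Server01-via-VIP"
        set srcintf "lan"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_Server01"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
```

Keeping the service list identical on the duplicated pair (policies 11 and 12) is what preserves the per-server least-privilege intent the post describes; a policy with dstaddr "all" would match but would also expose every DMZ service to the hairpinned client.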

    2 replies

    mr_vaughn
    Explorer III
    December 19, 2020

    We now have the same problem.

    And I have many clients with FortiGates that have it for a hairpin, matching the VIP.
    mr_vaughn
    Explorer III
    December 19, 2020

    Command should be there in 6.4.3: https://docs.fortinet.com/document/fortigate/6.4.3/cli-reference/311620/firewall-policy

    But it is not in 6.4.4.
    mr_vaughn
    Explorer III
    December 19, 2020

    Are you running vdoms?
    akileshc
    Staff
    January 5, 2022

    Since 6.4.3 it is only possible to use this option for DENY policies. It is not available anymore for ACCEPT policies (https://docs.fortinet.com/document/fortigate/6.4.3/fortios-release-notes/230510/changes-in-default-b...)