sridharsre
New Member
March 16, 2016
Question

FortiManager: How to change the interface of an object which is used in a firewall policy.


Hi guys,

I would like to change the interface of the object which is already associated with a firewall policy.

Kindly help me on this!!!

Thanks in advance!!!

Regards,

Sridhar S

    2 replies

    scao_FTNT
    Staff
    March 16, 2016

    What kind of object? Address and VIP have an interface binding restriction with the policy.

    Thanks

    Simon

    sridharsre
    New Member
    March 17, 2016

    Hi Simon,

    Thanks for the reply.

    I mean the server (ex: Proxy_1 (10.2.30.40)). The existing Proxy_1 object in the FortiManager is mapped to a different interface than the firewall whose policy is about to be imported. This will create an interface conflict. So I would like to change the interface of the object in both the FortiManager and the firewall to "ANY".

    But when I tried on the FortiManager, I couldn't change it, since this object is used in the FortiManager's other firewalls.

    How to change this interface when it is already in use?

    Thanks in advance!!!

    Regards,

    Sridhar S

    scao_FTNT
    Staff
    March 21, 2016

    If that object conflict is for the address associated-interface,

    there may be 2 methods:

    1. Create a CLI script to run on the package db, to change the interface to "any" for the FMG ADOM db config:

    config firewall address
        edit "test111"
            unset associated-interface
    end

    and you should see the install changes below for existing FMG policy packages to your FGTs (this will trigger a delete and re-add of that address using the policy):

    Starting log (Run on device)

    Start installing
    v8c $ config firewall policy
    v8c (policy) $ delete 22
    v8c (policy) $ end
    v8c $ config firewall address
    v8c (address) $ edit "test1111"
    v8c (test1111) $ unset associated-interface
    v8c (test1111) $ next
    v8c (address) $ end
    v8c $ config firewall policy
    v8c (policy) $ edit 22
    new entry '22' added
    v8c (22) $ set uuid 3a42300e-ef8c-51e5-329c-a4c8cd208b48
    v8c (22) $ set srcintf "port3"
    v8c (22) $ set dstintf "111"
    v8c (22) $ set srcaddr "test1111"
    v8c (22) $ set dstaddr "aaaa"
    v8c (22) $ set action accept
    v8c (22) $ set schedule "always"
    v8c (22) $ set service "ALL"
    v8c (22) $ next
    v8c (policy) $ end

    ---> generating verification report
    <--- done generating verification report

    install finished

    2. Try to re-name the FGT object to a different name to avoid a conflict with the existing FMG ADOM db config.

    Thanks

    Simon
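A pre-import check for the conflict Simon describes, added here as an example (not code from this thread or from Fortinet): it parses the `config firewall address` table of two FortiOS-style config dumps, one assumed to be an export of the FMG ADOM db and one from the FortiGate about to be imported, and reports objects whose associated-interface differs. The sample configs and object names are constructed.

```python
def parse_address_objects(config_text):
    """Map address-object name -> associated-interface (None when unbound, i.e. 'any')
    from the 'config firewall address' table of a FortiOS-style config dump."""
    objects, current, depth, in_table = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):                 # enter a (possibly nested) table
            depth += 1
            in_table = in_table or (depth == 1 and line == "config firewall address")
        elif line == "end":                            # leave a table
            depth -= 1
            in_table = in_table and depth > 0
        elif in_table and depth == 1 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            objects[current] = None                    # unbound until a set is seen
        elif in_table and current and line.startswith("set associated-interface "):
            objects[current] = line.split(None, 2)[2].strip().strip('"')
        elif in_table and depth == 1 and line == "next":
            current = None
    return objects


def find_binding_conflicts(adom_config, device_config):
    """Objects defined on both sides whose associated-interface differs; these are the
    entries FortiManager flags as interface conflicts when importing a policy."""
    adom, dev = parse_address_objects(adom_config), parse_address_objects(device_config)
    return {n: (adom[n], dev[n]) for n in adom if n in dev and adom[n] != dev[n]}


# Constructed samples (not real device output): the ADOM already holds Proxy_1
# bound to port3, while the FortiGate being imported binds the same object to wan1.
ADOM_CONFIG = """\
config firewall address
    edit "Proxy_1"
        set subnet 10.2.30.40 255.255.255.255
        set associated-interface "port3"
    next
    edit "aaaa"
        set subnet 10.9.0.0 255.255.0.0
    next
end
"""
DEVICE_CONFIG = ADOM_CONFIG.replace('"port3"', '"wan1"')

if __name__ == "__main__":
    for name, (adom_if, dev_if) in find_binding_conflicts(ADOM_CONFIG, DEVICE_CONFIG).items():
        print(f"{name}: ADOM={adom_if or 'any'} device={dev_if or 'any'}")
```

Objects reported here are the ones to either unset the interface on (method 1) or rename on the FGT (method 2) before importing.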

    danstermeister
    New Member
    February 8, 2017

    This is the core problem with FortiManager imho: there is no easy re-use of object definitions across vdoms that will honor the interfacing it's being moved to. Meaning, the only way to re-use definitions across vdoms is to assign them to the interface 'any', which then disables certain features, or you risk big problems using definitions meant for interfaces not associated with a vdom.

    For every object definition tied to an interface on a vdom, I have to specifically prepend its identity to guarantee it won't get confused with another similar definition being used on another vdom in the same manner. EXTRA WORK. If you peered into my FortiManager setup there would be a separate Google-8.8.8.8 definition for each vdom it manages. What a pain!

    Am I the only administrator that finds this painful?

    What I'm hoping here is that I've missed something that someone can point out (that doesn't involve a workaround, but beggars can't be choosers), and then I'm happy to change this post to a mea culpa.

    To be sure, 'what I want' is to be able to roll out a single address object definition to a group of vdoms, specifying it should go on their external ('wan') interfaces, and it honors that... and doesn't get confused if I have to re-import those vdoms at a later date.