VIP object with interface set as "any"

Forum|Forum|4 years ago
December 17, 2021
4 replies
6126 views

Hey guys,

Can anyone please confirm if using VIP objects set with interface "any" is the issue? I talked to TAC and they are not sure, though fortinet guru site shows it should be fine.

Any feedback is appreciated.

FortiGate

Best answer by Jackstorm

Use any in VIP is fine, we also haven’t specific interface in VIP.

R_F

Explorer

not sure the result of using any as interface. since then I work with FG I often using specific interfaces for my src and dst most esp on VIP/DNAT.

Any Any interfaces if I have multiple vlans inside my FG to eliminate recreating handlfull of vlans rules. :)

JackstormAnswer

Visitor III

Use any in VIP is fine, we also haven’t specific interface in VIP.

Yurisk

SuperUser

Security-wise it bears no meaning to use Any or specific interface, it just binds this object to be used on a specific interface to may be prevent someone from configuring VIP on the wrong interface and then wondering why it is not working (my personal idea of it).

I always set it to Any. Actually, in the case of multiple ISPs, when external IP used in VIP is your own, advertised via BGP to providers, you have to leave VIP as Any or failover/configuring the same VIP for both IPS connections would not work.

the_rockAuthor

Explorer III

Thanks guys for responding...support also got back to me saying it should be fine. Im just bit worried, since we are converting to Fortinet from another vendor and there are lots of NAT rules we had to move over, so this is very critical to work right.

Jackstorm

Visitor III

If you have huge amont VIPS, like 2K-3K VIP, set interface will optimize the performace, it will help traffice match the related interface, hope it help.

the_rockAuthor

Explorer III

I cant recall now how many there were, but I believe about 250 or so.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded