Why are VIP Groups not the same as Address Groups (nesting)

Question

Is there any reason that anyone knows why VIPG's are not nestable?

Address Groups are nestable. I can create an Address, add it to an address group, and have that address group a member of a master address group that is set up on an outbound policy.

I want to do the same on an inbound policy with a VIP Group.

My use case is relatively simple - we run a multi tenant environment of somewhat standardised services, and I always prefer the other admins to edit group membership not policies. That way, it's less likely that a wayward change is made to a policy, and typically the most impact of an accidental action is to open additional ports up to servers that aren't listening to those ports anyway.... our structure would be Tenant-VIP is a member of tenant-vipgrp which is a member of service-vipgrp, and service-vipgrp is used on the policy. A new tenant using a service just requires adding their tenant-vipgrp to the service-vipgrp. That's safer in my view than having to crack open the policy and add the tenant's vipgrp there, and it matches exactly what we do with outbound services.

tanr · Accepted Answer

You probably want to request an NFR (New Feature Request) through your Fortinet SE.  I've not had the best luck with NFRs, but I have had them actually get implemented (1.5 years after the request for one of them).

poundy · Answer

anyone with suggestions how to raise a bug here ?  OK, maybe not so much a bug, but a bad design that needs fixing :) And anyone with comments on my use case scenario and my views on the admin tasks?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded