Hi Fortinet Community,
My address object is
    edit "Wifi-address"
        set type interface-subnet
        set subnet 192.168.0.0 255.255.255.0
        set interface "Wifi-interface"
    next
However, my interface status is unused/disable/down
    edit "Wifi-interface"
        set vdom "root"
        set ip 192.168.0.1 255.255.255.0
        set allowaccess ping fabric
        set status down
        set device-identification enable
        set role lan
        set snmp-index 8
        set interface "port4"
        set vlanid 888
    next
...
However, I am using the same address object in a new firewall policy that uses different interfaces for source/destination (source is port9, destination is wan1), and the policy can be created.
I asked ChatGPT, is this possible?
Behavior with Disabled Interface:
Created on 12-26-2024 09:37 PM Edited on 12-26-2024 09:38 PM
I think once it's configured, even when the interface is reactivated the policy using that address with a different interface would still work.
Only when I removed the address and tried to re-add it to the same policy, the address object wouldn't show up as an option because it's attached to a different active interface at the moment of configuration.
So ChatGPT's explanation is sort of correct, but I wouldn't call it "relaxing", because FortiOS is simply checking whether the address object you're trying to use in a policy is bound to an "active" interface and, if so, whether it's a correct interface in the policy. Then, when you enable the interface, it wouldn't trace all the dependency chains backward to reject your change attempt or give you a warning. To me, it's a reasonable design.
Toshi
I tested it because the interface is set type interface-subnet, so the firewall policy address can discover the address object.
Thank you for your response.
Cheers
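An offline audit for the situation discussed in this thread, as an added example that is not from the original posts or from Fortinet: it parses a FortiOS config backup and lists policies whose source or destination address object is bound to an interface the policy does not use. The policy stanza in the sample is constructed from the interfaces named in the question (port9, wan1), and the function names are hypothetical.

```python
import shlex

# Constructed sample: the address object from the question plus a policy built from its description.
SAMPLE = """
config firewall address
    edit "Wifi-address"
        set type interface-subnet
        set interface "Wifi-interface"
    next
end
config firewall policy
    edit 1
        set srcintf "port9"
        set dstintf "wan1"
        set srcaddr "Wifi-address"
        set dstaddr "all"
    next
end
"""

def parse_section(config, section):
    # Returns {entry name: {setting: [values]}} for one top-level "config <section>" block.
    entries, depth, name = {}, 0, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            # Enter the wanted section, or go one level deeper for a nested block.
            depth = depth + 1 if depth else int(line == f"config {section}")
        elif line == "end" and depth:
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            name = shlex.split(line)[1]
            entries[name] = {}
        elif depth == 1 and name and line.startswith("set "):
            parts = shlex.split(line)
            entries[name][parts[1]] = parts[2:]
    return entries

def find_mismatches(config):
    # Each finding: (policy id, policy field, address object, interface the address is bound to).
    addrs = parse_section(config, "firewall address")
    findings = []
    for pid, pol in parse_section(config, "firewall policy").items():
        for akey, ikey in (("srcaddr", "srcintf"), ("dstaddr", "dstintf")):
            for addr in pol.get(akey, []):
                bound = addrs.get(addr, {}).get("interface", [None])[0]
                if bound and bound not in pol.get(ikey, []):
                    findings.append((pid, akey, addr, bound))
    return findings
```

Running `find_mismatches` over a backup before re-enabling an interface shows which existing policies were saved while the bound interface was down.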