Address Object Tied with Disable Interface
Hi Fortinet Community,
My address object is:

config firewall address
    edit "Wifi-address"
        set type interface-subnet
        set subnet 192.168.0.0 255.255.255.0
        set interface "Wifi-interface"
    next
end

However, my interface status is unused/disabled/down:

config system interface
    edit "Wifi-interface"
        set vdom "root"
        set ip 192.168.0.1 255.255.255.0
        set allowaccess ping fabric
        set status down
        set device-identification enable
        set role lan
        set snmp-index 8
        set interface "port4"
        set vlanid 888
    next
end
...
However, I am using the same address object in a new firewall policy with different interfaces as source/destination (source is port9, destination is wan1), and the policy can be created.
I asked ChatGPT: is this possible?
Behavior with Disabled Interface:
- When you disable an interface, FortiGate may interpret that the address object no longer has a valid binding, effectively treating it as "unbound." This could allow the address object to appear in policies for different source/destination interfaces.
- This behavior can be seen as FortiGate "relaxing" the restriction since the interface is no longer operational, thus allowing the object to be used elsewhere.
Labels: FortiGate
Created on ‎12-26-2024 09:37 PM Edited on ‎12-26-2024 09:38 PM
I think once it's configured, even when the interface is reactivated, the policy using that address with a different interface would still work.
Only when I removed the address and tried to re-add it to the same policy did the address object not show up as an option, because it's attached to a different active interface at the moment of configuration.
So ChatGPT's explanation is sort of correct, but I wouldn't call it "relaxing", because FortiOS is simply checking whether the address object you're trying to use in a policy is bound to an "active" interface and, if so, whether it's the correct interface for the policy. Then, when you enable the interface, it doesn't trace back all the dependency chains to reject your earlier change or give you a warning. To me, it's a reasonable design.
Toshi
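As an added example (not code from this thread or from Fortinet), a small Python audit that parses a FortiOS CLI dump and lists interface-subnet address objects used in a policy whose srcintf/dstintf does not include the object's bound interface, reporting that interface's current status so the stale bindings Toshi describes (accepted while the interface was down, kept once it is re-enabled) can be found. The config text is a constructed sample; the parser assumes the usual config/edit/set/next/end layout, returns {section: {entry: {key: [values]}}}, treats a missing interface status as up, and skips nested sub-tables.

```python
import shlex
# Constructed FortiOS CLI dump modelling the thread's case (not a real device export).
SAMPLE = """config system interface
edit "Wifi-interface"
set status down
next
end
config firewall address
edit "Wifi-address"
set type interface-subnet
set interface "Wifi-interface"
next
end
config firewall policy
edit 1
set srcintf "port9"
set srcaddr "Wifi-address"
next
end"""

def parse_config(text):
    sections, sec, entry, depth = {}, None, None, 0
    for tok in map(shlex.split, text.splitlines()):
        if not tok: continue
        if depth or (tok[0] == "config" and sec is not None):
            depth += (tok[0] == "config") - (tok[0] == "end")  # skip nested sub-tables
        elif tok[0] == "config":
            sec = sections.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and sec is not None:
            entry = sec.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "end":
            sec = entry = None
    return sections

def find_mismatched_bindings(text):
    # Yield interface-subnet objects placed on a policy interface other than their bound one.
    cfg = parse_config(text)
    ifaces, addrs = cfg.get("system interface", {}), cfg.get("firewall address", {})
    for pol_id, pol in cfg.get("firewall policy", {}).items():
        for addr_key, intf_key in (("srcaddr", "srcintf"), ("dstaddr", "dstintf")):
            for name in pol.get(addr_key, []):
                obj = addrs.get(name, {})
                if obj.get("type") != ["interface-subnet"]:
                    continue
                bound = obj.get("interface", [""])[0]
                if bound not in pol.get(intf_key, []):
                    status = ifaces.get(bound, {}).get("status", ["up"])[0]  # FortiOS default is up
                    yield (pol_id, addr_key, name, bound, status)
```

Run it over the output of `show full-configuration` from a real unit; a finding with status "down" is a binding that the GUI/CLI would not accept today if the interface were up.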
I tested it: because the interface is set to type interface-subnet, the firewall policy's address field can discover the address object.
Thank you for your response.
Cheers
