Hi All
Just a general question to get some different points of view.
What are your thoughts on binding address objects to a specific interface? Is this necessary? Are there any security risks in specifying the interface as "any"?
I won't go into detail regarding the issue I am currently facing, but suffice to say that if I used interface "any" at a client HO and branch sites, my problems would go away. Since I got involved in firewalling many moons ago, I have always assumed that binding addresses to specific interfaces is best practice, but this issue got me thinking why this is the case...
Regards
FCNSA
FCNSP
FCWS
NSE5
NSE7
hi,
actually, binding addresses to interfaces is a good idea IF the implementation in FortiOS were better. If you manage a huge number of addresses it may be quicker to select suitable ones when creating policies. But, as you've noticed already, if the need arises to reassign an address from a specific interface/port to another one, FortiOS leaves you in the ditch. This case happens more often than one thinks.
So, in consequence, I never associate address objects with a specific interface.
If I could just edit the address (which costs time anyway) and change the interface, even to 'any', then I'd probably use the feature in large installations. A lot of ifs.
I never bind objects to an interface, but one good benefit is that you can't craft a wrong policy if the object is bound to an interface. So let's say you have an objectA bound to interfaceA: you can't craft a policy for objectA to interfaceB.
Also one more setback: you can use an "ANY" interface in a fwpolicy, so that could be a negative with object+interface binding.
Ken
PCNSE
NSE
StrongSwan
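As an added illustration of the two behaviours Ken describes (this is not configuration from any poster in the thread; object names, subnets and port names are constructed), a FortiOS CLI fragment with one address object bound to port1 and a second left at the default of any:

```fortios
# Added example with constructed names and subnets, not taken from the thread.
config firewall address
    edit "lan_servers_bound"
        set subnet 10.10.1.0 255.255.255.0
        # Bound to port1: the object can only be referenced by policies
        # whose srcintf/dstintf is port1, so a policy for port2 cannot use it.
        set associated-interface "port1"
    next
    edit "lan_servers_any"
        set subnet 10.10.1.0 255.255.255.0
        # associated-interface left unset (= any): usable on any interface,
        # and the only variant that can sit in a policy with srcintf "any".
    next
end

config firewall policy
    edit 10
        set name "lan_to_wan_bound"
        set srcintf "port1"
        set dstintf "wan1"
        # Accepted: the bound object matches the policy's source interface.
        set srcaddr "lan_servers_bound"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set name "lan_to_wan_anyintf"
        set srcintf "any"
        set dstintf "wan1"
        # Only the unbound object fits here; "lan_servers_bound" would be
        # rejected because an interface-bound object cannot be used with srcintf any.
        set srcaddr "lan_servers_any"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Moving "lan_servers_bound" to another port later means editing the address object first (or recreating it), which is the reassignment pain point described earlier in the thread.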
I always bind objects to a specific interface or zone. I can't say I ever even thought about not doing that and leaving it as 'any'.
interesting point