Hi All
Just a general question to get some different points of view.
What are your thoughts on binding address objects to a specific interface? Is this necessary? Are there any security risks in specifying the interface as "any"?
I won't go into detail regarding the issue I am currently facing, but suffice to say that if I used interface "any" at a client HO and branch sites, my problems would go away. Since I got involved in firewalling many moons ago, I have always assumed that binding addresses to specific interfaces is best practice, but this issue got me thinking about why this is the case...
Regards
FCNSA
FCNSP
FCWS
NSE5
NSE7
hi,
Actually, binding addresses to interfaces is a good idea IF the implementation in FortiOS were better. If you manage a huge number of addresses it may be quicker to select suitable ones when creating policies. But, as you've noticed already, if the need arises to reassign an address from a specific interface/port to another one, FortiOS leaves you in the ditch. This case happens more often than one thinks.
So, in consequence, I never associate address objects with a specific interface.
If I could just edit the address (which costs time anyway) and change the interface, even to 'any', then I'd probably use the feature in large installations. A lot of If's.
I never bind objects to an interface, but one good benefit: you can't craft a wrong policy if the object is bound to an interface. So let's say you have an objectA bound to interfaceA; you can't craft a policy for objectA to interfaceB.
Also, one more setback: you can use an "ANY" interface in a firewall policy, so that could be a negative with object+interface binding.
Ken
PCNSE
NSE
StrongSwan
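For readers who have only seen this in the GUI, here is what the two choices discussed above look like in FortiOS CLI. This is an added, constructed example (not from any post in this thread or from Fortinet documentation); the object, interface and policy names are assumptions, and the subnet is a placeholder.

```text
# --- Address object bound to a specific interface ---
# Policies that reference HO_LAN must use port1 as the matching
# interface; the firewall refuses the object on any other interface,
# which is the "can't craft a wrong policy" benefit Ken describes.
config firewall address
    edit "HO_LAN"
        set subnet 10.10.0.0 255.255.255.0     # placeholder subnet
        set associated-interface "port1"       # assumed interface name
    next
end

# --- Same object left as interface "any" ---
# No associated-interface is set, so the object can be reused on any
# interface (or moved between ports) without recreating it; the
# trade-off is that a mis-selected interface in a policy is no longer
# caught by the object itself.
config firewall address
    edit "HO_LAN_any"
        set subnet 10.10.0.0 255.255.255.0     # placeholder subnet
    next
end

# --- Policy using the bound object on its bound interface ---
# srcintf matches the object's associated-interface, so this is accepted.
config firewall policy
    edit 0
        set name "HO_LAN_to_WAN"               # assumed policy name
        set srcintf "port1"
        set dstintf "wan1"                     # assumed interface name
        set srcaddr "HO_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

When choosing between the two forms, the thread's own point is the deciding one: binding adds a consistency check at policy creation time, while "any" keeps the object portable when interfaces change.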
I always bind objects to a specific interface or zone. I can't say I ever even thought about not doing that and leaving it as 'any'.
interesting point