Is it just my firewalls or has it become mandatory to create an address object when creating an interface with role LAN? Only tried creating VLAN interfaces.
I think most of us managing FortiGates have our own naming scheme for addresses and other objects. Now I'm not allowed to remove, rename or change this object that it creates by default.
Anyone found a way to disable auto-creation or delete these addresses?
BTW I’m running 7.2.4 on a 60E and 60F.
Hi Okoye,
Indeed, I just looked, I did not find the option to disable automatic creation.
On the other hand I managed to rename the object even if it is used in a policy for example.
In CLI:
FortiGate-40F # config firewall address
FortiGate-40F (address) # show | grep test_jde
edit "test_jde1"
FortiGate-40F (address) # rename test_jde1 to test_jde99
FortiGate-40F (address) # show | grep test_jde
edit "test_jde99"
FortiGate-40F (address) # end
FortiGate-40F # config firewall address
FortiGate-40F (address) # show | grep test_jde
edit "test_jde99"
Good Day,
Thank you for using the Community Forum.
Kindly note, this is an expected behavior for FortiOS 7.2.4. When the Interface role is LAN, the OS will enable the 'creating address object matching subnet' option.
The address is automatically created.
For example, if a port3 interface changed from 192.168.1.0/24 to 172.16.10.0/23, the address 'port3-subnet' should change accordingly, therefore, any policies using that address should automatically be applied to the right subnet.
You can just leave the address created on the address group and you can use your own addresses if you want to.
Ref:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/259467/interface-subnet
Thanks,
Feroz
Hi Feroz,
Thanks for this reply. For information, the renamed object is also modified when changing the address on the interface. Good news ;)
Best regards,
Thanks for this update. The problem this has caused is FortiGates in Azure deployed in HA are now showing as Out of Sync. Interfaces in an Azure HA have different IP addresses on each HA unit. So when this is auto created, the value is different on each HA unit, causing the HA to be out of sync because the address objects have different values.
The only way around this is to move the interface back to undefined or restore the ability to disable the auto create object.
Well this is super obnoxious and just gets in the way, the old way was much better when it was optional.
We manage all our FortiGates using a FortiManager, and now I'm getting all these redundant address objects to deal with. I wouldn't mind if I could edit the name to fit our standard when it's created, but that isn't allowed, so now this is just creating more admin overhead I have to deal with.
Sidenote hint:
When you create a Tunnel Mode SSID the Subnet is created automatically.
You are no longer able to delete the Tunnel-Mode SSID via the Wireless-Controller section.
You have to delete this SSID (Interface) from the Networks Interfaces section because of the created subnet object...
We all love GUI developers... don't we :D
I would be fine with this default behaviour, as long as there was a way to define the naming scheme of the automatically created address objects.
We already have a set standard for naming of address objects according to n_customershortname-sitex.networktype_subnet. For example n_abc-xyz1.clnt01_x.x.x.x/x. This way we don't really have to name firewall rules, as the address objects themselves tell me what traffic is affected by the rule just by looking at the policy view.
I see no reason why this needs to be hardset like this. Creating an address object is not always required especially if creating a Layer2 only VLAN. I'm being forced to change the role to undefined now which will cause the Security Rating option to complain about it. We should have the option to disable this.
Forcing the creation of address objects is not good. Who does this help? If someone doesn't know what they're doing, they'll use the default object. If someone does know what they are doing, let them manage their own address objects.
Looks like I'll be setting the interfaces to undefined to keep my address objects clean and organized. At least, until that option is taken away as well.
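Several posters above want to keep their address-object naming standard intact despite the objects FortiOS 7.2 creates for LAN-role interfaces, and one notes that these auto-created objects can drift between Azure HA peers. The script below is an added example, not code from the thread or from Fortinet: it parses the `config firewall address` section of a FortiOS configuration export, separates the interface-derived objects (assumed here to be exported with `set type interface-subnet`, matching the admin-guide page linked above) from manually created ones, and flags any manually created object whose name does not follow the `n_customer-site.nettype_subnet` convention described earlier. The configuration text is constructed for the example; the `port3-subnet` name mirrors the one in Feroz's reply.

```python
import re
from typing import Dict, List

# Constructed sample of a FortiOS "config firewall address" section (not a real
# device export). "port3-subnet" mimics the object FortiOS 7.2 creates for an
# interface with role LAN; the two n_... objects follow the thread's naming
# standard and "legacy-printers" deliberately does not.
SAMPLE_CONFIG = """\
config firewall address
    edit "port3-subnet"
        set type interface-subnet
        set interface "port3"
    next
    edit "n_abc-xyz1.clnt01_10.10.1.0/24"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "n_abc-xyz1.srv01_10.10.2.0/24"
        set subnet 10.10.2.0 255.255.255.0
    next
    edit "legacy-printers"
        set subnet 10.10.3.0 255.255.255.0
    next
end
"""

# n_<customer>-<site>.<networktype>_<a.b.c.d>/<prefix>, as described in the thread.
NAME_STANDARD = re.compile(
    r"^n_[a-z0-9]+-[a-z0-9]+\.[a-z0-9]+_\d{1,3}(\.\d{1,3}){3}/\d{1,2}$"
)


def parse_address_objects(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {object name: {setting: value}} for every edit block inside
    'config firewall address'. Only the first such section is read."""
    objects: Dict[str, Dict[str, str]] = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall address":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        match = re.match(r'^edit "(.*)"$', line)
        if match:
            current = match.group(1)
            objects[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            objects[current][key] = value.strip('"')
    return objects


def audit(config_text: str) -> Dict[str, List[str]]:
    """Split objects into auto-created (interface-subnet) ones, which cannot be
    renamed to the standard and deserve a per-HA-peer review, and manually
    created ones whose names break the naming standard."""
    objects = parse_address_objects(config_text)
    auto_created = [n for n, s in objects.items() if s.get("type") == "interface-subnet"]
    nonconforming = [
        n for n in objects if n not in auto_created and not NAME_STANDARD.match(n)
    ]
    return {"auto_created": auto_created, "nonconforming": nonconforming}


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("auto-created interface-subnet objects:", result["auto_created"])
    print("manual objects not matching standard:", result["nonconforming"])
```

Run it against a `show firewall address` export from each HA member: the `auto_created` list is the set of objects whose names are fixed by FortiOS, and comparing that list (and the interface each points at) across peers is a quick way to confirm whether the Out of Sync state reported above comes from these objects rather than from something else in the config.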
Copyright 2024 Fortinet, Inc. All Rights Reserved.