okoye
New Contributor

Create address object matching subnet is no longer optional

Is it just my firewalls or has it become mandatory to create an address object when creating an interface with role LAN? Only tried creating VLAN interfaces.

I think most of us managing FortiGates have their own naming scheme for addresses and other objects. Now I'm not allowed to remove, rename or change this object that it creates by default.

Anyone found a way to disable auto-creation or delete these addresses?

BTW I’m running 7.2.4 on a 60E and 60F.

Julien87
Contributor II

Hi Okoye,

Indeed, I just looked and did not find the option to disable automatic creation.

On the other hand, I managed to rename the object even if it is used in a policy, for example.

In CLI:

FortiGate-40F # config firewall address
FortiGate-40F (address) # show | grep test_jde
edit "test_jde1"
FortiGate-40F (address) # rename test_jde1 to test_jde99
FortiGate-40F (address) # show | grep test_jde
edit "test_jde99"
FortiGate-40F (address) # end
FortiGate-40F # config firewall address
FortiGate-40F (address) # show | grep test_jde
edit "test_jde99"

 

Julien
sferoz
Staff

Good Day,

Thank you for using the Community Forum.

Kindly note, this is an expected behavior for FortiOS 7.2.4. When the Interface role is LAN, the OS will enable the 'creating address object matching subnet' option.

The address is automatically created.

For example, if a port3 interface changed from 192.168.1.0/24 to 172.16.10.0/23, the address 'port3-subnet' should change accordingly, therefore, any policies using that address should automatically be applied to the right subnet.

You can just leave the address created on the address group and you can use your own addresses if you want to.


Ref:
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/259467/interface-subnet

Thanks,

Feroz

Julien87

Hi Feroz,

 

Thanks for this reply. For information, the renamed object is also modified when changing the address on the interface. Good news ;)

 

Best regards,

 

 

Julien
AntSmith

Thanks for this update. The problem this has caused is that FortiGates in Azure deployed in HA are now showing as Out of Sync. Interfaces in an Azure HA have different IP addresses on each HA unit. So when this is auto-created, the value is different on each HA unit, causing the HA to be out of sync because the address objects have different values.

The only way around this is to move the interface back to undefined or restore the ability to disable the auto create object.
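As an added illustration of the HA symptom described above (this is not code from the thread or from Fortinet): the script parses the firewall address section of two FortiOS config dumps and reports objects whose subnets differ between HA members, which is what leaves the cluster Out of Sync. The config fragments are constructed sample data, the "port2-subnet" name follows the "port3-subnet" convention quoted earlier, and the parser assumes the plain edit/set subnet/next layout shown in the CLI session above.

```python
import re
from typing import Dict, Tuple

# Constructed sample fragments standing in for "show firewall address" output of
# two HA members; the subnets were deliberately chosen to differ on port2-subnet.
UNIT_A = """\
config firewall address
    edit "port2-subnet"
        set subnet 10.0.2.0 255.255.255.0
    next
    edit "srv_web"
        set subnet 10.0.10.5 255.255.255.255
    next
end
"""
UNIT_B = """\
config firewall address
    edit "port2-subnet"
        set subnet 10.0.3.0 255.255.255.0
    next
    edit "srv_web"
        set subnet 10.0.10.5 255.255.255.255
    next
end
"""


def parse_addresses(config_text: str) -> Dict[str, str]:
    """Map each address object name in 'config firewall address' to its subnet value."""
    addresses, current, in_block = {}, None, False
    for line in config_text.splitlines():
        s = line.strip()
        if s == "config firewall address":
            in_block = True
        elif s == "end":
            in_block = False
        elif in_block:
            m = re.match(r'edit "([^"]+)"', s)
            if m:
                current = m.group(1)
                addresses[current] = ""  # objects without a subnet (e.g. FQDN) stay empty
            elif s.startswith("set subnet ") and current:
                addresses[current] = s[len("set subnet "):]
            elif s == "next":
                current = None
    return addresses


def ha_address_mismatches(cfg_a: str, cfg_b: str) -> Dict[str, Tuple]:
    """Objects missing on one member or carrying different subnets on each member."""
    a, b = parse_addresses(cfg_a), parse_addresses(cfg_b)
    return {n: (a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}
```

Run it against real dumps by reading each member's backup into a string and passing the pair to ha_address_mismatches; an empty result means the address table is not what is breaking synchronisation.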

bock_samson

Well this is super obnoxious and just gets in the way, the old way was much better when it was optional. 

 

We manage all our FortiGates using a FortiManager, and now I'm getting all these redundant address objects to deal with. I wouldn't mind if I could edit the name to fit our standard when it's created, but that isn't allowed, so now this is just creating more admin overhead I have to deal with.

jkassner
New Contributor II

Sidenote hint:

 

When you create a Tunnel Mode SSID the Subnet is created automatically.

You are no longer able to delete the Tunnel-Mode SSID via the Wireless-Controller section.

You have to delete this SSID (Interface) from the Networks Interfaces section because of the created subnet object...

 

We all love GUI developers.. don't we :D

______________________________________________________
Have you tried turning diag deb off and on again :D
Piteball
New Contributor

I would be fine with this default behaviour, as long as there was a way to define the naming scheme of the automatically created address objects.

 

We already have a set standard for naming address objects according to n_customershortname-sitex.networktype_subnet, for example n_abc-xyz1.clnt01_x.x.x.x/x. This way we don't really have to name firewall rules, as the address objects themselves tell me what traffic is affected by the rule just by looking at the policy view.

nsandone
New Contributor

I see no reason why this needs to be hard-set like this. Creating an address object is not always required, especially if creating a Layer 2 only VLAN. I'm being forced to change the role to undefined now, which will cause the Security Rating option to complain about it. We should have the option to disable this.

Dustin_H
New Contributor

Forcing the creation of address objects is not good. Who does this help? If someone doesn't know what they're doing, they'll use the default object. If someone does know what they are doing, let them manage their own address objects.

 

Looks like I'll be setting the interfaces to undefined to keep my address objects clean and organized. At least, until that option is taken away as well.
