Hi FG admins
I have two FortiGates:
On 7.0.15 and 6.2.x, when I try to create two identical VIPs (same external IP and same port), it denies it and shows a red message:
"Conflicts with the External IP of another VIP"
Same for VS:
"Duplicate entry found"
So far all is fine and life is good.
But on my 7.2.8 it is doable and without any error message.
Duplicate VIP:
Duplicate VS:
Checked with CLI and I can see it is actually created.
Can someone reassure me that this is a known bug? Or is it a new feature on 7.2.x whose workings I don't understand?
Ok, it is a new feature on 7.2:
768820 Remove overlap check for VIPs so there are no constraints when configuring multiple
VIPs with the same external interface and IP. Instead, a new security rating report
will alert users of any VIP overlaps.
But how does it work? Which VIP will actually work? I guess not both, right?
Hey AEK,
as I understand it, the overlap check was removed because it caused issues for VIPs with the same external IP/port but different protocols (FortiGate wouldn't allow identical VIPs if one is for TCP and the other for UDP, for example).
As to which VIP is matched, this should depend on the firewall policies the VIPs are in - the firewall policies could be configured with source address filters, for example, so only specific traffic can match into a specific VIP. As long as a cloned VIP is not used, it doesn't do anything, and if you do add it to a policy, then it will simply translate the IPs if that policy is matched by incoming traffic.
Cheers,
Debbie
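Since 7.2 no longer blocks overlapping VIPs at configuration time, an admin may want to re-create the old check offline. The following is an added example, not from the thread or from Fortinet: it parses a constructed `show firewall vip` snippet and reports VIP pairs that share external interface, external IP, protocol and an overlapping external port range, while leaving the TCP/UDP-on-the-same-port case alone (the case Debbie describes as the reason the check was removed). Assumed defaults: protocol tcp when unset, and all ports when portforward is disabled.

```python
import re
from itertools import combinations

# Constructed sample config (not from the thread); mappedip lines omitted for brevity.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-443"
        set extip 203.0.113.10
        set extintf "port1"
        set portforward enable
        set extport 443
    next
    edit "web-443-clone"
        set extip 203.0.113.10
        set extintf "port1"
        set portforward enable
        set extport 443
    next
    edit "dns-udp"
        set extip 203.0.113.10
        set extintf "port1"
        set portforward enable
        set protocol udp
        set extport 53
    next
end
"""

def parse_vips(text):
    """Return {vip_name: {setting: value}} for every `edit ... next` block."""
    vips = {}
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', text, re.S):
        vips[name] = dict(re.findall(r'set (\S+) "?([^"\n]+?)"?\s*$', body, re.M))
    return vips

def port_range(vip):
    """External port range as (low, high); no port forwarding means every port."""
    if vip.get("portforward", "disable") != "enable":
        return (0, 65535)
    lo, _, hi = vip.get("extport", "0-65535").partition("-")
    return (int(lo), int(hi or lo))

def find_overlaps(vips):
    """Pairs of VIP names that the pre-7.2 overlap check would have rejected."""
    overlaps = []
    for (a, va), (b, vb) in combinations(sorted(vips.items()), 2):
        front = lambda v: (v.get("extintf"), v.get("extip"), v.get("protocol", "tcp"))
        (alo, ahi), (blo, bhi) = port_range(va), port_range(vb)
        if front(va) == front(vb) and alo <= bhi and blo <= ahi:
            overlaps.append((a, b))
    return overlaps
```

Run `find_overlaps(parse_vips(SAMPLE_CONFIG))` against real `show firewall vip` output to get the same list the security rating report is meant to surface.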
Thanks Debbie. It makes sense. But I'll try to perform more tests to understand the whole thing.
Copyright 2024 Fortinet, Inc. All Rights Reserved.