Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎05-22-2024 04:11 PM

Duplicated VIP and VS is possible on FOS 7.2.8?

Hi FG admins

I have two FortiGates:

  • 2 physical FG with FOS 7.0.15 and FOS 6.2.x
  • 1 FG VM with FOS 7.2.8

On 7.0.15 and 6.2.x, when I try create two identical VIPs (same external IP and same port), it denies it and shows a red message:

"Conflicts with the External IP of another VIP"

Same for VS:
"Duplicate entry found"

So far all is fine and life is good.

 

But on my 7.2.8 it is doable and without any error message.

Duplicate VIP:

vip.png

Duplicate VS:

vs.png

 

Checked with CLI and I can see it is actually created.

Can someone reassure me that this is a known bug? Or is it a new feature on 7.2.x that I don't understand how it works?

AEK
AEK
Labels:
300
0 Kudos
3 REPLIES 3
AEK
SuperUser
SuperUser

Created on ‎05-22-2024 04:19 PM

Ok it is a new feature on 7.2

768820  Remove overlap check for VIPs so there are no constraints when configuring multiple
        VIPs with the same external interface and IP. Instead, a new security rating report
        will alert users of any VIP overlaps.

But how does it work? Which VIP one will actually work? I guess not both, right?

AEK
AEK
291
0 Kudos
Debbie_FTNT
Staff
Staff
In response to AEK

Created on ‎05-23-2024 07:46 AM

Hey AEK,

as I understand it, the overlap check was removed because it caused issues for VIPs with same external IP/port, but different protocols (FortiGate wouldn't allow identical VIPs if one is for TCP, the other for UDP, for example).

As to what VIP is matched, this should depend on the firewall policies the VIPs are in - the firewall policies could be configured with source address filters, for example, so only specific traffic can match into a specific VIP. As long as a cloned VIP is not used, it doesn't do anything, and if you do add it to a policy, then it will simply translate the IPs if that policy is matched by incoming traffic.

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
224
AEK
SuperUser
SuperUser
In response to Debbie_FTNT

Created on ‎05-23-2024 07:59 AM

Thanks Debbie. It makes sense.. But I'll try perform more tests to understand the whole thing.

AEK
AEK
219
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.