Hi guys,
I would like to change the interface of an object which is already associated with a firewall policy.
Kindly help me with this!
Thanks in advance!
Regards,
Sridhar S
What kind of object? Address and VIP have an interface binding restriction with policy.
Thanks
Simon
Hi Simon,
Thanks for the reply.
I mean the server (e.g. Proxy_1 (10.2.30.40)). The existing Proxy_1 object in FortiManager is mapped to a different interface than on the firewall which is about to import the policy. This will create an interface conflict. So I would like to change the interface of the object in both FortiManager and the firewall to "ANY".
But when I tried on FortiManager, I couldn't change it, since this object is used by FortiManager's other firewalls.
How do I change this interface when it is already in use?
Thanks in advance!
Regards,
Sridhar S
If that object conflict is for the address associated-interface, there may be 2 methods:
1. Create a CLI script to run on the package db, to change the interface to "any" for the FMG ADOM db config:
config firewall address
edit "test111"
unset associated-interface
end
You should then see the install changes below for existing FMG policy packages to your FGTs (this will trigger a delete and re-add of the policy using that address):
Starting log (Run on device)
Start installing
v8c $ config firewall policy
v8c (policy) $ delete 22
v8c (policy) $ end
v8c $ config firewall address
v8c (address) $ edit "test1111"
v8c (test1111) $ unset associated-interface
v8c (test1111) $ next
v8c (address) $ end
v8c $ config firewall policy
v8c (policy) $ edit 22
new entry '22' added
v8c (22) $ set uuid 3a42300e-ef8c-51e5-329c-a4c8cd208b48
v8c (22) $ set srcintf "port3"
v8c (22) $ set dstintf "111"
v8c (22) $ set srcaddr "test1111"
v8c (22) $ set dstaddr "aaaa"
v8c (22) $ set action accept
v8c (22) $ set schedule "always"
v8c (22) $ set service "ALL"
v8c (22) $ next
v8c (policy) $ end
---> generating verification report
<--- done generating verification report
install finished
2. Try to rename the FGT object to a different name, so as to avoid the conflict with the existing FMG ADOM db config.
Thanks
Simon
An easier suggestion would be to create a new object related to the interface you wish and just go through all the related policies and replace the 'bad' one. A bit more cumbersome, but no reboot required.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
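Both suggestions above depend on knowing which policies reference an interface-bound address, since the install log shows the referencing policy being deleted and re-added. The following Python script is an added example, not code from any poster in this thread: it reads a FortiGate configuration backup and lists each address that has `associated-interface` set, together with the policy IDs that use it. The sample config is constructed, the function names `parse_table` and `bound_address_usage` are hypothetical, and it assumes every `set` value fits on one line with balanced quotes.

```python
import shlex

# Constructed sample in FortiOS CLI format (not from a real device); names are illustrative.
SAMPLE_CONFIG = '''
config firewall address
    edit "test1111"
        set associated-interface "port3"
    next
    edit "aaaa"
    next
end
config firewall policy
    edit 22
        set srcaddr "test1111"
        set dstaddr "aaaa"
    next
    edit 23
        set srcaddr "aaaa"
    next
end
'''

def parse_table(config, table):
    """Return {entry_id: {option: [values]}} for 'config <table>' blocks."""
    entries, current, depth = {}, None, 0  # depth 0 means outside the table
    for raw in config.splitlines():
        tokens = shlex.split(raw) or [""]
        if depth == 0:
            depth = 1 if tokens == ["config", *table.split()] else 0
        elif tokens[0] == "config":
            depth += 1  # nested sub-table inside an entry: skip its contents
        elif tokens[0] == "end":
            depth -= 1
        elif depth == 1 and tokens[0] == "edit":
            current = entries.setdefault(tokens[1], {})
        elif depth == 1 and tokens[0] == "next":
            current = None
        elif depth == 1 and tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
    return entries

def bound_address_usage(config):
    """Map each interface-bound address to (interface, [policy ids using it])."""
    addresses = parse_table(config, "firewall address")
    policies = parse_table(config, "firewall policy")
    return {name: (opts["associated-interface"][0],
                   [pid for pid, p in policies.items()
                    if name in p.get("srcaddr", []) + p.get("dstaddr", [])])
            for name, opts in addresses.items() if "associated-interface" in opts}
```

On the constructed sample, only `test1111` is reported, bound to `port3` and referenced by policy 22; the unbound `aaaa` is ignored.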
When the object is involved with any firewall policy, I am not able to UNSET the interface.
Any other ways to do it?
This is the core problem with FortiManager imho - There is no easy re-use of object definitions across vdoms that will honor the interfacing it's being moved to. Meaning, the only way to re-use definitions across vdoms is to assign it to the interface 'any' which then disables certain features, or you risk big problems using definitions meant for interfaces not associated with a vdom.
For every object definition tied to an interface on a vdom, I have to specifically prepend its identity to guarantee it won't get confused with another similar definition being used on another vdom in the same manner. EXTRA WORK. If you peered into my FortiManager setup there would be a separate Google-8.8.8.8 definition for each vdom it manages. What a pain!
Am I the only administrator that finds this painful?
What I'm hoping here is that I've missed something that someone can point out (that doesn't involve a workaround, but beggars can't be choosers), and then I'm happy to change this post to a mea culpa.
To be sure, 'what I want' is to be able to roll out a single address object definition to a group of vdoms, specifying it should go on their external ('wan') interfaces, and it honors that... and doesn't get confused if I have to re-import those vdoms at a later date.