We have a requirement to add multiple interface ports in Access Policies. Is it OK, or are there any issues observed like address spoofing or any routing issue, or is it perfectly fine to add multiple interfaces in the source and destination part of the access policies for the same set of source and destination IP subnets? #300D #MultipleInterface
As an example, if you have one policy from the lan interface to two destination interfaces, dmz and voice, with two destination addresses, dmz-range and voice-range:
-> FortiGate will allow access from lan to dmz-range and voice-range
-> FortiGate will route traffic to dmz-range and voice-range per its routing table, and not start sending traffic for voice-range to the dmz interface even though technically the policy would allow it.
You can enable multiple interface policies under System > Feature Visibility, but do note that enabling this will disable the interface-pair view in policies (all policies from lan to dmz under one heading, all policies from lan to voice under another heading).
If you have a large number of policies, the result can be somewhat confusing.
You can have a look as to how the policies would display by switching to 'By Sequence' in the upper right corner of your policy view.
If you find the policies difficult to navigate, zones may in fact be the better solution. The same applies there - FortiGate will route traffic per its routing table, even if policies technically allow for different flow.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
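The two layouts discussed in the answer above, written out as FortiOS CLI. This is an added example, not part of the original posts; the interface and address names lan, dmz, voice, dmz-range and voice-range come from the answer, while the policy names, the address object lan-range, the zone name servers and the HTTPS service are assumptions made for illustration.

```fortios
# Added example. Object names not used in the thread are hypothetical.

# Option 1: allow more than one interface per policy (set per VDOM).
# The GUI then lists policies by sequence instead of by interface pair.
config system settings
    set gui-multiple-interface-policy enable
end

config firewall policy
    edit 0
        set name "lan-to-dmz-voice"
        set srcintf "lan"
        set dstintf "dmz" "voice"
        set srcaddr "lan-range"
        set dstaddr "dmz-range" "voice-range"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Option 2: group the destination interfaces in a zone and reference
# the zone in the policy. An interface cannot be placed in a zone
# while existing policies still reference it directly.
config system zone
    edit "servers"
        set interface "dmz" "voice"
        set intrazone deny
    next
end

config firewall policy
    edit 0
        set name "lan-to-servers"
        set srcintf "lan"
        set dstintf "servers"
        set srcaddr "lan-range"
        set dstaddr "dmz-range" "voice-range"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end
```

Use one option or the other, not both. In either layout the egress interface is still chosen by the routing table, which can be checked with `get router info routing-table details <destination-ip>`.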