Hi All,
We have a requirement to add multiple interface ports in Access Policies. Is it ok or are there any issues observed like address spoofing , or any routing issue or its perfectly fine to add multiple interface in source and destination part of the access policies for same set of source and destination IP subnets ? #300D #MultipleInterface
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
The Java programming language supports multiple inheritance of type, which is the ability of a class to implement more than one interface. An object can have multiple types: the type of its own class and the types of all the interfaces that the class implements.
if it is different interfaces then I would recommend to add them all to one zone. Then you just need access policies that use the zone as destination or source interface.
Makes life much more easier :)
The only caveat is that the interfaces themselves can no longer be used in policies on their own once added to a zone. And you have to remove all references before you can add an interface to a zone.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hey INF1,
in principle, routing is separate from policies.
As an example, if you have one policy from lan interface to two destination interfaces, dmz, and voice, with two destination addresses, dmz-range and voice-range
-> FortiGate will allow access from lan to dmz-range and voice-range
-> FortiGate will route traffic to dmz-range and voice-range per its routing table, and not start sending traffic for voice-range to the dmz interface even though technically the policy would allow it.
You can enable multiple interface policies under System > Feature Visibility, but do note that enabling this will disable the interface-pair view in policies (all policies from lan to dmz under one heading, all policies from lan to voice under another heading).
If you have a large number of policies, the result can be somewhat confusing.
You can have a look as to how the policies would display by switching to 'By Sequence' in the upper right corner of your policy view.
If you find the policies difficult to navigate, zones may in fact be the better solution. The same applies there - FortiGate will route traffic per its routing table, even if policies technically allow for different flow.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.