I have recently set up several FortiGate 90Ds and a few 200Ds with OSPF. They are all connected via a VPLS solution.
The OSPF interface is wan1. The internal network is on port3 or internal (a named interface); they also have a separate interface on them, i.e. wan2. I set up OSPF on the VPLS side for all of them, then a single OSPF interface. I then advertise the separate network connected to each site on the internal side. I don't have the internal interface set up with OSPF. It all worked fine. I noticed that if I set up a router in one of the networks behind the firewall (on the internal side) with OSPF, it creates an OSPF adjacency! This should not happen! This interface is not configured for OSPF! I then tried to set the passive-interface option in OSPF and it only lets you have one passive interface? I'm running 5.2.7 on these firewalls. I should be able to make more than one interface passive for OSPF!
Yes, I did restart the firewall. I did find that you can just add all the interfaces to the passive-interface command and that will work just fine. I believe the bug is that it's advertising multicast packets out of interfaces that are not configured for OSPF! The networks included in the OSPF command are for advertisements, not for neighbor adjacencies.
The workaround of adding all the interfaces via the passive-interface command is not a correct solution for a secure network. The interface should not be taking any part in the OSPF network process. I will submit this to TAC for further review.
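The configuration below is an added example, not from the original post or from Fortinet. It puts the setup described above (OSPF on wan1 over the VPLS, the LAN prefix listed under `config network`) next to a hardened version. Interface names, the router-id, prefixes and the key string are assumptions chosen for illustration. The relevant behaviour, on FortiOS as on most OSPF implementations, is that an interface whose address falls inside a `config network` prefix participates in OSPF and sends Hellos, which is why a router on the LAN can form an adjacency; `passive-interface` accepts a space-separated list of interfaces, and redistributing connected routes lets the LAN be advertised without OSPF running on `internal` at all.

```text
# Added example (not the poster's or Fortinet's own configuration).
# Assumed: wan1 = VPLS transit, internal = LAN, wan2 = second uplink.

# --- As described in the post: the LAN prefix is under "config network" ---
config router ospf
    set router-id 10.255.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "vpls"
            set interface "wan1"
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.0     # VPLS transit (wan1)
        next
        edit 2
            set prefix 192.168.10.0 255.255.255.0   # LAN behind "internal"
        next
    end
end
# "internal" has an address inside prefix 2, so OSPF runs on it, Hellos go
# out to 224.0.0.5, and any OSPF speaker on the LAN can become a neighbor.

# --- Hardened: same reachability, no OSPF process on non-transit links ---
config router ospf
    set router-id 10.255.0.1
    # passive-interface takes a list: every interface that is not a VPLS
    # transit link goes here, so no Hello is ever sent on them.
    set passive-interface "internal" "wan2"
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "vpls"
            set interface "wan1"
            # Authenticate the transit link so a rogue device attached to the
            # VPLS cannot form an adjacency either.
            set authentication md5
            config md5-keys
                edit 1
                    set key-string "ReplaceMe-SharedSecret"   # placeholder
                next
            end
        next
    end
    config network
        edit 1
            set prefix 10.255.0.0 255.255.255.0     # only the transit prefix
        next
    end
    # Advertise the LAN without enabling OSPF on "internal" at all.
    config redistribute "connected"
        set status enable
    end
end

# Verification on the FortiGate after the change:
#   get router info ospf interface      -> "internal" no longer an active OSPF interface
#   get router info ospf neighbor       -> neighbors only via wan1
#   diagnose sniffer packet internal 'proto 89' 4   -> no OSPF (protocol 89) frames
```

Two consequences to weigh: `redistribute "connected"` announces every directly connected prefix (including wan2's subnet) as an external route rather than an intra-area route, so attach a route-map to it if some connected prefixes should stay private; and the `passive-interface` list still applies when a prefix under `config network` matches a LAN interface, so keeping both is the defence in depth the second post is asking for.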