Allow me to outline for you a nightmare scenario...
You're using BGP for routing, with a wholly separate netblock for those links.
You have a few (let's say 6-7) AD servers doing LDAP authentication across the company VPN, and you'd like to actually leverage that redundancy.
Address auto-selection based on the interface for binds to 0.0.0.0 is definitely a thing, and you're just not allowing those BGP-wrangled interfaces to talk directly with any other netblocks.
You have a Fortimanager and need to configure over a hundred devices for this, when each and every one will default to using the BGP-provided address bound to the VPN interface to make outbound connections within the VPN network.
Without more metavariable support, the Fortimanager is now a liability. You may eventually figure out that CLI templates (which do support metavariables) will allow you a somewhat ugly way to slap the definitions of the AD servers into all these devices (which seems like it will be a fragile way to go, since the Fortimanager won't really have any way to store this back in its database, and does not create new per-device entries if you try to pastebomb these all into place and then pull the results back into the Fortigate). To do this using the Fortimanager in what seems to be a "proper" way, you have to define each of the LDAP servers, then create a per-device setting for each and every Fortigate for each of the LDAP servers, including setting more than a half dozen things each time. Note again that there is still no global setting for overriding source-address autoselection.
Getting this task completed will require easily over 20,000 mouseclicks, and is something only professional Korean Starcraft players might consider pleasurable. With metavariable support, one can declare a metavariable named something pithy like "PrimaryIP" and just bang that in once for each Fortigate, and simply stick "$(PrimaryIP)" into the relevant advanced options field. Now you no longer need to create per-device instances of every AD server for every Fortigate, because the Fortimanager is now doing the thing you licensed it for in the first place instead of you just writing it all yourself with some perl scripts and Expect.pm.
...also please explain to some of your devs what XSS actually is and how to properly escape string sequences. Seeing the CLI interfaces complain about item names with whitespace or dollar sign characters is deeply disturbing and seems like a tacit admission that more CVEs are just waiting to be written. Now I'm actually concerned that ' has stopped showing up in strange places.
The poster needs to configure over a hundred FortiGates for LDAP authentication across the company VPN, where each device must use its BGP-provided VPN address as the source for outbound LDAP connections. FortiManager has no global override for source-address auto-selection and no metavariable support in the relevant object fields, so the only "proper" path is to define every LDAP server and then create a per-device override on every FortiGate for every server, setting more than half a dozen options each time (well over 20,000 clicks). CLI templates do support metavariables, but they are a fragile workaround, since FortiManager cannot store the result back into its database or create per-device entries from it. Metavariable support in the object fields would let a single per-device value such as "PrimaryIP" be referenced as $(PrimaryIP) in the source-address field, removing the need for per-device copies of every server object. The post also notes that the CLI interfaces rejecting item names containing whitespace or dollar signs suggests escaping problems that could become further CVEs.
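The metavariable approach the post describes, as an added example that is not part of the original post and not Fortinet's code: a small Python renderer that does what a FortiManager CLI template with $(name) metavariables does, emitting one shared `config user ldap` block per FortiGate with only `source-ip` varying per device. The device names, addresses, AD server list, DN values and every function name here are constructed for illustration; the FortiOS keywords used are the standard `config user ldap` settings. It also enforces the two things the post wants the platform to get right: an unresolved metavariable stops the render instead of silently shipping `$(PrimaryIP)` to a firewall, and object names or DNs that would need CLI escaping (quotes, dollar signs, whitespace) are rejected rather than guessed at.

```python
"""Per-device LDAP source-ip via metavariable substitution.

Added example, not code from the original post or from Fortinet. It mimics what
a FortiManager CLI template with metavariables ($(name) syntax) does: one
'config user ldap' definition shared by the fleet, with the source-ip that must
override source-address auto-selection supplied once per FortiGate. Device
names, addresses, AD servers, DNs and all function names are constructed here.
"""
import ipaddress
import re

METAVAR = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")
# Conservative: only emit object names and DNs that cannot break out of the
# quoted CLI string (no quotes, backslashes, dollar signs; no whitespace in names).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
SAFE_DN = re.compile(r"^[A-Za-z0-9_.,=\- ]+$")

# One LDAP server entry. $(PrimaryIP) is the per-device metavariable; the rest
# are fleet-wide. The bind password is deliberately not templated: it belongs in
# the management platform's credential store, not in a rendering script.
LDAP_ENTRY = """    edit "$(LdapName)"
        set server "$(LdapServer)"
        set cnid "sAMAccountName"
        set dn "$(BaseDN)"
        set type regular
        set username "$(BindDN)"
        set secure ldaps
        set port 636
        set source-ip $(PrimaryIP)
    next
"""

# Constructed fleet-wide values: hypothetical AD servers and bind identity.
GLOBAL_VARS = {
    "BaseDN": "dc=corp,dc=example",
    "BindDN": "cn=svc-ldap,cn=Users,dc=corp,dc=example",
}
AD_SERVERS = {"AD1": "10.10.0.10", "AD2": "10.10.0.11", "AD3": "10.10.0.12"}

# Constructed per-device metavariable values: the BGP-assigned address on each
# FortiGate's VPN interface, the only thing that differs per device.
DEVICE_VARS = {
    "FGT-BRANCH-01": {"PrimaryIP": "10.200.1.1"},
    "FGT-BRANCH-02": {"PrimaryIP": "10.200.2.1"},
    "FGT-BRANCH-03": {"PrimaryIP": "10.200.3.1"},
}


def substitute(template, variables):
    """Replace every $(name); refuse to emit config with an unresolved variable."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unresolved metavariable $({name})")
        return variables[name]
    return METAVAR.sub(repl, template)


def validate(variables):
    """Reject values the CLI would mis-parse or that are not IP addresses."""
    for key in ("LdapServer", "PrimaryIP"):
        ipaddress.ip_address(variables[key])  # raises ValueError on junk
    if not SAFE_NAME.match(variables["LdapName"]):
        raise ValueError(f"unsafe LDAP object name: {variables['LdapName']!r}")
    for key in ("BaseDN", "BindDN"):
        if not SAFE_DN.match(variables[key]):
            raise ValueError(f"unsafe DN in {key}: {variables[key]!r}")


def render_device(device_vars, ad_servers=AD_SERVERS, global_vars=GLOBAL_VARS):
    """Build the full 'config user ldap' block for one FortiGate."""
    entries = []
    for ldap_name, ldap_server in ad_servers.items():
        variables = {**global_vars, **device_vars,
                     "LdapName": ldap_name, "LdapServer": ldap_server}
        validate(variables)
        entries.append(substitute(LDAP_ENTRY, variables))
    return "config user ldap\n" + "".join(entries) + "end\n"


def render_fleet(device_vars=DEVICE_VARS):
    """Map device name -> CLI script; one PrimaryIP entered per device."""
    return {dev: render_device(dvars) for dev, dvars in device_vars.items()}


if __name__ == "__main__":
    for dev, script in render_fleet().items():
        print(f"# ---- {dev} ----")
        print(script)
```

Adding a seventh AD server means one more entry in `AD_SERVERS`, not one more per-device object on every FortiGate, which is the point the post makes about what metavariable support buys you. The strict `validate` step stands in for the escaping discipline the post asks for: a name with a space or a `$` fails loudly here instead of producing a half-parsed object on the device.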
Copyright 2025 Fortinet, Inc. All Rights Reserved.