the_rock
New Contributor III

VIP object with interface set as "any"

Hey guys,

 

Can anyone please confirm if using VIP objects set with interface "any" is the issue? I talked to TAC and they are not sure, though the Fortinet Guru site shows it should be fine.

 

Any feedback is appreciated.

AB
1 Solution
Jackstorm
New Contributor II

Using any in a VIP is fine; we also don't have a specific interface in our VIPs.


Lucas

6 REPLIES
R_F
Contributor

Not sure about the result of using any as the interface. Since I started working with FG, I have often used specific interfaces for my src and dst, especially on VIP/DNAT.

I use Any/Any interfaces if I have multiple VLANs inside my FG, to eliminate recreating a handful of VLAN rules. :)

Yurisk
SuperUser

Security-wise it bears no meaning to use Any or a specific interface; it just binds this object to be used on a specific interface to maybe prevent someone from configuring a VIP on the wrong interface and then wondering why it is not working (my personal idea of it).

I always set it to Any. Actually, in the case of multiple ISPs, when the external IP used in the VIP is your own, advertised via BGP to providers, you have to leave the VIP as Any or failover/configuring the same VIP for both ISP connections would not work.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
the_rock
New Contributor III

Thanks guys for responding... support also got back to me saying it should be fine. I'm just a bit worried, since we are converting to Fortinet from another vendor and there are lots of NAT rules we had to move over, so this is very critical to work right.

AB
Jackstorm
New Contributor II

If you have a huge amount of VIPs, like 2K-3K VIPs, setting the interface will optimize the performance; it will help traffic match the related interface. Hope it helps.


Lucas
the_rock
New Contributor III

I can't recall now how many there were, but I believe about 250 or so.

AB