VIP object with interface set as "any"

the_rock · ‎12-17-2021

Hey guys,

Can anyone please confirm if using VIP objects set with interface "any" is the issue? I talked to TAC and they are not sure, though fortinet guru site shows it should be fine.

Any feedback is appreciated.

AB

Jackstorm · ‎12-18-2021

Use any in VIP is fine, we also haven’t specific interface in VIP.

Lucas

View solution in original post

R_F · ‎12-17-2021

not sure the result of using any as interface. since then I work with FG I often using specific interfaces for my src and dst most esp on VIP/DNAT.

Any Any interfaces if I have multiple vlans inside my FG to eliminate recreating handlfull of vlans rules. :)

Jackstorm · ‎12-18-2021

Use any in VIP is fine, we also haven’t specific interface in VIP.

Lucas

Yurisk · ‎12-19-2021

Security-wise it bears no meaning to use Any or specific interface, it just binds this object to be used on a specific interface to may be prevent someone from configuring VIP on the wrong interface and then wondering why it is not working (my personal idea of it).

I always set it to Any. Actually, in the case of multiple ISPs, when external IP used in VIP is your own, advertised via BGP to providers, you have to leave VIP as Any or failover/configuring the same VIP for both IPS connections would not work.

Yuri Slobodyanyuk

the_rock · ‎12-19-2021

Thanks guys for responding...support also got back to me saying it should be fine. Im just bit worried, since we are converting to Fortinet from another vendor and there are lots of NAT rules we had to move over, so this is very critical to work right.

AB

Jackstorm · ‎12-19-2021

If you have huge amont VIPS, like 2K-3K VIP, set interface will optimize the performace, it will help traffice match the related interface, hope it help.

Lucas

the_rock · ‎12-29-2021

I cant recall now how many there were, but I believe about 250 or so.

AB

VIP object with interface set as "any"

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website