Is there any reason that anyone knows why VIPGs are not nestable?
Address Groups are nestable. I can create an Address, add it to an address group, and have that address group a member of a master address group that is set up on an outbound policy.
I want to do the same on an inbound policy with a VIP Group.
My use case is relatively simple - we run a multi-tenant environment of somewhat standardised services, and I always prefer the other admins to edit group membership, not policies. That way, it's less likely that a wayward change is made to a policy, and typically the most impact of an accidental action is to open additional ports up to servers that aren't listening to those ports anyway. Our structure would be Tenant-VIP is a member of tenant-vipgrp which is a member of service-vipgrp, and service-vipgrp is used on the policy. A new tenant using a service just requires adding their tenant-vipgrp to the service-vipgrp. That's safer in my view than having to crack open the policy and add the tenant's vipgrp there, and it matches exactly what we do with outbound services.
Anyone with suggestions on how to raise a bug here? OK, maybe not so much a bug, but a bad design that needs fixing :)
And anyone with comments on my use case scenario and my views on the admin tasks?
You probably want to request an NFR (New Feature Request) through your Fortinet SE. I've not had the best luck with NFRs, but I have had them actually get implemented (1.5 years after the request for one of them).
Copyright 2024 Fortinet, Inc. All Rights Reserved.