Why are VIP Groups not the same as Address Groups (nesting)

Author
poundy
2020/01/13 17:10:20


Is there any reason that anyone knows why VIPGs are not nestable?
Address Groups are nestable. I can create an Address, add it to an address group, and have that address group a member of a master address group that is set up on an outbound policy.
I want to do the same on an inbound policy with a VIP Group. 
 
My use case is relatively simple - we run a multi-tenant environment of somewhat standardised services, and I always prefer the other admins to edit group membership, not policies. That way, it's less likely that a wayward change is made to a policy, and typically the most impact of an accidental action is to open additional ports up to servers that aren't listening to those ports anyway... Our structure would be Tenant-VIP is a member of tenant-vipgrp which is a member of service-vipgrp, and service-vipgrp is used on the policy. A new tenant using a service just requires adding their tenant-vipgrp to the service-vipgrp. That's safer in my view than having to crack open the policy and add the tenant's vipgrp there, and it matches exactly what we do with outbound services.
 
#1
poundy
Re: Why are VIP Groups not the same as Address Groups (nesting) 2020/02/28 02:22:39
Anyone with suggestions on how to raise a bug here? OK, maybe not so much a bug, but a bad design that needs fixing :)
 
And anyone with comments on my use case scenario and my views on the admin tasks?
 
#2
tanr
Re: Why are VIP Groups not the same as Address Groups (nesting) 2020/02/28 09:52:08 (marked helpful by poundy 2020/02/28 16:16:12)
You probably want to request an NFR (New Feature Request) through your Fortinet SE.  I've not had the best luck with NFRs, but I have had them actually get implemented (1.5 years after the request for one of them).
#3