topic Re: Not defined interface topology in Firewall and Security Management

Not defined interface topology

Moudar — Tue, 18 Nov 2025 13:31:03 GMT

Under any interface topology settings we have the option This network (internal), IP addresses behind this interface: Not defined.

According to the admin guide:

Not Defined - All IP addresses behind this interface are considered a part of the internal network that connects to this interface

But if i choose that and try to install the policy i get:

What do i miss here?

In what case should you use that (no defined) option in production networks?

Re: Not defined interface topology

the_rock — Tue, 18 Nov 2025 13:46:59 GMT

Can you send a screenshot of how its defined?

Re: Not defined interface topology

Moudar — Tue, 18 Nov 2025 13:59:26 GMT

Re: Not defined interface topology

the_rock — Tue, 18 Nov 2025 14:14:00 GMT

Just tried in the lab, no matter what options I test with non defined, it always fails. I assume must be expected behavior, but not 100% sure.

Re: Not defined interface topology

the_rock — Tue, 18 Nov 2025 15:15:16 GMT

Hey mate,

I just worked with TAC on another endpoint issue and mentioned this to the lady I spoke with and she checked with her colleague and indeed confirmed this is expected behavior and they will request documentation be updated, as it does give an impression it should work, but since it expects some some sort of correct topology defined, wording "not defined" would implicate for that not to happen, though it states it would be everything behind that interface.

Re: Not defined interface topology

Moudar — Tue, 18 Nov 2025 15:18:37 GMT

That answer will suffice for now, as I mainly wanted to understand why it behaves that way (failing to install the policy).
The documentation should be updated as well, because it’s the foundation of our knowledge, my friend.

Re: Not defined interface topology

the_rock — Tue, 18 Nov 2025 15:20:03 GMT

Re: Not defined interface topology

Moudar — Tue, 18 Nov 2025 15:21:40 GMT

and that leave me wonder what is the usage of "not defined", i mean what use case in production or in lab?

Re: Not defined interface topology

the_rock — Tue, 18 Nov 2025 15:22:39 GMT

To me, suppose no real use, honestly.

Re: Not defined interface topology

emmap — Wed, 19 Nov 2025 01:24:39 GMT

I think there just needs to be a default setting, and picking one of the other options could compromise security as it wouldn't be a default deny configuration.

Re: Not defined interface topology

the_rock — Wed, 19 Nov 2025 01:31:45 GMT

Makes total sense to me , Emma. It would be cool if there was a pop up if customers picked the less secure option warning them about it. Maybe too much to ask for, but just an idea.

Re: Not defined interface topology

emmap — Wed, 19 Nov 2025 04:35:33 GMT

The other options aren't necessarily less secure, there's not really anything that needs popping up so much as it just needs configuring properly. If anti-spoofing is disabled then it's less secure, and in that case a warning is added to the policy install outcome.

Re: Not defined interface topology

the_rock — Wed, 19 Nov 2025 04:39:29 GMT

Personally, and I also advise customers to do the same, I find defined by routes the best option, because if topology does change, no need to update anything manually for given interface.