Technical Tip: DENY policy for Virtual IP firewall policy
Description
This article describes how the FortiGate matches Virtual IP (VIP) firewall policies differently from regular firewall policies. If a VIP firewall policy sits below a 'regular' DENY firewall policy, the VIP traffic will still be allowed through.
Scope
VIP DENY firewall policy.
Solution
A regular deny policy does not block VIP traffic due to the way the FortiGate processes packets. When a packet is destined for a VIP, Destination NAT (DNAT) is applied before the firewall policy check. This means the packet is already translated to the VIP's mapped IP before FortiGate evaluates the policies. As a result, a deny policy with the destination set to 'All' or the original IP will not match the translated traffic, and the traffic will bypass the policy.
- Specify the 'Action' as DENY on a firewall policy specifically created for the VIP object(s) that must be blocked.
For example:
From GUI: (screenshot omitted)
From CLI:
config firewall policy
    edit 66
        set name "BLOCK access to VIP"
        set srcintf "x1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VM - FortiManager - TCP 541" <-- Specify the VIP object(s) that need to be blocked.
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "DENY access to VIP"
    next
end
Note: Starting from version 7.2.3, the default value of the 'match-vip' option changed to 'enable', and this default also applies to the VIP DENY firewall policy. In that case, it is recommended to set 'match-vip' to 'disable' on the VIP DENY policy to avoid conflicts in traffic processing.
Or:
- Configure the 'match-vip' option for the All/All DENY firewall policy in CLI:
config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end
Notes:
- In v6.4.3 and above, 'set match-vip enable' is only available within the Firewall Policy when the ACTION of the policy is set to DENY.
- The match-vip option is disabled by default until v7.2.3. After v7.2.3, the option is enabled by default.
- The destination address of the deny policy should be set to the VIP address. If it is set to the normal local server IP address or to 'all', use the CLI to enable match-vip ('set match-vip enable') in the deny policy.
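As an added example (not Fortinet's code and not part of this article), the following Python script applies the rules above to a FortiOS configuration dump: it flags DENY policies whose 'dstaddr' names no VIP object and whose 'match-vip' resolves to 'disable' for the given FortiOS version, i.e. deny policies that will not block VIP traffic. It assumes a 'show' style dump that omits options left at their default, and the sample configuration is constructed.

```python
import re

# Constructed sample dump (not from the article): one VIP object, an All/All DENY
# policy with no match-vip setting, and a VIP-specific DENY policy.
SAMPLE_CONFIG = """
config firewall vip
    edit "VM - FortiManager - TCP 541"
        set mappedip "192.0.2.10"
    next
end
config firewall policy
    edit 10
        set dstaddr "all"
        set action deny
    next
    edit 66
        set dstaddr "VM - FortiManager - TCP 541"
        set action deny
        set match-vip disable
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set blocks into {section: [{"id": ..., "set": {key: [values]}}]}."""
    sections, entries = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            entries = sections.setdefault(line[7:], [])
        elif line.startswith("edit "):
            entries.append({"id": line[5:].strip('"'), "set": {}})
        elif line.startswith("set "):
            key, _, val = line[4:].partition(" ")
            entries[-1]["set"][key] = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', val)]
    return sections

def audit_deny_policies(text, fortios_version):
    """Return ids of DENY policies that will not block VIP traffic. Assumption: the dump
    omits defaults, and match-vip defaults to disable before 7.2.3 and enable from 7.2.3."""
    sections = parse_fortios(text)
    vip_names = {v["id"] for v in sections.get("firewall vip", [])}
    default = "enable" if fortios_version >= (7, 2, 3) else "disable"
    def unblocked(s):  # deny policy that neither names a VIP nor has match-vip enabled
        return (s.get("action", ["accept"])[0] == "deny"
                and not any(a in vip_names for a in s.get("dstaddr", []))
                and s.get("match-vip", [default])[0] != "enable")
    return [p["id"] for p in sections.get("firewall policy", []) if unblocked(p["set"])]
```

On the sample, a 7.0.x firmware yields policy 10 as a gap, while on 7.2.3 or later the enabled default means it is not reported.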
