Technical Tip: Firewall does not block an incoming (WAN to LAN) connection even though a deny policy is configured
Description
There is an inbound NAT (VIP) that publishes an internal web server to an external network, and one specific external IP must be blocked from reaching it.
Even though a deny policy whose source is the external client's IP is placed above the allow policy, the traffic still does not match the deny policy.
Solution

In this example, the goal is to deny access to the web server from IP 172.26.48.75.
- Select Policy & Objects -> Firewall Policy.
- Select or create the policy.
- In the CLI, enable match-vip on that policy (replace <policy-id> with the ID of the policy selected above):

config firewall policy
    edit <policy-id>
        set match-vip enable
    next
end
Note: The destination address of the deny policy should match the VIP address. If it has been set to the normal local server IP address, use the following CLI to enable match-vip in the deny policy:
set match-vip enable
The match-vip option is disabled by default until v7.2.3. In versions after 7.2.3, the option is enabled by default.
The 'set match-vip' option is only available if the policy action is set to 'deny'.
After enabling the above option, the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.
Alternatively, configure the deny policy so that its destination references the VIP directly:
- Select Policy & Objects -> Firewall Policy.
- Select or create the policy with the destination address as the VIP for which traffic is denied instead of 'All'.
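The following CLI configuration is an added example, not part of the original article, showing the deny policy placed above the VIP allow policy with match-vip enabled and denied traffic logged. The interface names (wan1, internal), the VIP external/mapped addresses and the policy IDs are constructed sample values; only the blocked client IP comes from the article.

```fortios
# Address object for the external client to block (IP from the article).
config firewall address
    edit "blocked-client"
        set subnet 172.26.48.75 255.255.255.255
    next
end
# VIP publishing the internal web server. Interface names and IPs are
# constructed sample values.
config firewall vip
    edit "web-server-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
    next
end
config firewall policy
    # Deny policy with dstaddr "all". DNATed packets only reach it when
    # match-vip is enabled (disabled by default before 7.2.3). Setting
    # dstaddr to "web-server-vip" instead would also work without match-vip.
    # logtraffic all records the denied sessions in the forward traffic log.
    edit 10
        set name "deny-blocked-client"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-client"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set match-vip enable
    next
    # Allow policy that publishes the VIP to every other source.
    edit 20
        set name "allow-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # Policy order matters: the deny policy must be evaluated first.
    move 10 before 20
end
```

After applying it, a connection attempt from 172.26.48.75 should appear in the forward traffic log with action deny and policy ID 10, while other sources continue to match policy 20.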

Related articles:
- Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination
- Technical Tip: Configure firewall policies for a VIP when Central NAT is enabled
- Changes in default behavior of match-vip - FortiOS 6.4.3 release notes
- Technical Tip: Using Virtual IPs to configure port forwarding
