Dongfang_Li_FTNT
Staff
September 29, 2023

Technical Tip: Local In Policy VS Virtual IP Policy

Description

This article describes a scenario where a user wants to block traffic from certain countries from reaching an internal server behind the FortiGate LAN interface, yet IP addresses belonging to the GEO-blocked country are still able to reach the internal server.

 

Below are the configs:

  • Virtual IP (VIP) and its policy allowing traffic from the Internet interface WAN to LAN, source address 'ALL'.
  • GEO block address for the country to be blocked.
  • Local-in policy to block any traffic arriving at the WAN interface from the GEO block address.
Scope

FortiGate.
Solution

According to the FortiGate 'Life of a Packet' documentation, destination NAT takes effect at the beginning of packet processing. In the FortiGate kernel, packets are processed in the following order:

 

  1. DNAT (Virtual IP).
  2. Routing.
  3. Policy lookup.
  4. Session helper.
  5. User authentication.
  6. Device identification.
  7. SSL VPN.
  8. Local management traffic.

 

A local-in policy with 'action deny' will not block traffic that is allowed by a VIP policy, because by the time the local-in policy is evaluated, the VIP policy has already accepted the traffic.

To resolve the issue:

  1. Create a GEO address object.
  2. Create a firewall policy and set its source address to the GEO address object.
  3. Select the VIP as the destination.
  4. Set the policy action to deny.
  5. Place it above the VIP allow policy so that traffic from the GEO block address is denied before the allow policy is reached.

 

[Image: Capture.PNG]

 

Note:

  • The destination address of the deny policy should be set to the VIP object. If it is set to the real internal server IP address instead, enable match-vip in the deny policy from the CLI with 'set match-vip enable'.
  • The match-vip option is disabled by default until v7.2.3. In versions after 7.2.3, the option is enabled by default.
  • The 'set match-vip' option is only available if the policy action is set to 'deny'.
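The five steps and the match-vip note above, written out as FortiOS CLI. This is an added example, not configuration from the original article; it assumes the VIP object "VIP_WebServer" already exists, and the interface names, object names, policy IDs and the country code "XX" are placeholders.

```fortios
# Added example, not from the original article. Assumes the VIP object "VIP_WebServer"
# already exists; interface names, object names and the country code "XX" are placeholders.

# Step 1: GEO address object for the country to be blocked
config firewall address
    edit "GEO_Blocked_Country"
        set type geography
        set country "XX"
    next
end

config firewall policy
    # Steps 2-4: deny policy, source = GEO object, destination = the VIP, action = deny.
    # match-vip is harmless here and is what makes the deny match if dstaddr were the
    # real server IP instead of the VIP; the option is accepted only on a deny policy.
    edit 0
        set name "Deny_GEO_to_VIP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "GEO_Blocked_Country"
        set dstaddr "VIP_WebServer"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # Existing allow policy: source 'all' from WAN to the VIP (shown for ordering)
    edit 0
        set name "Allow_Internet_to_VIP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP_WebServer"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# Step 5: the deny policy must sit above the allow policy. Use the policy IDs reported
# by 'show firewall policy' (assumed here to be 2 for the deny and 1 for the allow):
config firewall policy
    move 2 before 1
end
```

After moving the policy, confirm the order with 'show firewall policy' and check the traffic log for denied sessions from the GEO object.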

Local-in policy: controls traffic destined to the FortiGate itself.

Examples:

  • HTTPS access to FortiGate.
  • SSH access.
  • SSL VPN access.
  • SNMP access.

Firewall policy with VIP: controls traffic passing through FortiGate.


The following article explains how to block VIP access using GEO location:

Technical Tip: How to block VIP access using GEO Location.

 

Related documents: