GoodGameOKC
New Member
January 15, 2022
Solved

Deny policy for specific services, while allowing others?

  • January 15, 2022
  • 2 replies
  • 3411 views

Hello All, 

I was looking for a little clarity on the behavior of using a deny policy. The goal is to deny a subnet's outbound traffic to a specific service, for example http. When you set the action to deny http, does that same policy implicitly "allow" all other services?

2 replies

yigiton (Best answer)
New Member
January 15, 2022

Hello

If the action is deny in the policy, it will deny all traffic matching the policy.

You should create a new, separate policy to allow other traffic.

GoodGameOKC
New Member
January 15, 2022

Thank you for the response. I'm still unclear on the yes or no answer to the question. You stated it will deny all traffic matching the policy. The policy is to deny HTTP; say traffic for tcp 1514 hits the policy, will the action be to allow it because it's not HTTP?

yigiton
New Member
January 15, 2022

Hi

tcp-1514 traffic will not match the policy, because the service in the policy is http. All criteria have to match.

You should write two policies, one to deny http and one to permit tcp-1514:

policy1: source:X, dest:Y, service:http, action:deny --> this will only deny http; tcp-1514 will not match policy1, so it will take no action for tcp-1514

policy2: source:X, dest:Y, service:tcp-1514, action:permit

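The reply above rests on two rules of firewall policy evaluation: a policy only matches when every criterion (source, destination, service) matches, and a flow that matches nothing falls through to the implicit deny at the bottom of the table. The following is an added example, not code from the thread or from any vendor's product; it is a small policy evaluator assuming top-down, first-match semantics with an implicit deny, which is how most stateful firewalls behave (the page does not name a vendor, so treat that as an assumption). Subnet X, destination Y, the addresses, and the service definitions are all constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed service definitions: name -> (protocol, destination port).
# None stands for an "ALL" service that matches any protocol/port.
SERVICES = {
    "http": ("tcp", 80),
    "tcp-1514": ("tcp", 1514),
    "dns": ("udp", 53),
    "ALL": None,
}


@dataclass(frozen=True)
class Policy:
    name: str
    src: str      # source subnet in CIDR notation
    dst: str      # destination subnet in CIDR notation
    service: str  # key into SERVICES
    action: str   # "permit" or "deny"


def matches(policy: Policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """A policy matches a flow only when every criterion matches.

    A deny policy for http therefore does not match tcp/1514 at all,
    so it neither denies nor permits that traffic.
    """
    svc = SERVICES[policy.service]
    service_ok = svc is None or svc == (proto, dport)
    return (
        ip_address(src_ip) in ip_network(policy.src)
        and ip_address(dst_ip) in ip_network(policy.dst)
        and service_ok
    )


def evaluate(policies, src_ip, dst_ip, proto, dport):
    """Top-down, first-match evaluation with an implicit deny at the end.

    Returns (action, name of the policy that decided).
    """
    for policy in policies:
        if matches(policy, src_ip, dst_ip, proto, dport):
            return policy.action, policy.name
    return "deny", "implicit-deny"


# Hypothetical subnet X and destination Y from the reply; addresses are constructed.
X = "10.1.0.0/24"
Y = "192.0.2.0/24"
SRC, DST = "10.1.0.5", "192.0.2.10"

# Case 1: only the deny policy from the question.
ONLY_DENY = [Policy("policy1", X, Y, "http", "deny")]

# Case 2: the two policies the reply recommends.
DENY_THEN_PERMIT = ONLY_DENY + [Policy("policy2", X, Y, "tcp-1514", "permit")]

# Case 3: a broad permit placed above the deny shadows it (ordering caveat).
PERMIT_ALL_ABOVE = [Policy("permit-all", X, Y, "ALL", "permit")] + ONLY_DENY


def demo():
    """Evaluate the flows discussed in the thread against each table."""
    return {
        "http / deny only": evaluate(ONLY_DENY, SRC, DST, "tcp", 80),
        "tcp-1514 / deny only": evaluate(ONLY_DENY, SRC, DST, "tcp", 1514),
        "tcp-1514 / deny + permit": evaluate(DENY_THEN_PERMIT, SRC, DST, "tcp", 1514),
        "dns / deny + permit": evaluate(DENY_THEN_PERMIT, SRC, DST, "udp", 53),
        "http / permit-all above deny": evaluate(PERMIT_ALL_ABOVE, SRC, DST, "tcp", 80),
    }


if __name__ == "__main__":
    for case, (action, decided_by) in demo().items():
        print(f"{case:30s} -> {action:6s} ({decided_by})")
```

With only policy1 in the table, tcp-1514 is still dropped, but by the implicit deny rather than by policy1, which is why the deny policy has no "allow" side effect. Once policy2 is added, tcp-1514 is permitted while http stays denied and anything else (dns here) still falls to the implicit deny. The third table shows the ordering caveat: a broad permit placed above the deny matches first, and the deny never fires.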

GoodGameOKC
New Member
January 15, 2022

Okay, that's what I was inquiring about: is there an implicit "allow" in the deny policy because the traffic wasn't the denied HTTP traffic. The logic makes sense, it just wasn't totally clear.