Contributor
October 26, 2004
Question

Explicit DENY ALL for inbound does not work

I am using V2.8 MR5 of Fortigate-400. I would like to log all the traffic hitting anything visible (routable) behind the firewall. Is there a way to enable the default "deny all" rule for the inbound traffic? I've tried to give an explicit "deny all" rule (0.0.0.0/0.0.0.0 -> 0.0.0.0/0.0.0.0 ANY DENY) but it does not block or log anything. A Fortinet engineer says this is because the rules on virtual IP addresses get matched first and therefore the explicit DENY ALL rule is bypassed. This sounds pretty illogical to me. Any idea about this? How can I make this work? Thanks, BB

    2 replies

    mgoswami
    Staff
    May 12, 2023

    Hi,


    You might try to configure local in policy for inbound traffic.


    Please refer to this link:
    https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/363127/local-in-policies


    BR,

    Manosh

    ede_pfau
    SuperUser
    May 14, 2023

    Jeez, did anybody notice that this thread was started 19 years ago? Go Fortinet!


    But, alas, this situation might still arise today, with FortiOS 6.x/7.x. You can find an explanation and a workaround in the KB using the keyword "match-vip". It will only be applicable in DENY policies from FOS 7.0 on.


    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LAN/ta-p/189641

    and a post from this forum

    https://community.fortinet.com/t5/Support-Forum/Match-vip-clarification-for-deny-rules/td-p/95228
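The two configurations the replies point to, written out as an added example in FortiOS CLI syntax (this is not code from the thread, the KB article, or Fortinet's documentation). The interface names "wan1" and "internal", the policy names and the policy IDs are assumptions; substitute the unit's own interfaces. The first block is the match-vip workaround from the second reply, the second block is the local-in policy from the first reply.

```fortios
# Added example, not from the thread. Interface names "wan1"/"internal",
# policy names and IDs are assumptions; adjust to the unit's own setup.
#
# Catch-all inbound deny that also matches (and logs) traffic whose
# destination address has already been rewritten by a VIP. Without
# "match-vip enable" a deny policy is skipped for such packets, which is
# the behaviour the original question describes. The option is accepted
# on deny policies from FortiOS 7.0 on, and the policy must sit ABOVE any
# accept policies for the same interface pair, since the first match wins.
config firewall policy
    edit 100
        set name "deny-log-inbound"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
        set logtraffic all
        set match-vip enable
    next
end

# Local-in policy (the first reply's suggestion). Local-in policies govern
# traffic addressed to the FortiGate itself (admin access, VPN termination,
# and so on), not traffic forwarded through it to hosts behind a VIP.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```

Two things to check before committing either block on a production unit: move the deny policy above the VIP accept policies in the policy list, otherwise it is never reached; and a local-in deny with srcaddr/dstaddr "all" on the WAN interface will also drop any administrative, IPsec or SSL-VPN sessions that terminate on that interface, so carve out allow entries for those services above it (or apply it only to the services you actually want refused) before using it as a catch-all.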