udid
New Member
May 2, 2021
Question

FortiManager Virtual IP Objects

  • May 2, 2021
  • 1 reply
  • 3841 views

Hey.

AFAIK, if I have a rule with "Virtual IP" object in its destination, and the action is "Accept" - if this rule matches, effectively the gateway performs destination NAT, translating the external IP in the associated "Virtual IP" object to the "Mapped IP" in the associated "Virtual IP" object.

What happens if the action of such rule is "Deny"? Is it even a valid configuration? It doesn't make sense to translate a packet's destination IP, and then drop it before forwarding it out. Thanks.

    1 reply

    SJFriedl
    New Member
    May 2, 2021

    Perhaps a reasonable use case for this could be preceding another rule that does an Accept All: block telnet, but allow everything else? I would imagine that the FortiGate would do the efficient thing and shortcut the parts of the NAT translation that were not needed.

    udid (Author)
    New Member
    May 2, 2021

    But if a rule matches (in our case, a rule with "Virtual IP" object and "Deny" action), subsequent rules aren't processed - or am I missing something?

    SJFriedl
    New Member
    May 2, 2021

    A rule that matches the Deny does stop processing, yes, but imagine this made-up scenario:

    Rule #1: Source=Any Target=YourVIP Service=SSH  Action=Deny
    Rule #2: Source=Any Target=YourVIP Service=Any  Action=Accept

    Inbound traffic to port 22/tcp will match the first rule and be dropped, but inbound to any other service (say, HTTP) will skip past the Deny and be accepted by rule #2.

    OR:

    Rule #1: Source=BadGuy Target=YourVIP Service=http  Action=Deny
    Rule #2: Source=Any Target=YourVIP Service=http  Action=Accept

    This effectively blocks the bad guy from your service, allowing everybody else.

    But if you just find the Deny without any of the related records, it could be superfluous.

    Do you have a specific configuration you're looking at which you could share?
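The first-match behaviour and the two rule orderings discussed in this thread, as an added example that is not part of the original posts and not FortiGate code. It models a policy table in plain Python: rules are evaluated top to bottom, the first match wins, destination NAT to the VIP's "Mapped IP" is applied only when the matching rule accepts, and a Deny drops the packet untranslated. The VIP addresses, the "BadGuy" source range and the rule fields are constructed assumptions, and the simplified evaluation order is an assumption about how such a gateway behaves, not a description of the vendor's implementation. The `superfluous_denies` check goes slightly beyond the thread: it flags Deny rules on a VIP that have no later Accept on the same VIP to refine, which is the "Deny without any of the related records" case SJFriedl describes.

```python
"""First-match policy evaluation with Virtual IP (destination NAT) targets.

Added illustration for the thread above; not FortiGate code.  The data
model and evaluation order are simplifying assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VirtualIP:
    """A VIP object: the public address and the internal host it maps to."""
    name: str
    external_ip: str
    mapped_ip: str


@dataclass(frozen=True)
class Rule:
    number: int
    source: str            # CIDR such as "198.51.100.0/24", or "any"
    target: VirtualIP      # rule matches on the VIP's external address
    service: Optional[int] # destination TCP port, or None for "any"
    action: str            # "accept" or "deny"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        src_ok = self.source == "any" or ip_address(src) in ip_network(self.source)
        dst_ok = dst == self.target.external_ip
        svc_ok = self.service is None or self.service == dport
        return src_ok and dst_ok and svc_ok


def evaluate(rules: List[Rule], src: str, dst: str, dport: int
             ) -> Tuple[Optional[int], str, Optional[str]]:
    """Return (matching rule number, action, destination the packet is forwarded to).

    Rules are checked in order and the first match wins; later rules are not
    consulted.  DNAT to the VIP's mapped IP happens only on Accept, so a Deny
    never translates the packet it drops.  No match falls to the implicit deny.
    """
    for rule in rules:
        if rule.matches(src, dst, dport):
            if rule.action == "accept":
                return rule.number, "accept", rule.target.mapped_ip
            return rule.number, "deny", None
    return None, "deny", None


def superfluous_denies(rules: List[Rule]) -> List[int]:
    """Flag Deny rules with no later Accept on the same VIP.

    A Deny on a VIP only does useful work when a later rule would otherwise
    accept some of that traffic; without one, the traffic would have hit the
    implicit deny anyway, so the explicit Deny is redundant.
    """
    flagged = []
    for i, rule in enumerate(rules):
        if rule.action != "deny":
            continue
        later_accept = any(r.action == "accept" and r.target == rule.target
                           for r in rules[i + 1:])
        if not later_accept:
            flagged.append(rule.number)
    return flagged


# Constructed sample objects (documentation-range addresses, not real hosts).
VIP = VirtualIP("YourVIP", external_ip="203.0.113.10", mapped_ip="10.0.0.10")
BADGUY = "198.51.100.0/24"   # constructed stand-in for the "BadGuy" source

# Scenario 1 from the thread: deny SSH to the VIP, accept everything else.
SCENARIO_SSH = [
    Rule(1, "any", VIP, 22, "deny"),
    Rule(2, "any", VIP, None, "accept"),
]

# Scenario 2 from the thread: deny one source to HTTP, accept HTTP from all others.
SCENARIO_BADGUY = [
    Rule(1, BADGUY, VIP, 80, "deny"),
    Rule(2, "any", VIP, 80, "accept"),
]

# A lone Deny with nothing behind it: the "superfluous" case.
SCENARIO_LONE_DENY = [Rule(1, "any", VIP, 22, "deny")]


if __name__ == "__main__":
    for label, rules in (("ssh", SCENARIO_SSH), ("badguy", SCENARIO_BADGUY)):
        for src, port in (("198.51.100.7", 22), ("198.51.100.7", 80), ("192.0.2.5", 80)):
            print(label, src, port, evaluate(rules, src, VIP.external_ip, port))
    print("superfluous denies:", superfluous_denies(SCENARIO_LONE_DENY))
```

Running the module prints the outcome for each scenario; the SSH probe is dropped by rule 1 without being translated, HTTP passes to rule 2 and is forwarded to the mapped address, and the lone Deny is reported as redundant. The same first-match logic is what makes rule order, not rule count, the thing to review when a Deny on a VIP looks out of place.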