Policy order: any int to any int or specific interface pair

Forum|Forum|2 years ago
February 15, 2024
2 replies
1583 views

Please let me make sure the order a FGT examine policies.
If there is a specific policy from a specific interface like "lan" to another specific interface like "wan1" with "any" source and "any" destination, it would be examined before another policy from "any" interface for a specific source IP set to "any" interface for "any" destination, even if the source IP matches one of those specified. Right?

I just want to make sure my basic/fundamental understanding is correct.

Toshi

FortiGate

Best answer by Toshi_Esumi

I found the answer myself by moving the deny policy at the top in the sequence. It's now blocking.
So if "any" int->"any" int "deny" policy comes first before the specific interface pair allow policy, it would match the deny policy first.

Toshi

Toshi_EsumiAuthor

SuperUser

Or, unless the "any" int->"any" int "deny" policy is "placed in the sequence" before the specific int pair policy?

Toshi_EsumiAuthorAnswer

SuperUser

I found the answer myself by moving the deny policy at the top in the sequence. It's now blocking.
So if "any" int->"any" int "deny" policy comes first before the specific interface pair allow policy, it would match the deny policy first.

Toshi

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded