Description | This article describes what happens to traffic if the 'none' object is set as the source on a firewall policy. |
Scope | FortiGate. |
Solution |
FortiGate provides an address object named 'none' that can be selected under the Source and Destination settings of a firewall policy. It is not widely used on policies, and it is an address object that does not match any IP address. If 'none' is used as the source or destination of a firewall policy, that policy will never be matched.
In the following example, a simple firewall policy is configured with an address object assigned as Source:
The traffic from the device defined as source will hit this policy and get accepted. However, if the source is changed to 'none' as seen below, the traffic will hit the implicit deny policy (policy ID 0) and be dropped:
The traffic logs are shown below:
The requests will still arrive from the IP of the machine connected to the firewall (covered in this screenshot), but the traffic will be denied.
The default value of 'none' is 0.0.0.0/32:
However, this value can be changed. For example, it can be changed to 0.0.0.0/0.0.0.0. In this scenario, every IP address falls within this subnet, so a policy that uses 'none' matches any address and the requests coming to the FortiGate will all be accepted. |
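The following audit sketch is an added example, not Fortinet code: it checks a configuration backup for a redefined 'none' object and lists the policies that reference it. The sample config is constructed, the function names `parse_section` and `audit_none` are hypothetical, and it assumes FortiOS CLI backup syntax (`config`/`edit`/`set`/`next`/`end`) with a missing `set subnet` line meaning 0.0.0.0 0.0.0.0.

```python
import ipaddress
import shlex
# Constructed sample in FortiOS CLI backup syntax (not from a real device).
SAMPLE = '''\
config firewall address
    edit "none"
        set subnet 0.0.0.0 0.0.0.0
    next
end
config firewall policy
    edit 1
        set srcaddr "none"
        set dstaddr "all"
    next
    edit 2
        set srcaddr "LAN-PC"
        set dstaddr "all"
    next
end
'''

def parse_section(config, section):
    # Returns {entry_name: {option: [values]}} for one 'config <section>' block.
    entries, current, inside = {}, None, False
    for line in map(str.strip, config.splitlines()):
        if line == f"config {section}":
            inside = True
        elif inside and current is None and line == "end":
            inside = False          # end of the section, not of a nested block
        elif inside and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif inside and line == "next":
            current = None
        elif inside and current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            current[key] = shlex.split(rest)
    return entries

def audit_none(config):
    findings = []
    none = parse_section(config, "firewall address").get("none")
    if none is not None:
        # Assumption: no 'set subnet' line means the default 0.0.0.0 0.0.0.0.
        subnet = none.get("subnet", ["0.0.0.0", "0.0.0.0"])
        net = ipaddress.ip_network("/".join(subnet), strict=False)
        if str(net) != "0.0.0.0/32":
            findings.append(f"address 'none' redefined as {net}")
    for pid, opts in parse_section(config, "firewall policy").items():
        findings += [f"policy {pid} uses 'none' in {f}"
                     for f in ("srcaddr", "dstaddr") if "none" in opts.get(f, [])]
    return findings
```

With the default 0.0.0.0/32 value only the policy reference is reported, which marks a policy that will never match; the combination of both findings marks a policy that matches every address.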
Copyright 2025 Fortinet, Inc. All Rights Reserved.