Description
The FortiGate unit matches Virtual IP firewall policies differently from regular firewall policies. If there is a VIP firewall policy below a "regular" DENY firewall policy, the VIP traffic will still be able to go through.
Scope
DENY firewall policy
Solution
#config firewall policy
Note: In FortiOS v6.4.3 and above, 'set match-vip enable' is only available within the firewall policy when the action of the policy is set to DENY.
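To find where this ordering issue exists in a configuration, the following added example (not part of the original article and not Fortinet code) scans a configuration backup and reports each ACCEPT policy whose destination is a VIP, together with the DENY policies above it that lack 'set match-vip enable'. The function names and the sample backup are constructed for illustration. It assumes that a policy with no 'set action' line is a DENY policy and that match-vip appears explicitly in the backup whenever it is enabled.

```python
import re

SAMPLE = '''config firewall vip
    edit "web-vip"
    next
end
config firewall policy
    edit 1
        set dstaddr "all"
        set action deny
    next
    edit 2
        set dstaddr "web-vip"
        set action accept
    next
end'''  # constructed sample backup, not from the article: DENY 1 sits above VIP policy 2

def parse_section(text, header):
    """Return [(entry_name, {setting: value})] for one top-level section, in file order."""
    entries, inside, cur, depth = [], False, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if not inside:
            inside = line == header
        elif depth or line.startswith("config "):    # skip nested config ... end blocks
            depth += line.startswith("config ") - (line == "end")
        elif line == "end":
            break
        elif line.startswith("edit "):
            cur = (line[5:].strip('"'), {})
        elif line == "next" and cur:
            entries.append(cur)
            cur = None
        elif line.startswith("set ") and cur:
            key, _, val = line[4:].partition(" ")
            cur[1][key] = val
    return entries

def audit(text):
    """List (vip_policy_id, [ids of DENY policies above it without match-vip enable])."""
    vips = {name for name, _ in parse_section(text, "config firewall vip")}
    findings, weak_denies = [], []
    for pid, s in parse_section(text, "config firewall policy"):
        action = s.get("action", "deny")             # assumption: omitted action means deny
        dst = set(re.findall(r'"([^"]+)"', s.get("dstaddr", "")))
        if action == "deny" and s.get("match-vip") != "enable":
            weak_denies.append(pid)
        elif action == "accept" and dst & vips and weak_denies:
            findings.append((pid, list(weak_denies)))
    return findings
```

Each finding is a candidate for review: whether a listed DENY policy was meant to cover the VIP traffic still depends on its source, destination and service fields.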