FortiGate
APAC_Beta_FTNT
Article Id 192456

Description

This article describes how FortiGate matches traffic destined for a Virtual IP (VIP) against firewall policies differently from regular traffic. A 'regular' DENY firewall policy placed above a VIP firewall policy does not stop the VIP traffic: the traffic still matches the VIP policy below it and is allowed through.


Scope

FortiGate; DENY firewall policy for VIP traffic.


Solution

There are two options to handle this situation:

  1. Specify the 'Action' as DENY on a firewall policy created specifically for the VIP object(s) that must be blocked.

For example, in the GUI:

[Screenshot VIP.png: firewall policy with Action set to DENY and the VIP object as the destination address]


From the CLI:

config firewall policy
    edit 66
        set name "BLOCK access to VIP"
        set srcintf "x1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VM - FortiManager - TCP 541"          <-- Specify the VIP object(s) that need to be blocked.
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "DENY access to VIP"
    next
end


Or:

  2. Configure the 'match-vip' option on the DENY firewall policy from the CLI:

config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end

Note:

  • In v6.4.3 and above, 'set match-vip enable' is available in a firewall policy only when the policy's Action is set to DENY.
  • The match-vip option is disabled by default until v7.2.3; after v7.2.3 it is enabled by default.
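The following script is an added audit example, not part of this article or Fortinet's own tooling. It parses a 'config firewall policy' dump in the CLI format shown above and reports DENY policies that VIP-destined traffic would bypass, i.e. policies that neither name the VIP object in 'dstaddr' (option 1) nor have match-vip enabled (option 2). Because the match-vip default changed in v7.2.3, the effective default is passed in as a parameter. The policy ids, names and the VIP object name in the sample are constructed for illustration.

```python
"""Audit FortiGate DENY policies that VIP (DNAT) traffic would bypass.

Added example: parses 'config firewall policy' output and flags DENY
policies that neither target a VIP object in dstaddr nor have
'set match-vip enable' in effect. All policy ids, names and the VIP
object name below are constructed sample data, not from a real device.
"""
import re

# Constructed sample: a plain DENY-all policy (id 10) sits ABOVE an ACCEPT
# policy for a VIP (id 20); id 66 is a DENY aimed at the VIP object itself.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set name "DENY all"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set name "Allow FMG VIP"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "VM - FortiManager - TCP 541"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 66
        set name "BLOCK access to VIP"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VM - FortiManager - TCP 541"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
"""

_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')


def parse_policies(text):
    """Return a list of {'id': int, <key>: [values...]} dicts in config order."""
    policies, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("edit "):
            current = {"id": int(stripped.split()[1])}
        elif stripped == "next" and current is not None:
            policies.append(current)
            current = None
        elif current is not None:
            m = _SET_RE.match(line)
            if m:
                # Quoted values may contain spaces ("VM - FortiManager - TCP 541"),
                # so split on quoted strings first, then on bare tokens.
                pairs = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
                current[m.group(1)] = [q or u for q, u in pairs]
    return policies


def match_vip_effective(policy, default_enabled):
    """Resolve match-vip for a policy, honouring the version-dependent default."""
    explicit = policy.get("match-vip")
    if explicit is None:
        return default_enabled
    return explicit[0] == "enable"


def audit_deny_policies(policies, vip_names, match_vip_default=False):
    """Return ids of DENY policies that VIP-destined traffic would bypass.

    A DENY policy stops VIP traffic only if its dstaddr names the VIP object
    or match-vip is enabled (explicitly, or by default on v7.2.3+).
    """
    bypassed = []
    for p in policies:
        if p.get("action", ["accept"])[0] != "deny":
            continue
        targets_vip = any(d in vip_names for d in p.get("dstaddr", []))
        if targets_vip or match_vip_effective(p, match_vip_default):
            continue
        bypassed.append(p["id"])
    return bypassed


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    vips = {"VM - FortiManager - TCP 541"}
    print("bypassed with pre-7.2.3 default:", audit_deny_policies(pols, vips, False))
    print("bypassed with 7.2.3+ default:   ", audit_deny_policies(pols, vips, True))
```

With the pre-v7.2.3 default (match-vip disabled) the audit reports policy 10: it is a DENY-all that does not name the VIP and does not enable match-vip, so VIP traffic falls through to policy 20. Policy 66 is not reported because its dstaddr is the VIP object itself. With the v7.2.3+ default the list is empty, since every DENY policy then matches VIP traffic unless match-vip is explicitly disabled.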