Description
This article describes how the FortiGate matches Virtual IP firewall policies differently from regular firewall policies. If there is a VIP firewall policy below a 'regular' DENY firewall policy, the VIP traffic will still be able to go through.
Scope
VIP DENY firewall policy.
Solution
There are two options to handle this situation:
- Specify the 'Action' as DENY on a firewall policy specifically created for the VIP object(s) that must be blocked.
For example:
GUI.
From CLI:
config firewall policy
edit 66
set name "BLOCK access to VIP"
set srcintf "x1"
set dstintf "any"
set srcaddr "all"
set dstaddr "VM - FortiManager - TCP 541" <-- Specify VIP object(s) that needs to be blocked.
set action deny
set schedule "always"
set service "ALL"
set logtraffic all
set comments "DENY access to VIP"
next
end
Or:
- Configure the 'match-vip' option for the DENY firewall policy in CLI:
config firewall policy
edit <fw_policy_id>
set srcintf "portx"
set dstintf "porty"
set srcaddr "all"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
set match-vip enable
next
end
Note:
- In v6.4.3 and above, 'set match-vip enable' is only available within the Firewall Policy when the ACTION of the policy is set to DENY.
- The match-vip option is disabled by default until v7.2.3. After v7.2.3, the option is enabled by default.
