FortiGate
APAC_Beta_FTNT
Article Id 192456

Description

This article describes how the FortiGate matches Virtual IP (VIP) firewall policies differently from regular firewall policies. If a firewall policy that allows traffic to a VIP sits below a 'regular' DENY firewall policy, the VIP traffic is still allowed through.


Scope

VIP DENY firewall policy.


Solution

A regular deny policy does not block VIP traffic because of the order in which the FortiGate processes packets. When a packet is destined for a VIP, Destination NAT (DNAT) is applied before the firewall policy lookup, so the packet's destination has already been translated to the VIP's mapped IP by the time the policies are evaluated. As a result, a deny policy whose destination is set to 'All' or to the original (external) IP does not match the translated traffic, and the traffic bypasses the policy.


There are two options to handle this situation:

  1. Specify the 'Action' as DENY on a firewall policy created specifically for the VIP object(s) that must be blocked.


For example, in the GUI:

[Image: VIP.png (GUI example of the DENY policy with the VIP object as destination)]


From CLI:

config firewall policy
    edit 66
        set name "BLOCK access to VIP"
        set srcintf "x1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VM - FortiManager - TCP 541"          <-- Specify the VIP object(s) that need to be blocked.
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "DENY access to VIP"
    next
end


Or:

  2. Configure the 'match-vip' option on the DENY firewall policy from the CLI:

 

config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end

Note:

  • In v6.4.3 and above, 'set match-vip enable' is only available within the Firewall Policy when the 'Action' of the policy is set to DENY.
  • The match-vip option is disabled by default until v7.2.3. After v7.2.3, the option is enabled by default.
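The two options above and the version-dependent default of 'match-vip' make it easy to end up with a DENY policy that VIP traffic silently bypasses. The following Python script is an added example, not part of this article or of FortiOS, that audits the text of a 'config firewall policy' block (as printed by 'show firewall policy') and reports deny policies that neither target VIP objects directly (option 1) nor have 'match-vip' in effect (option 2). The VIP object names, the sample configuration and the 'match_vip_default' flag (which the caller sets according to the running FortiOS version, since 'show' omits settings at their default value) are assumptions made for this example.

```python
"""
Added example (not from the Fortinet article): audit a FortiGate
'config firewall policy' dump for DENY policies that VIP traffic would
bypass, i.e. deny policies whose destination is not made up of VIP
objects and which do not have 'match-vip' in effect.

Assumptions (hypothetical): the text is the output of 'show firewall
policy'; VIP object names come from the caller (e.g. 'show firewall
vip'); 'match_vip_default' reflects the running FortiOS version, since
'show' does not print settings that are at their default value.
"""
import re
from dataclasses import dataclass, field

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
EDIT_RE = re.compile(r'^\s*edit\s+(\S+)')


@dataclass
class Policy:
    policy_id: str
    settings: dict = field(default_factory=dict)


def parse_policies(config_text):
    """Parse each 'edit <id> ... next' entry into a Policy with its 'set' values."""
    policies = []
    current = None
    for line in config_text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = Policy(m.group(1))
            policies.append(current)
            continue
        if current is None:
            continue  # 'config ...' / 'end' lines outside an entry
        m = SET_RE.match(line)
        if m:
            key, raw = m.groups()
            # quoted values may contain spaces: set dstaddr "VIP - A" "VIP - B"
            values = re.findall(r'"([^"]*)"', raw) or raw.split()
            current.settings[key] = values
        elif line.strip() == 'next':
            current = None
    return policies


def find_vip_bypass(config_text, vip_names, match_vip_default=False):
    """Return the ids of deny policies that VIP (DNAT) traffic would bypass."""
    vips = set(vip_names)
    bypassed = []
    for p in parse_policies(config_text):
        # 'show' omits defaults; FortiOS defaults a policy's action to deny
        if p.settings.get('action', ['deny'])[0] != 'deny':
            continue  # only deny policies are affected by this behaviour
        dst = set(p.settings.get('dstaddr', []))
        if dst and dst <= vips:
            continue  # option 1: the deny policy is built on VIP objects
        mv = p.settings.get('match-vip', [None])[0]
        in_effect = (mv == 'enable') if mv else match_vip_default
        if not in_effect:
            bypassed.append(p.policy_id)  # option 2 not applied: bypassed
    return bypassed


# Constructed sample configuration for this example (not a real device dump).
SAMPLE_CONFIG = """
config firewall policy
    edit 10
        set name "deny-all"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "deny-with-match-vip"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
    edit 12
        set name "deny-vip-object"
        set srcintf "port1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "EXAMPLE-VIP"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 13
        set name "allow-vip"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "EXAMPLE-VIP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

if __name__ == '__main__':
    # Pre-v7.2.3 default (match-vip disabled): policy 10 is bypassed by VIP traffic.
    print(find_vip_bypass(SAMPLE_CONFIG, ['EXAMPLE-VIP']))
    # With match-vip enabled by default, nothing is flagged.
    print(find_vip_bypass(SAMPLE_CONFIG, ['EXAMPLE-VIP'], match_vip_default=True))
```

Run it against a saved 'show firewall policy' output and the VIP names from 'show firewall vip'; any policy id it prints is a deny rule that VIP traffic passes through and should get either a VIP-object destination or 'set match-vip enable'.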