Description
This article describes how the FortiGate matches Virtual IP firewall policies differently from regular firewall policies. If there is a VIP firewall policy below a 'regular' DENY firewall policy, the VIP traffic will still be able to go through.
Scope
VIP DENY firewall policy.
Solution
A regular deny policy does not block VIP traffic due to the way the FortiGate processes packets. When a packet is destined for a VIP, Destination NAT (DNAT) is applied before the firewall policy check. This means the packet is already translated to the VIP's mapped IP before FortiGate evaluates the policies. As a result, a deny policy with the destination set to “All” or the original IP will not match the translated traffic, and the traffic will bypass the policy.
There are two options to handle this situation:
- Specify the 'Action' as DENY on a firewall policy specifically created for the VIP object(s) that must be blocked.
For example:
GUI.
From CLI:
config firewall policy
edit 66
set name "BLOCK access to VIP"
set srcintf "x1"
set dstintf "any"
set srcaddr "all"
set dstaddr "VM - FortiManager - TCP 541" <-- Specify VIP object(s) that needs to be blocked.
set action deny
set schedule "always"
set service "ALL"
set logtraffic all
set comments "DENY access to VIP"
next
end
Or:
- Configure the 'match-vip' option for the DENY firewall policy in CLI:
config firewall policy
edit <fw_policy_id>
set srcintf "portx"
set dstintf "porty"
set srcaddr "all"
set dstaddr "all"
set action deny
set schedule "always"
set service "ALL"
set match-vip enable
next
end
Note:
- In v6.4.3 and above, 'set match-vip enable' is only available within the Firewall Policy when the ACTION of the policy is set to DENY.
- The match-vip option is disabled by default until v7.2.3. After v7.2.3, the option is enabled by default.
