Created on 11-02-2011 01:37 AM
Edited on 07-04-2025 05:10 AM
By Anthony_E
Description
This article describes how the FortiGate matches Virtual IP (VIP) firewall policies differently from regular firewall policies. If a VIP firewall policy sits below a 'regular' DENY firewall policy, the VIP traffic is still allowed through by the VIP policy.
Scope
VIP DENY firewall policy.
Solution
A regular deny policy does not block VIP traffic because of the order in which the FortiGate processes packets. When a packet is destined for a VIP, Destination NAT (DNAT) is applied before the firewall policy check, so by the time the policies are evaluated the packet's destination has already been translated to the VIP's mapped IP. As a result, a deny policy whose destination is set to “All” or to the original (external) IP does not match the translated traffic, and the traffic bypasses that deny policy. To block it, the deny policy must either reference the VIP object itself as the destination address, or have match-vip enabled.
For example:
From the GUI (screenshot not reproduced): create the deny policy with the VIP object(s) to be blocked selected as the destination address.
From the CLI:
config firewall policy
    edit 66
        set name "BLOCK access to VIP"
        set srcintf "x1"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "VM - FortiManager - TCP 541"   <-- Specify the VIP object(s) that need to be blocked.
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "DENY access to VIP"
    next
end
Or, with match-vip enabled so that a deny policy using "all" as the destination also matches VIP traffic:
config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end
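As an added illustration (not Fortinet's code and not FortiOS CLI), the following Python model applies the matching rule described above to the three deny-policy variants: a regular deny above the VIP policy, a deny naming the VIP object, and a deny with match-vip enabled. The VIP table, IP addresses and policy names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                   # "accept" or "deny"
    dstaddr: frozenset = frozenset({"all"})       # address / VIP object names
    match_vip: bool = False                       # "set match-vip enable"

# Constructed VIP table: VIP object name -> (external IP, mapped IP).
VIPS = {"VM - FortiManager - TCP 541": ("203.0.113.10", "10.0.0.5")}

def dnat(dst_ip):
    """DNAT runs before policy lookup: return (vip name, translated dst)."""
    for name, (ext_ip, mapped_ip) in VIPS.items():
        if ext_ip == dst_ip:
            return name, mapped_ip
    return None, dst_ip

def matches(policy, vip_name, translated_dst):
    """Matching rule from the article, applied to the already-translated packet."""
    if vip_name is None:                          # ordinary traffic: plain address match
        return "all" in policy.dstaddr or translated_dst in policy.dstaddr
    if vip_name in policy.dstaddr:                # deny naming the VIP object matches
        return True
    if "all" in policy.dstaddr:                   # "all" matches VIP traffic only with match-vip
        return policy.match_vip
    return False                                  # original IP or other address: no match

def lookup(policies, dst_ip):
    """Top-down policy walk; (name, action) of the first match, else implicit deny."""
    vip_name, translated_dst = dnat(dst_ip)
    for policy in policies:
        if matches(policy, vip_name, translated_dst):
            return policy.name, policy.action
    return "implicit", "deny"

# Constructed policies; EXT_IP is the VIP's external address.
VIP, EXT_IP = "VM - FortiManager - TCP 541", "203.0.113.10"
allow_vip = Policy("Allow FortiManager VIP", "accept", frozenset({VIP}))
deny_all = Policy("DENY all", "deny")                          # regular deny, no match-vip
deny_vip_obj = Policy("BLOCK access to VIP", "deny", frozenset({VIP}))
deny_match_vip = Policy("DENY all (match-vip)", "deny", match_vip=True)

if __name__ == "__main__":
    print(lookup([deny_all, allow_vip], EXT_IP))        # regular deny above the VIP policy: accepted
    print(lookup([deny_vip_obj, allow_vip], EXT_IP))    # deny on the VIP object: denied
    print(lookup([deny_match_vip, allow_vip], EXT_IP))  # deny with match-vip: denied
```

Non-VIP traffic still hits the regular deny in the first ordering, which is why the gap is easy to miss when testing from an internal address.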
Note: