The FortiGate unit matches Virtual IP (VIP) firewall policies differently from regular firewall policies. If a VIP firewall policy sits below a "regular" DENY firewall policy, traffic destined to the VIP is still allowed through: the DENY policy above it does not match the VIP traffic.
(Figure: DENY firewall policy)
There are two options to handle this situation:
1. Create a firewall policy specifically for the VIP that is to be blocked and set its "Action" to DENY, or
2. Enable the "match-vip" option on the DENY firewall policy from the CLI:
    config firewall policy
        edit <fw_policy_id>
            set srcintf "portx"
            set dstintf "porty"
            set srcaddr "all"
            set dstaddr "all"
            set action deny
            set schedule "always"
            set service "ALL"
            set match-vip enable
        next
    end
Note: In FortiOS 6.4.3 and later, 'set match-vip enable' is only available in a firewall policy whose Action is set to DENY.
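As an added example (not Fortinet's code and not part of the original article), here is a small Python model of the behaviour described above: it parses policies written in the CLI format shown, then reports which policy a flow arriving through a VIP would hit, with and without match-vip. The rule "a DENY policy with dstaddr all is skipped for VIP traffic unless match-vip is enabled" is a simplified assumption, not a full model of FortiOS policy lookup; the policy ids, interface names and the VIP name web_vip are constructed.

```python
import re
from collections import namedtuple
Policy = namedtuple("Policy", "pid srcintf dstintf dstaddr action match_vip")  # CLI order

def parse_policies(cli_text):
    """Parse a 'config firewall policy ... end' block (the format shown above)."""
    policies = []
    for pid, body in re.findall(r"edit (\d+)(.*?)\n\s*next", cli_text, re.S):
        kv = dict(re.findall(r'set (\S+) "?([^"\n]+)"?', body))
        policies.append(Policy(int(pid), kv["srcintf"], kv["dstintf"], kv["dstaddr"],
                               kv.get("action", "deny"), kv.get("match-vip") == "enable"))
    return policies

def first_match(policies, srcintf, dstintf, vip):
    """First policy that sees a flow DNATed by `vip`. Simplified model (assumption):
    a DENY policy with dstaddr 'all' is skipped for VIP traffic unless match-vip is
    enabled; a policy that names the VIP in dstaddr always matches."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if p.dstaddr == vip:
            return p
        if p.dstaddr == "all":
            if p.action == "deny" and not p.match_vip:
                continue  # the trap: a plain DENY does not see VIP traffic
            return p
    return None

# Constructed sample: a blanket DENY (id 1) sits above the VIP ACCEPT policy (id 2).
WEAK = """config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set dstaddr "all"
        set action deny
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set dstaddr "web_vip"
        set action accept
    next
end
"""
# Option 2 from the text: enable match-vip on the DENY policy.
FIXED = WEAK.replace("set action deny\n", "set action deny\n        set match-vip enable\n")

def decision(cli_text):
    """(policy id, action) applied to a port1->port2 flow for web_vip, or None."""
    p = first_match(parse_policies(cli_text), "port1", "port2", "web_vip")
    return (p.pid, p.action) if p else None
```

Running decision(WEAK) returns (2, 'accept') because the blanket DENY is bypassed, while decision(FIXED) returns (1, 'deny').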