FortiGate
elfaran_FTNT
Staff
Article Id 189641

Description

 
This article describes a scenario in which the FortiGate does not block an incoming WAN-to-LAN connection from a specific source IP even though a deny policy for that IP is configured.

An inbound NAT (VIP) publishes an internal web server to the external network, and one specific external IP must be blocked from reaching it.

A deny policy with that external client IP as its source is placed above the accept policy, yet the traffic from that client never hits the deny policy.


Solution

 
VIP configuration (screenshot): the inbound destination NAT that maps the external address to the internal web server.
In this example, the goal is to deny access to the web server from the external IP 172.26.48.75.

Configuring a firewall deny policy as shown in the first screenshot does not block the traffic from that IP, even though the policy sits at the top of the list and therefore has the highest priority.

The second screenshot shows why: although the deny policy is first in the list and has the correct source IP, it is never hit. The traffic from the denied source is still accepted by the second (VIP) firewall policy, because a deny policy whose destination address is 'all' does not match DNATed (VIP) traffic by default.
 

 
To block the traffic from the denied source, edit the deny policy from the CLI and enable 'match-vip':
 
config firewall policy
    edit <policy-id>
        set match-vip enable
    next
end
 
Note:
Since FortiOS 6.4.3 this option can only be used on DENY policies; it is no longer available on ACCEPT policies (documented under 'Changes in default behavior').

Once 'match-vip' is enabled, DNATed packets that are not matched by a VIP policy are also evaluated against the general (non-VIP) policies, so the deny policy can explicitly drop and log them.

Alternatively, configure the deny policy with the destination address set to the VIP object whose traffic is to be denied, instead of 'all'. The deny policy then matches the DNATed traffic directly, without 'match-vip'.
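The following complete CLI configuration is an added example and is not part of the original article. It ties together the VIP, the deny policy with 'match-vip' enabled, the accept policy, and the alternative deny form. The interface names 'wan1' and 'internal', the VIP name 'web-server-vip', the address object name 'blocked-client', and the addresses 203.0.113.10 (external) and 10.0.0.10 (internal) are assumptions; only the blocked client 172.26.48.75 comes from the article.

```text
# Added example (not from the article). Interface names, the VIP name and
# the 203.0.113.10 / 10.0.0.10 addresses are assumptions for illustration.

# 1. Inbound destination NAT: publish the internal web server on the WAN address.
config firewall vip
    edit "web-server-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# 2. Address object for the single external client to be blocked.
config firewall address
    edit "blocked-client"
        set subnet 172.26.48.75 255.255.255.255
    next
end

# 3. Policies. Order of evaluation is top-down, and the deny must come first.
config firewall policy
    # Deny policy with destination 'all': on its own this does NOT match the
    # DNATed traffic to the VIP. 'set match-vip enable' makes it match.
    edit 1
        set name "deny-blocked-client"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-client"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # Accept policy for every other client, with the VIP as destination.
    edit 2
        set name "allow-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-server-vip"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Policy position, not policy ID, decides priority: keep the deny on top.
    move 1 before 2
end

# Alternative that needs no 'match-vip': point the deny policy at the VIP object.
# config firewall policy
#     edit 1
#         set dstaddr "web-server-vip"
#     next
# end

# 4. Verify which policy the blocked client actually hits (debug flow trace).
diagnose debug flow filter saddr 172.26.48.75
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... generate a connection from 172.26.48.75 to 203.0.113.10:443, then:
diagnose debug flow trace stop
diagnose debug disable
```

The trace should show the new session being denied by policy 1 rather than accepted by policy 2; if it still reports policy 2, check that 'match-vip' is enabled on the deny policy (or that its destination is the VIP object) and that the deny policy is positioned above the accept policy.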
 
 
From FortiOS 7.2.3 onward, 'match-vip' is enabled by default.