FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 189641
This article describes a scenario where the firewall does not block the incoming WAN to LAN connection for a specific IP even though a deny policy is configured.

There is an inbound NAT to access an internal web server from external network but we wish to block one specific external IP from accessing it.

Even though a deny policy is configured above the allowed policy with the source as the IP of the external client, still it does not trigger the firewall policy.


In this case we are trying to deny the access of web server from IP

Configuring a firewall deny policy as shown in the following screenshot will not block the traffic from the external IP even though placed at the top, and taking the highest priority.

In the below screenshot it is possible to see that even though the deny policy is at the top taking highest priority, and specified with the right source IP, the policy is not getting hit, as a result the traffic from the denied source is still allowed by the second firewall policy.

In order to block the traffic from the denied source, it is necessary to edit the denied firewall policy from the CLI and run the following command:
set match-vip enable

Since 6.4.3 it is only possible to use this option for DENY policies. It is not available anymore for ACCEPT policies (

After enabling the above option,the DNATed packets that are not matched by a VIP policy are matched with the general policy where they can be explicitly dropped and logged.


Always configure the deny policy with the destination address as the VIP for which traffic is denied instead of 'All'.