FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard Labs to deliver top-rated protection and high performance, including inspection of encrypted traffic.
This article describes a scenario in which the firewall does not block an incoming WAN-to-LAN connection from a specific IP address even though a deny policy is configured for it.
An inbound NAT exposes an internal web server to the external network, and we wish to block one specific external IP address from accessing it.
Even though a deny policy whose source is the external client's IP address is placed above the allow policy, the deny policy is never matched.
In this case we are trying to deny access to the web server from IP 172.26.48.75.
Configuring a firewall deny policy as shown in the following screenshot does not block traffic from the external IP, even though the policy is placed at the top and therefore has the highest priority.
The screenshot below shows that, even though the deny policy is at the top with the highest priority and specifies the correct source IP, the policy is not hit; as a result, traffic from the denied source is still allowed by the second firewall policy.
To block the traffic from the denied source, edit the deny firewall policy from the CLI and run the following command:
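The following is an added example and not the article's own configuration: it shows the deny policy as the GUI creates it next to a corrected version that also matches traffic whose destination address has been translated by the inbound NAT. It assumes the inbound NAT is a firewall VIP object, and the interface names wan1 and lan, the address object name and the policy ID are assumptions; the lines starting with # are annotations, not CLI input.

```text
# Address object for the external client named in the article.
config firewall address
    edit "Blocked-Client"
        set subnet 172.26.48.75 255.255.255.255
    next
end

# Deny policy as created from the GUI: placed first, correct source,
# destination "all". Inbound traffic to the VIP is not matched by it,
# so the lookup falls through to the allow policy below it.
config firewall policy
    edit 1
        set name "Deny-Blocked-Client"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "Blocked-Client"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end

# Corrected deny policy: match-vip makes a deny policy with
# destination "all" also match packets whose destination was
# rewritten by a VIP, so the client is blocked before the allow
# policy is evaluated.
config firewall policy
    edit 1
        set match-vip enable
    next
end
```

After the change, verify from the CLI with `diagnose sniffer packet` or the policy hit counters that sessions from 172.26.48.75 now hit policy 1 and are dropped.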