Created on 09-28-2023 10:23 PM Edited on 10-20-2024 09:37 PM By Anthony_E
Description |
This article describes a scenario where a user wants to block traffic from certain countries from reaching an internal server behind the FortiGate LAN, but IP addresses belonging to the geo-blocked country are still able to reach the internal server.
The configuration is as follows:
|
Scope | FortiGate. |
Solution |
According to the packet flow in FortiGate, destination NAT (including VIP translation) takes effect at the beginning of packet processing, before policy lookup. In the FortiGate kernel, packets are processed in the following order:
A local-in policy with action deny will therefore not block traffic that a VIP policy allows: by the time the local-in policy is evaluated, the VIP has already translated the destination to the internal server, so the packet is no longer traffic destined to the FortiGate itself and the local-in policy does not match it. To resolve the issue, create a firewall policy with action deny whose source address is the geography address of the countries to block and whose destination is the VIP, and place it above the VIP allow policy. Firewall policies are matched top-down, so the deny policy must come first.
Note: the destination address of the deny policy should be the VIP object. If it is instead set to the internal server's real IP address or to 'all', the deny policy will not match VIP traffic by default; in that case, enable match-vip on the deny policy from the CLI ('set match-vip enable') so that it also matches packets whose destination was translated by a VIP.
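The following CLI configuration is an added example illustrating the procedure above; it is not part of the original article. The interface names (wan1, lan), the VIP external address 203.0.113.10, the internal server 10.0.0.10, the country code CN and the policy IDs are assumptions chosen for illustration; substitute the values from the affected FortiGate.

```text
# 1. Geography address object for the countries to block (CN is an assumed example).
config firewall address
    edit "GEO-BLOCK"
        set type geography
        set country "CN"
    next
end

# 2. The VIP that forwards the public address to the internal server (assumed values).
config firewall vip
    edit "WEB-VIP"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end

# 3. Deny policy: source = geography address, destination = the VIP object.
#    Because dstaddr is the VIP itself, match-vip is not required here.
config firewall policy
    edit 20
        set name "DENY-GEO-TO-VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "GEO-BLOCK"
        set dstaddr "WEB-VIP"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Existing allow policy for the VIP (ID 10 assumed).
    edit 10
        set name "ALLOW-WEB-VIP"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "WEB-VIP"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    # Policies match top-down: the deny policy must sit above the allow policy.
    move 20 before 10
end

# Variant of step 3 when the deny policy uses the real server IP (or "all") as
# destination instead of the VIP: match-vip must be enabled or the policy
# never sees the translated traffic.
config firewall policy
    edit 20
        set dstaddr "all"
        set match-vip enable
    next
end

# 4. Verify from the CLI which policy a packet from a blocked source hits
#    (198.51.100.25 is an assumed source address in a blocked country).
diagnose debug flow filter saddr 198.51.100.25
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow trace start 10
diagnose debug enable
# Expected: the trace shows the packet matched by policy id 20 and denied.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

The debug flow trace is the quickest way to confirm the fix: if the trace still reports the allow policy, either the deny policy is ordered below it or its destination does not match the VIP (in which case match-vip is the missing setting).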
The following article explains How to configure block VIP access using GEO location: How to block VIP access using GEO Location
Related documents:
Packet flow ingress and egress: FortiGates without network processor offloading
Technical Tip: Firewall does not block incoming (WAN to LAN) connection even though deny policy |