Description | This article describes the traffic re-evaluation that occurs after hitting a deny policy in NGFW policy-based mode. |
Scope | FortiGate. |
Solution |
If the configuration is changed after traffic has already matched a deny policy, the existing session for that traffic will not be re-evaluated.
Consider an example with a valid session, accepted by a security policy:
The screenshots below show what occurs once this traffic hits a deny policy. (In this scenario, the source address of the intended traffic is removed from the source object on the security policy. As a result, the traffic hits the implicit deny policy.)
After the source address is added back to policy 1, the traffic is still denied and still hits the implicit deny policy. The existing session is not re-evaluated.
This is a behavior by design in NGFW policy-based mode.
To have the traffic re-evaluated, the session must be re-established, or the active session must be cleared from the session table. A new session will be evaluated according to the security policy rules. |
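To illustrate the last step, the following FortiOS CLI sequence (added here as an example; it is not part of the original article) shows how to locate and clear the stale session so that the next packet is evaluated against the current security policy. The addresses 10.1.1.10 and 10.2.2.20 are placeholders for the affected source and destination.

```text
# Restrict the session table view to the affected flow (placeholder addresses)
diagnose sys session filter src 10.1.1.10
diagnose sys session filter dst 10.2.2.20

# Confirm the stale session is present; note the policy_id it is still bound to
diagnose sys session list

# Clear only the sessions that match the filter above.
# Without a filter, this command clears EVERY session on the unit.
diagnose sys session clear

# Reset the filter so later diagnose commands see the whole table again
diagnose sys session filter clear
```

Once the session is gone, the next packet from the client creates a new session that is matched against policy 1 with the restored source object.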
Copyright 2024 Fortinet, Inc. All Rights Reserved.