Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
GoodGameOKC
New Contributor

Deny policy for specific services, while allowing others?

Hello All, 

I was looking for a little clarity on the behavior of using a deny policy. The goal is to deny a subnet's outbound traffic to a specific service, for example http. When you set the action to deny http, does that same policy implicitly "allow" all other services?

MH

4 REPLIES
yigiton
New Contributor II

Hello

If the action in a policy is deny, it will deny all traffic matching the policy.

You should create a new separate policy to allow other traffic.

GoodGameOKC

Thank you for the response. I'm still unclear on the yes or no answer to the question. You stated it will deny all traffic matching the policy. The policy is to deny HTTP. Say traffic for TCP 1514 hits the policy; will the action be to allow it because it's not HTTP?

MH
yigiton
New Contributor II

Hi

tcp-1514 traffic will not match the policy, because the service in the policy is http. All criteria must match.

You should write two policies, one to deny http and one to permit tcp-1514:

policy1: source:X, dest:Y, service:http, action:deny --> this will only deny http; tcp-1514 will not match policy1, and policy2 will take action for tcp-1514.

policy2: source:X, dest:Y, service:tcp-1514, action:permit
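The evaluation described in this answer, as an added example that is not part of the thread or Fortinet's own code: a small model of FortiGate-style top-down, first-match policy lookup, with the two policies from the answer as data. The subnet X (10.1.1.0/24), the destination Y (any), the client and server addresses, and the three sample flows are constructed for the example; interfaces and schedules are assumed to match and are left out of the model. Running it shows that with policy1 alone, tcp-1514 is not matched by the http deny and falls through to the implicit deny (policy ID 0), and that only the separate policy2 makes tcp-1514 pass.

```python
"""Model of FortiGate first-match policy lookup (added example, not Fortinet code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

Service = Tuple[str, int]  # (protocol, destination port)

HTTP: FrozenSet[Service] = frozenset({("tcp", 80)})
TCP_1514: FrozenSet[Service] = frozenset({("tcp", 1514)})  # custom service from the thread


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcaddr: str                              # CIDR, stands in for X
    dstaddr: str                              # CIDR, stands in for Y
    services: Optional[FrozenSet[Service]]    # None means ALL
    action: str                               # "accept" or "deny"

    def matches(self, flow: Flow) -> bool:
        """Every criterion must match, as in a FortiGate policy lookup."""
        if ip_address(flow.src) not in ip_network(self.srcaddr):
            return False
        if ip_address(flow.dst) not in ip_network(self.dstaddr):
            return False
        return self.services is None or (flow.proto, flow.dport) in self.services


def lookup(flow: Flow, policies: List[Policy]) -> Tuple[int, str]:
    """Walk the table top-down; the first full match decides.

    If nothing matches, the implicit deny applies; FortiGate logs that
    as policy ID 0. A deny policy never implicitly allows anything.
    """
    for policy in policies:
        if policy.matches(flow):
            return policy.policy_id, policy.action
    return 0, "deny"


# Constructed values standing in for X (the source subnet) and Y (any destination).
X = "10.1.1.0/24"
Y = "0.0.0.0/0"

POLICY1 = Policy(1, X, Y, HTTP, "deny")        # policy1: deny http
POLICY2 = Policy(2, X, Y, TCP_1514, "accept")  # policy2: permit tcp-1514

# Constructed sample flows from a host in X to an outside server.
SAMPLE_FLOWS = {
    "http": Flow("10.1.1.25", "203.0.113.10", "tcp", 80),
    "tcp-1514": Flow("10.1.1.25", "203.0.113.10", "tcp", 1514),
    "https": Flow("10.1.1.25", "203.0.113.10", "tcp", 443),
}


def deny_only() -> Dict[str, Tuple[int, str]]:
    """Only the deny policy exists: non-http traffic hits the implicit deny."""
    table = [POLICY1]
    return {name: lookup(flow, table) for name, flow in SAMPLE_FLOWS.items()}


def deny_plus_permit() -> Dict[str, Tuple[int, str]]:
    """Deny policy followed by the separate permit policy for tcp-1514."""
    table = [POLICY1, POLICY2]
    return {name: lookup(flow, table) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, table_fn in (("policy1 only", deny_only),
                            ("policy1 + policy2", deny_plus_permit)):
        print(label)
        for name, (pid, action) in table_fn().items():
            print(f"  {name:<9} -> policy {pid}: {action}")
```

On the FortiGate itself this corresponds to two entries under `config firewall policy`: policy 1 with `set service "HTTP"` and `set action deny`, and policy 2 with a custom service object created first under `config firewall service custom` (`set tcp-portrange 1514`) and `set action accept`. Any flow that matches neither is dropped by the implicit deny and appears in the traffic log with policy ID 0, which is the quickest way to confirm that a deny policy is not silently allowing the rest.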
GoodGameOKC

Okay, that's what I was inquiring about: is there an implicit "allow" in the deny policy because the traffic wasn't the denied http traffic? The logic makes sense; it just wasn't totally clear.

MH