Hello All,
I was looking for a little clarity on the behavior of using a deny policy. The goal is to deny a subnet's outbound traffic to a specific service, for example http. When you set the action to deny http, does that same policy implicitly "allow" all other services?
Hello
If the action is deny in the policy, it will deny all traffic matching the policy.
You should create a new separate policy to allow other traffic.
Thank you for the response. I'm still unclear on the yes or no answer to the question. You stated it will deny all traffic matching the policy. The policy is to deny http; say traffic for tcp 1514 hits the policy, will the action be to allow it because it's not http?
Hi
tcp-1514 traffic will not match the policy, because the service in the policy is http. All criteria should be matched.
You should write two policies to deny http and permit tcp-1514:
policy1: source:X, dest:Y, service:http, action:deny --> this will only deny http, and tcp-1514 will not match this policy1. It will take action for tcp-1514.
policy2: source:X, dest:Y, service:tcp-1514, action:permit
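To make the first-match logic in this answer concrete, here is a small policy evaluator added as an example (it is not Fortinet code and not from anyone in the thread). The policy names, the X/Y addresses, the traffic samples and the final implicit deny for traffic that matches no policy are assumptions for the demo.

```python
# Added example: a minimal first-match firewall policy evaluator.
# Policy names, the "X"/"Y" addresses and the traffic samples are
# constructed for the demo; the implicit deny at the end of the list
# is an assumed default, not something configured in the thread.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    src: str
    dst: str
    service: str   # e.g. "http", "tcp-1514", or "ALL" for any service
    action: str    # "permit" or "deny"

    def matches(self, src: str, dst: str, service: str) -> bool:
        # Every criterion must match. A policy whose service is http
        # never sees tcp-1514 traffic, so it can neither deny nor
        # implicitly allow it.
        return (self.src == src and self.dst == dst
                and self.service in ("ALL", service))


def evaluate(policies, src, dst, service):
    """Return (action, policy_name). Policies are checked top-down and
    the first match wins; traffic matching no policy falls through to
    the assumed implicit deny, reported as policy name "implicit"."""
    for p in policies:
        if p.matches(src, dst, service):
            return p.action, p.name
    return "deny", "implicit"


# The two policies from the answer above.
POLICY1 = Policy("policy1", "X", "Y", "http", "deny")
POLICY2 = Policy("policy2", "X", "Y", "tcp-1514", "permit")


def demo():
    """Evaluate the thread's two flows with policy1 alone and with both."""
    deny_only = [POLICY1]
    both = [POLICY1, POLICY2]
    return {
        "http, policy1 only": evaluate(deny_only, "X", "Y", "http"),
        "tcp-1514, policy1 only": evaluate(deny_only, "X", "Y", "tcp-1514"),
        "tcp-1514, both policies": evaluate(both, "X", "Y", "tcp-1514"),
        "http, both policies": evaluate(both, "X", "Y", "http"),
    }


if __name__ == "__main__":
    for case, (action, name) in demo().items():
        print(f"{case:25} -> {action} (by {name})")
```

With policy1 alone, tcp-1514 is neither denied by policy1 nor allowed by it; it simply falls through to whatever comes next, which is why the separate permit policy is needed.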
Okay, that's what I was inquiring about: is there an implicit "allow" in the deny policy because the traffic wasn't the denied http traffic. The logic makes sense; it just wasn't totally clear.
Copyright 2025 Fortinet, Inc. All Rights Reserved.