Hello All,
I was looking for a little clarity on the behavior of using a deny policy. The goal is to deny a subnets outbound traffic to a specific service, for example http. When you set the action to deny http does that same policy implicitly "allow" all other services?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
If the action is deny in policy, it will deny all traffic matching the policy.
You should create a new separate policy to allow other traffics.
Hi
tcp-1514 traffic will not match the policy, because of service is http in the policy. All criteria should be matched.
you should write two policies to deny http and permit tcp1514 :
policy1: source:X, dest:Y, service:http, action:deny --> this will only deny http and tcp-1514 will not match this policy1. it will take action for tcp-1514
policy2: source:X, dest:Y, service:tcp-1514, action:permit
Hello
If the action is deny in policy, it will deny all traffic matching the policy.
You should create a new separate policy to allow other traffics.
Thank you for the response. I'm still unclear of the yes or no to the question. You stated it will deny all traffic matching the policy. The policy is to deny Http, say traffic for tcp 1514 hits the policy, will the action be the allow it because it's not http?
Hi
tcp-1514 traffic will not match the policy, because of service is http in the policy. All criteria should be matched.
you should write two policies to deny http and permit tcp1514 :
policy1: source:X, dest:Y, service:http, action:deny --> this will only deny http and tcp-1514 will not match this policy1. it will take action for tcp-1514
policy2: source:X, dest:Y, service:tcp-1514, action:permit
Okay, that's what I was inquiring about is there an implicit "allow" in the deny policy because the traffic wasn't the deny http traffic. The logic makes scenes just wasn't totally clear.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1631 | |
1063 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.