Hello!
I'm running into a problem with our FortiGate 100E running 6.0.7. The crux of the matter is that the firewall policy contains these two entries (among others):

    config firewall policy
        edit 55
            set srcintf "wan1"
            set dstintf "any"
            set srcaddr "BLOCKLIST"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set fsso disable
        next
        edit 46
            set srcintf "wan1"
            set dstintf "port1"
            set srcaddr "all"
            set dstaddr "DNAT_TCP_22" "DNAT_TCP_443" "DNAT_UDP_53"
            set action accept
            set schedule "always"
            set service "PORT_TCP_22" "PORT_TCP_443" "PORT_UDP_53"
            set logtraffic all
            set fsso disable
        next
    end
Policy 55 is an attempt to do a blanket deny of inbound traffic from an addrgrp called "BLOCKLIST", which is a fairly large addrgrp containing IPv4 addresses and networks. Policy 46 accepts some traffic that is being DNAT'ed from the global IP address of wan1 to some internal systems. What we thought was that, because policy 55 comes before policy 46, inbound traffic from any of the BLOCKLIST source addresses to any port would be denied, and all other inbound traffic would pass through to the subsequent policies. However, what we see in practice is that inbound traffic from the BLOCKLIST sites to ports other than 22/443/53 is indeed denied, but traffic from the BLOCKLIST sites to ports 22/443/53 is accepted, which is surprising.
I've seen in some documentation that DNAT processing occurs very early, just after ingress; however, presumably that is just destination address translation, and since policy 55 is supposed to match ALL destination addresses to ANY destination interface, it seems strange that traffic from BLOCKLIST sites would not match policy 55 and be denied. What are we doing wrong, and what would be the best way to get the desired behavior?
Thanks!
You're barking up the right tree. You need to set match-vip enable on policy 55. See this recent forum thread for a discussion of this exact issue.
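To make the fix concrete, here is policy 55 rewritten with match-vip enabled, followed by the commands to confirm the change and to see which policy inbound sessions are actually hitting. This is an added example, not the original poster's or Fortinet's configuration; it reuses the interface and object names from the question, and `set action deny` is written out even though FortiOS hides it in `show` output because deny is the default.

```fortios
# Added example: deny policy 55 with match-vip enabled.
# Without match-vip, a deny policy whose dstaddr is "all" is evaluated against
# the original destination only, so packets already rewritten by a VIP
# (DNAT_TCP_22 / DNAT_TCP_443 / DNAT_UDP_53) fall through to accept policy 46.
config firewall policy
    edit 55
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "BLOCKLIST"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
        set fsso disable
    next
end

# Confirm the option is now stored on the policy.
show firewall policy 55

# Check which policy live inbound sessions are matching; after the change,
# sessions from BLOCKLIST sources should no longer appear under policy 46.
diagnose sys session filter policy 46
diagnose sys session list
diagnose sys session filter clear
```

Since policy 55 logs all traffic, the forward traffic log is the easiest place to verify: hits from BLOCKLIST sources on 22/443/53 should now show policyid 55 with a deny action instead of policyid 46.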
I'll give it a try! I'd actually looked at match-vip, but the documentation in the Handbook was difficult to follow. And then, since I wasn't actually matching on the destination address, it didn't seem like it should matter. I suppose there's a lesson in there somewhere... Thanks!
It seems like that solved the problem. Thanks!