Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mdanta
New Contributor II

Does Policy DNAT Override Firewall Policy Order?

Hello!

I'm running into a problem with our Fortigate 100E running 6.0.7. The crux of the matter is that the firewall policy contains these two entries (among others):

edit 55     set srcintf "wan1"     set dstintf "any"     set srcaddr "BLOCKLIST"     set dstaddr "all"     set schedule "always"     set service "ALL"     set logtraffic all     set fsso disable next edit 46     set srcintf "wan1"     set dstintf "port1"     set srcaddr "all"     set dstaddr "DNAT_TCP_22" "DNAT_TCP_443" "DNAT_UDP_53"     set action accept     set schedule "always"     set service "PORT_TCP_22" "PORT_TCP_443" "PORT_UDP_53"     set logtraffic all     set fsso disable next

 

Policy 55 is an attempt to do a blanket deny of inbound traffic from an addrgrp called "BLOCKLIST" which is fairly large addrgrp containing IPv4 addresses and networks. Policy 46 accepts some traffic that is being DNAT'ed from the global IP address of wan1 to some internal systems. What we thought was that, because policy 55 comes before policy 46, inbound traffic from any of the BLOCKLIST source addresses to any port would be denied, and all other inbound traffic pass through to the subsequent policies. However, what we see in practice is that inbound traffic from the BLOCKLIST sites to ports other than 22/443/53 is indeed denied, but traffic from the BLOCKLIST sites to ports 22/443/53 is accepted, which is surprising.

 

I've seen in some documentation that DNAT processing occurs very early, just after ingress, however presumably that is just destination address translation, and since policy 55 is supposed to match ALL destination addresses to ANY destination interface, it seems strange that traffic from BLOCKLIST sites would not match policy 55 and be denied. What are we doing wrong, and would be the best way to get the desired behavior?

 

Thanks!

 

 

 

 

 

 

 

1 Solution
lobstercreed
Valued Contributor

You're barking up the right tree.  You need to set match-vip enable on policy 55.  See this recent forum thread for a discussion of this exact issue.

 

https://forum.fortinet.com/FindPost/188968

View solution in original post

3 REPLIES 3
lobstercreed
Valued Contributor

You're barking up the right tree.  You need to set match-vip enable on policy 55.  See this recent forum thread for a discussion of this exact issue.

 

https://forum.fortinet.com/FindPost/188968

mdanta
New Contributor II

I'll give it a try! I'd actually looked at match-vip, but the documentation in the Handbook was difficult to follow. And then, since I wasn't actually matching on the destination address, it didn't seem like it should matter. I suppose there's a lesson in there somewhere... Thanks!

mdanta
New Contributor II

It seems like that solved the problem. Thanks!

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors