Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

Explicit DENY ALL for inbound does not work

I am using V2.8 MR5 of Fortigate-400. I would like to log all the traffic hitting anything visible (routable) behind the firewall. Is there a way to enable the default " deny all" rule for the inbound traffic ? I' ve tried to give an explicit " deny all" rule (0.0.0.0/0.0.0.0 -> 0.0.0.0/0.0.0.0 ANY DENY) but it does not block or log anything. A fortinet engineer says because the rules on virtual IP address get matched first and therefore the explicit DENY ALL rule is bypassed. This sounds pretty unlogical to me. Any idea about this ? How can I make this work ? Thanks BB
2 REPLIES 2
mgoswami
Staff
Staff

Hi,

 

You might try to configure local in policy for inbound traffic.

 

Please refer to this link:
https://docs.fortinet.com/document/fortigate/6.2.14/cookbook/363127/local-in-policies

 

BR,

Manosh

ede_pfau
SuperUser
SuperUser

Jeez, did anybody notice that this thread was started 19 years ago? Go Fortinet!

 

But, alas, this situation might still arise today, with FortiOS 6.x/7.x. You can find an explanation and a workaround in the KB using the keyword "match-vip". Will only be applicable in DENY policies from FOS 7.0 on.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-does-not-block-incoming-WAN-to-LA...

and a post from this forum

https://community.fortinet.com/t5/Support-Forum/Match-vip-clarification-for-deny-rules/td-p/95228

 

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors