Fortigate Any to wan vs Lan to wan
Dear Community,
I am facing an issue: when I create a policy from LAN to WAN, all my traffic passes without issue, but when I want to block certain countries and IPs from all the ports like DMZ and LAN (inside to WAN), it is not blocking at all in the Any to WAN policy. I am confused about Any to WAN and LAN to WAN: which policy gets priority? FortiGate #policy #600e
Labels: Firewall policy, FortiGate
Hello @Hemant6737 ,
Thank you for contacting the Fortinet Forum portal.
- In general, FortiGate checks the policies from top to bottom. In order to block traffic from any country or IP, please refer to the steps in the article below, and verify whether you have any Virtual IP; if so, enable match-vip as well on the firewall policy from the CLI.
article:
- You can consider creating a local-in policy as well, as below:
Best regards,
Manasa.
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can find it easily when searching for similar scenarios.
Created on 08-04-2024 08:16 AM Edited on 08-04-2024 12:05 PM
Additional information on why to avoid ANY as the interface in the firewall policy:
It is always better to specify well-defined addresses (e.g. 192.168.0.x, 172.16.1.x, etc.) rather than using "any", to mitigate security-related issues that can arise when "any" is used in the interface section of the firewall policy.
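To make the top-down, first-match ordering described in the replies above concrete, here is an added Python model of the situation in the question; it is not code from the thread or from Fortinet. Interface names, the address ranges and the policy names are constructed, and the geography address is stood in for by a fixed test network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a FortiGate geography address object (TEST-NET-3 range).
GEO_BLOCK = [ip_network("203.0.113.0/24")]
ALL = []  # an empty address list plays the role of the built-in "all" object


def intf_ok(allowed, actual):
    """The "any" interface matches every interface; otherwise the name must be listed."""
    return "any" in allowed or actual in allowed


def addr_ok(nets, ip):
    """ALL (empty list) matches everything; otherwise the IP must fall in a listed network."""
    return not nets or any(ip in n for n in nets)


@dataclass
class Policy:
    name: str
    srcintf: set    # e.g. {"lan"} or {"any"}
    dstintf: set
    srcaddr: list   # ip_network objects, or ALL
    dstaddr: list
    action: str     # "accept" or "deny"

    def matches(self, srcintf, dstintf, src, dst):
        return (intf_ok(self.srcintf, srcintf) and intf_ok(self.dstintf, dstintf)
                and addr_ok(self.srcaddr, src) and addr_ok(self.dstaddr, dst))


def evaluate(policies, srcintf, dstintf, src, dst):
    """Top-down first match, as the reply describes; no match falls to the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for p in policies:
        if p.matches(srcintf, dstintf, src, dst):
            return p.name, p.action
    return "Implicit", "deny"


# The two policies from the question: a LAN-to-WAN accept and an any-to-WAN geo deny.
LAN_ALLOW = Policy("LAN-to-WAN", {"lan"}, {"wan"}, ALL, ALL, "accept")
GEO_DENY = Policy("Block-GEO-any-to-WAN", {"any"}, {"wan"}, ALL, GEO_BLOCK, "deny")

MISORDERED = [LAN_ALLOW, GEO_DENY]  # accept above the deny: LAN hosts never reach the deny
CORRECTED = [GEO_DENY, LAN_ALLOW]   # deny moved to the top: evaluated before any accept

if __name__ == "__main__":
    for label, table in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(label, evaluate(table, "lan", "wan", "192.168.0.10", "203.0.113.5"))
```

The same lookup shows why DMZ hosts were blocked while LAN hosts were not: with no DMZ accept policy above it, the any-to-WAN deny is the first match for DMZ traffic in either ordering.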