Support Forum
kunin

Fortigate - Possible bug (or by design) deny policies not applying immediately after a restart.

For VPN and IPsec connections, I have local-in policies for trusted hosts and VIPs in policies filtering out unwanted ASNs and non-United States IP addresses from connecting to our listening ports. Blocked ASNs are provided via feeds, and the others are IP groups. I've noticed that for the first 5 minutes or so after a completed reboot, many IPs I had previously blocked are able to spam our listening ports again, some of them for up to 30 minutes after a reboot. This seems like a security issue. If the firewall hasn't reached out and fetched lists from defined feeds, shouldn't it first deny anything it cannot prove is legitimate? Even the policy that allows US-only traffic gets hit by non-US traffic for a short while before finally denying it.

Whatever happened to implicit deny? (7.0.14)
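What a rule should do before its feed has been fetched is a fail-open versus fail-closed design choice. The Python model below is an added illustration of that choice, not FortiOS code and not anything from the original post: it evaluates a local-in style rule chain top-down with an implicit deny at the end and runs the same packet through both semantics. With fail-open evaluation an unfetched deny list never matches, so a source the feed would have blocked falls through to the geo allow rule until the fetch completes; with fail-closed evaluation any rule that depends on an unfetched list denies. Rule names, rule order, the split between a boot-time "US" group and a fetched ASN feed, and the addresses (RFC 5737 documentation ranges, constructed for the example) are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressList:
    """A source-address object a rule can match on.

    A static group (the hypothetical 'us-geo' here) is populated at boot;
    an external feed starts empty with loaded=False until its first fetch.
    """
    name: str
    networks: list = field(default_factory=list)
    loaded: bool = False

    def load(self, cidrs):
        """Simulate a successful fetch of the list contents."""
        self.networks = [ipaddress.ip_network(c) for c in cidrs]
        self.loaded = True

    def contains(self, ip):
        return any(ip in net for net in self.networks)


@dataclass
class Rule:
    name: str
    action: str          # "accept" or "deny"
    src: AddressList     # the rule matches when the source IP is in this list


def evaluate(rules, src_ip, fail_closed):
    """Top-down first-match evaluation with an implicit deny at the end.

    fail_closed=False: a rule whose list has not loaded cannot match (the
    list behaves as empty), so evaluation falls through to later rules.
    fail_closed=True: a rule whose list has not loaded denies the packet,
    because the firewall cannot yet prove the source is acceptable.
    Returns (verdict, reason).
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if not rule.src.loaded:
            if fail_closed:
                return "deny", f"{rule.name}: list '{rule.src.name}' not loaded"
            continue
        if rule.src.contains(ip):
            return rule.action, rule.name
    return "deny", "implicit deny"


def boot_scenario():
    """Replay the post's situation with constructed addresses; return the verdicts."""
    # Constructed data: 198.51.100.0/24 stands in for the 'US' geo range and
    # 198.51.100.0/28 for a blocked ASN that the feed publishes.
    us_geo = AddressList("us-geo")
    us_geo.load(["198.51.100.0/24"])            # available at boot
    bad_asn_feed = AddressList("bad-asn-feed")  # not fetched yet

    rules = [
        Rule("deny-bad-asn", "deny", bad_asn_feed),
        Rule("allow-us-vpn", "accept", us_geo),
    ]
    feed_listed_ip = "198.51.100.7"    # US address that the feed will block
    clean_us_ip = "198.51.100.200"
    non_us_ip = "203.0.113.9"

    results = {}
    results["before_fetch_fail_open"] = evaluate(rules, feed_listed_ip, fail_closed=False)
    results["before_fetch_fail_closed"] = evaluate(rules, feed_listed_ip, fail_closed=True)

    bad_asn_feed.load(["198.51.100.0/28"])      # the feed finally arrives
    results["after_fetch_listed"] = evaluate(rules, feed_listed_ip, fail_closed=False)
    results["after_fetch_clean"] = evaluate(rules, clean_us_ip, fail_closed=False)
    results["after_fetch_non_us"] = evaluate(rules, non_us_ip, fail_closed=False)
    return results


if __name__ == "__main__":
    for name, verdict in boot_scenario().items():
        print(f"{name:26} -> {verdict}")
```

Under fail-open semantics the listed address is accepted by `allow-us-vpn` until the feed loads, which is the window the post describes; under fail-closed semantics it is denied from the first packet. The practical takeaway for any feed-driven policy is to confirm the feed reports a successful fetch before treating a deny rule as effective, and to keep a static (non-feed) restriction above the feed-based rules as a fallback that does not depend on a fetch.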

hbac
Staff

Hi @kunin,

What do you see in the logs after the reboot? Do you see the same behavior for IP groups and feeds?

Regards, 
