General Policy Question
Hi there,
I'm trying to learn the policy setup of the FortiGate product. Can anyone tell me why I need some specific policy for allowing traffic? I saw that some allow policies in my current environment have specific source and destination IP addresses (assuming all settings are the same except source and destination). Why can't an allow policy from "all" source to "all" destination take care of the traffic? Thank you.
You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally, you should only create policies/enable access for IPs and services that are as specific as possible.
neonbit wrote: You can certainly create an all > all policy to match everything, but in the security world this is not best practice. Ideally, you should only create policies/enable access for IPs and services that are as specific as possible.
Thank you for the answer, Neonbit. Now I'm confused by an issue I encountered. We need a v server to connect to an external IP address. We do have the policy of "all" to "all" from inside to outside. The traffic flow wasn't stable; it was on and off, and super slow. But as soon as I created a specific policy for this task, the issue was gone. Do you know the reason?
I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?
Ken Felix
PCNSE
NSE
StrongSwan
emnoc wrote: I highly doubt a specific policy was the issue. What was your any/any policy? Did you have any UTM features enabled?
Ken Felix
Hi Ken,
Thank you for helping me out on this post as well. Comparing the two policies, the only difference is that the any/any policy has a few security profiles enabled. Can you explain why that might cause the issue? Thanks.
What is in your security policy?
i.e. show full firewall policy <id>
Without knowing what you had enabled, it would be hard to make a determination of the issue(s).
Ken Felix
PCNSE
NSE
StrongSwan
Is this thread no longer needed? As per the other thread from the OP, https://forum.fortinet.com/tm.aspx?m=181788, there was a misconfiguration elsewhere, not on the FW.
Generally this is because all FortiGates have one policy (#0) that blocks everything to everything.
So one needs policies that match before #0 to allow traffic.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Correct, an implicit deny exists. So if you do not match any of the other policy IDs (greater than 0, per se), then the ultimate action is to drop.
Without seeing what he had enabled, we would not know the difference between the two policy IDs.
Ken Felix
PCNSE
NSE
StrongSwan
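The last two replies describe the rule that decides every session on a FortiGate: policies are walked top to bottom, the first one whose interface pair, addresses and service match is applied (including whatever security profiles it carries), and if none matches the implicit deny (#0) drops the traffic. The following Python model is an added example written for this thread, not FortiOS code or anything posted by the participants; the policy fields, interface names, addresses (documentation ranges) and profile names are all constructed. It shows which policy a given session lands on, that the specific policy placed above the any/any one is hit without the any/any policy's profiles, and that a specific policy placed below an any/any accept can never match (it is shadowed). Whether that difference explains the slowness in the original question cannot be told from the thread, as the replies say.

```python
"""Toy first-match firewall policy evaluator with an implicit deny (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str                      # CIDR or "all"
    dstaddr: str                      # CIDR or "all"
    service: str                      # "ALL" or "<proto>/<port>", e.g. "tcp/443"
    action: str                       # "accept" or "deny"
    profiles: Tuple[str, ...] = ()    # security (UTM) profiles applied when accepted


# Policy #0: the implicit deny consulted only when no configured policy matches.
IMPLICIT_DENY = Policy(0, "any", "any", "all", "all", "ALL", "deny")


def _addr_matches(spec: str, ip: str) -> bool:
    """Does address object `spec` contain the single host `ip`?"""
    if spec == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _addr_covers(spec: str, other: str) -> bool:
    """Does address object `spec` contain every address of object `other`?"""
    if spec == "all":
        return True
    if other == "all":
        return False
    return ipaddress.ip_network(other, strict=False).subnet_of(
        ipaddress.ip_network(spec, strict=False))


def _service_covers(spec: str, other: str) -> bool:
    return spec == "ALL" or spec == other


def lookup(policies: List[Policy], srcintf: str, dstintf: str,
           src: str, dst: str, service: str) -> Policy:
    """First-match walk in configured order; fall through to the implicit deny."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_matches(p.srcaddr, src)
                and _addr_matches(p.dstaddr, dst)
                and _service_covers(p.service, service)):
            return p
    return IMPLICIT_DENY


def shadowed(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never be hit because an earlier policy covers them entirely."""
    hidden = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.srcintf == later.srcintf and earlier.dstintf == later.dstintf
                    and _addr_covers(earlier.srcaddr, later.srcaddr)
                    and _addr_covers(earlier.dstaddr, later.dstaddr)
                    and _service_covers(earlier.service, later.service)):
                hidden.append(later.policy_id)
                break
    return hidden


# Constructed sample: one internal server talking to one external host over HTTPS.
SERVER = "10.0.0.25"
EXTERNAL = "203.0.113.10"             # TEST-NET-3 documentation address
SPECIFIC = Policy(2, "internal", "wan1", "10.0.0.25/32", "203.0.113.10/32",
                  "tcp/443", "accept")
ANY_ANY = Policy(1, "internal", "wan1", "all", "all", "ALL", "accept",
                 ("av-default", "ips-default"))   # hypothetical profile names

GOOD_ORDER = [SPECIFIC, ANY_ANY]      # specific rule above the broad one
BAD_ORDER = [ANY_ANY, SPECIFIC]       # broad rule first: #2 is dead weight


if __name__ == "__main__":
    hit = lookup(GOOD_ORDER, "internal", "wan1", SERVER, EXTERNAL, "tcp/443")
    print(f"server->external hits policy {hit.policy_id}, profiles={hit.profiles}")
    other = lookup(GOOD_ORDER, "internal", "wan1", "10.0.0.77", EXTERNAL, "tcp/443")
    print(f"other host hits policy {other.policy_id}, profiles={other.profiles}")
    inbound = lookup(GOOD_ORDER, "wan1", "internal", EXTERNAL, SERVER, "tcp/443")
    print(f"unsolicited inbound hits policy {inbound.policy_id} ({inbound.action})")
    print(f"shadowed in BAD_ORDER: {shadowed(BAD_ORDER)}")
```

The `shadowed` check is the part worth keeping around: an any/any accept near the top of a policy list silently makes every narrower accept below it for the same interface pair unreachable, which is one reason the replies recommend specific policies rather than a single catch-all.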
