unknown1020
New Contributor III

Implicit Deny in FortiGate

Good morning friends, could you help me understand the purpose of “Implicit Deny” (ID 0)?
In my FW I have 3 DENY policies: 2 Policies so that attacking IPs do not communicate with my internal network and the other policy is the “Implicit Deny” (ID 0).
Can you clarify the behavior of “Implicit Deny” for me? I would understand that if traffic does not trigger any rule prior to it, by default, Deny would be given to everything. So it wouldn't be necessary to create other DENY rules?

 

fricci_FTNT
Staff

Hi @unknown1020 ,

 

The implicit deny is a common practice on a lot of firewalls. If anything is not explicitly allowed it is automatically denied by the implicit deny. Without the implicit deny you might have some traffic "leaking".

Hope it helps.

Best regards,

unknown1020

So it would no longer be necessary to create deny rules?

Since I have a specific rule for wan --> source to lan --> destination, does this rule no longer work because of the implicit rule?

abelio
Valued Contributor

Not exactly; if you've defined a wan->lan policy with source 'all' you could be opening something you don't need.

Check the docs for deny policy and match-vip.

This one for instance:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-DENY-Policy-for-Virtual-IP-Firewall-Policy...

regards / Abel
pminarik

Correct, in essence.

With carefully created allow-policies, only allowing precisely what is desired to be allowed, everything unwanted should be captured and dropped by the implicit deny rule.

 

Additional deny rules are almost always created to override other allow-policies, which, for various reasons, have been created to allow "too much".

 

For example, you will probably run into this sort of setup:

1: WAN->DMZ, src=Geo-IP for country-X, dst=VIP, action=deny

2: WAN->DMZ, src=all, dst=VIP, action=accept


This is one common way of allowing access to some server represented by the VIP object to the whole world, except country-X. The deny-policy n1 being necessary is a consequence of the policy n2 being "too open" when interpreted from a certain point of view.

 

An alternative approach would be to create a policy with negated source (="match everything except X"):

1: WAN->DMZ, src=Geo-IP for country-X, srcaddr-negate=enable, dst=VIP, action=accept

 

This policy says "allow every source, except country-X", resulting in traffic from country-X being denied by the implicit deny policy. However, from my personal experience, source-, destination-, and service-negation are not used much by customers, which is where some of the additional deny-policy usage usually comes from.

[ corrections always welcome ]
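The two setups described in the post above, modelled as a small first-match evaluator (an added example, not part of the original post and not FortiOS code). The addresses, the `Policy` class and the `evaluate` function are constructed for illustration; interfaces, services and real Geo-IP lookups are left out. It also covers the misordered case where the broad accept sits above the deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample objects (documentation address ranges, not real Geo-IP data).
COUNTRY_X = [ipaddress.ip_network("203.0.113.0/24")]   # stand-in for "Geo-IP for country-X"
ALL = [ipaddress.ip_network("0.0.0.0/0")]              # stand-in for src=all
VIP = ipaddress.ip_address("198.51.100.10")            # stand-in for the VIP object

@dataclass
class Policy:
    pid: int
    src: list
    dst: ipaddress.IPv4Address
    action: str                 # "accept" or "deny"
    src_negate: bool = False    # models srcaddr-negate=enable

    def matches(self, src_ip, dst_ip):
        in_src = any(src_ip in net for net in self.src)
        if self.src_negate:
            in_src = not in_src  # "match everything except X"
        return in_src and dst_ip == self.dst

def evaluate(policies, src, dst):
    """Top-down, first match wins; no match falls through to implicit deny (ID 0)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.matches(src_ip, dst_ip):
            return p.pid, p.action
    return 0, "deny"

# Setup 1: explicit deny placed above a broad accept.
DENY_THEN_ACCEPT = [Policy(1, COUNTRY_X, VIP, "deny"),
                    Policy(2, ALL, VIP, "accept")]
# Setup 2: one accept with negated source; country-X falls to implicit deny.
NEGATED_ACCEPT = [Policy(1, COUNTRY_X, VIP, "accept", src_negate=True)]
# Misordered variant of setup 1: the broad accept shadows the deny below it.
SHADOWED = [Policy(2, ALL, VIP, "accept"),
            Policy(1, COUNTRY_X, VIP, "deny")]

if __name__ == "__main__":
    for name, pols in [("deny+accept", DENY_THEN_ACCEPT),
                       ("negated", NEGATED_ACCEPT),
                       ("shadowed", SHADOWED)]:
        for src in ("203.0.113.7", "192.0.2.50"):
            print(name, src, evaluate(pols, src, str(VIP)))
```

In both correct setups the country-X source is dropped; the difference is which policy ID records the drop (1 versus 0), which matters when reading deny logs.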
Krmw

I am facing an issue on a FortiGate firewall 1100 E. The issue is that I have 2000 policies, but all traffic is still matching the Implicit Deny. Please help here.

esalija

Hi @Krmw 

 

Please run the command below to check which policy should match on the FortiGate:

 

# diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

Please refer to the KB for more details - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Trace-which-firewall-policy-will-match-bas...

 

Best regards,

Erlin

esalija
Staff

Hi,

Yes, correct: if the traffic does not match any of the above firewall policies that you created, it will be "Deny" by the last firewall policy 0. Please check the KB - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implicit-deny-logs/ta-p/194602

https://community.fortinet.com/t5/Support-Forum/Blocking-connection-by-Implicit-Deny/td-p/246145

Best regards,

Erlin

 


 

 

abelio
Valued Contributor

Hello "unknown1020",
"everything is denied unless it's explicitly allowed" is the basic rule of a new and correctly configured firewall.

That policy is located at the bottom of the list, and you add your policies allowing or denying specific traffic.

If you enable the logging feature in this ID 0 policy, you'll see a lot of logs of activity showing how your firewall is working.

More info about this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implicit-deny-logs/ta-p/194602

regards / Abel
kvimaladevi
Staff

Hi unknown1020,

 

Unless you have a policy on top allowing all source to all destination in the firewall policy, not all traffic will be allowed. You can configure policies for required source, destination and services while the other traffic will be denied automatically by the implicit deny. 

Regards,

Vimala
