Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tanr
Valued Contributor II

Match-vip clarification for deny rules

I'm trying to clarify my understanding of match-vip in firewall policies.  This is for 5.4.5.

 

Per http://docs.fortinet.com/d/fortigate-fortios-5.4.4-cli-reference, page 92, you need to set match-vip on any DENY rule to allow that rule to actualy match DNATed packets.  This was discussed quite a bit in thread: https://forum.fortinet.com/tm.aspx?m=112129.   

 

The documentation also states that the default implicit deny rule *may* not actually match in these cases and the packet will be silently dropped.

 

Questions:

[ol]
  • Could enabling match-vip for a policy make that policy not accept/match packets it might otherwise have accepted?
  • Are we guaranteed that DNATed packets will get dropped even if they fall through but don't match the default deny rule?
  • Is there any way to have a default deny rule that does match-vip without disabling Interface Pair View?  Is there some way to edit the default deny rule itself to enable match-vip for it?  And if that is possible, would it cause other problems?[/ol]

     

    Thanks in advance for any clarification of this.

     

  • 1 REPLY 1
    Prab
    New Contributor

    Hi Tanr,

     

    I was recently in the same boat and after doing some tests on FortiOS 5.6.3, I figured out some points as mentioned below:

     

    If you configure "set match-vip enable" command on a IPv4 policy, it will catch traffic destined to a VIP & as well as the traffic destined to any normal firewall address object (non VIP).

     

    Regarding question 2, I think the FGT will forward/drop that packet depending upon if there is an active network device with the IP address for which the VIP is created. The FGT would need the MAC address of the destined device in order to forward the packet.

    If there is an active network device which has the same IP that has been configured in a VIP. The FGT will forward the packet to it. Now its upon that end device either to reply back or to not.

    In case there is no device with same IP, then FGT cannot forward the packet as it will not get any ARP reply, and will finally will not be able to create the packet without the MAC address.

     

    Regarding the question 3, I have noticed that as soon as you have more than one interface mentioned in any IPv4 firewall policy, then you immediately loose the interface view. For eg: If you have "any" as an interface. The default deny rule does not count here & is the only exception here.

     

     

    Hope it was helpful!

    Thanks & regards,

    Prab

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors