Policy order: any int to any int or specific interface pair

Toshi_Esumi · ‎02-15-2024

Please let me make sure the order a FGT examine policies.
If there is a specific policy from a specific interface like "lan" to another specific interface like "wan1" with "any" source and "any" destination, it would be examined before another policy from "any" interface for a specific source IP set to "any" interface for "any" destination, even if the source IP matches one of those specified. Right?

I just want to make sure my basic/fundamental understanding is correct.

Toshi

Toshi_Esumi · ‎02-15-2024

I found the answer myself by moving the deny policy at the top in the sequence. It's now blocking.
So if "any" int->"any" int "deny" policy comes first before the specific interface pair allow policy, it would match the deny policy first.

Toshi

View solution in original post

Toshi_Esumi · ‎02-15-2024

Or, unless the "any" int->"any" int "deny" policy is "placed in the sequence" before the specific int pair policy?

Toshi_Esumi · ‎02-15-2024

I found the answer myself by moving the deny policy at the top in the sequence. It's now blocking.
So if "any" int->"any" int "deny" policy comes first before the specific interface pair allow policy, it would match the deny policy first.

Toshi

Policy order: any int to any int or specific interface pair

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website