
The FortiGate unit matches Virtual IP (VIP) firewall policies differently from regular firewall policies. Traffic whose destination has been translated by a VIP is not matched against a "regular" DENY policy (one whose destination is an ordinary address object such as "all"), so if the VIP policy sits below that DENY policy in the sequence, the VIP traffic skips the DENY policy and is still allowed through by the VIP policy. Policy order alone does not block it.


(Figure: DENY firewall policy placed above the VIP policy)

There are two ways to make the DENY policy apply to the VIP traffic:

1. Create a DENY firewall policy specifically for the VIP that is to be blocked (with the VIP itself as the destination address) and place it above the VIP ACCEPT policy, or

2. Enable the "match-vip" option on the existing DENY firewall policy from the CLI, so that it also matches packets whose destination address has been translated by a VIP (the option is only offered on policies whose action is DENY):
# config firewall policy
# edit <firewall policy ID>
# set match-vip enable
# next
# end

After either change, verify with "show firewall policy" that the DENY policy still sits above the VIP policy in the sequence; the fix only works for DENY policies evaluated before the VIP policy.
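The following is an added example, not Fortinet code or anything from the original article. It audits the text of a FortiOS configuration (the `config firewall vip` and `config firewall policy` sections of `show` or `show full-configuration` output, or a config backup) for exactly the situation described above: a DENY policy that sits above a VIP ACCEPT policy without either `set match-vip enable` or the VIP in its own dstaddr, i.e. without either of the two fixes. The sample configuration, the VIP name "web-vip", the address object "blocked-hosts" and the policy IDs 10 and 20 are constructed for the example. Two assumptions are built in: a policy with no `set action` line is treated as DENY (the FortiOS default, which `show` omits), and a DENY policy with no `set match-vip enable` line is treated as not matching VIP traffic (the behaviour the article describes; on a release where match-vip is on by default, feed it `show full-configuration` output, which prints defaults explicitly). The check deliberately ignores interface, source and service overlap, so its hits are candidates to review rather than proof of a bypass.

```python
"""Audit a FortiOS config dump for DENY policies that VIP traffic can slip past.

Added example (not Fortinet code). Parses `config firewall vip` and
`config firewall policy` sections and reports every DENY policy that sits
above a VIP-based ACCEPT policy without `set match-vip enable` and without
the VIP itself in its dstaddr, i.e. without either fix from the article.
"""
import re

# Constructed sample: policy 10 is meant to block "blocked-hosts", but traffic
# to the VIP "web-vip" skips it and is accepted by policy 20.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "192.0.2.10"
        set extintf "wan1"
    next
end
config firewall policy
    edit 10
        set name "block-bad-hosts"
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "blocked-hosts"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
    edit 20
        set name "publish-web"
        set srcintf "wan1"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')


def _tokens(line):
    """Split one FortiOS CLI line into tokens, dropping the quotes around names."""
    return [t.strip('"') for t in _TOKEN.findall(line.strip())]


def parse_config(text):
    """Return (vip_names, policies). Each policy is a dict with its numeric id
    plus one entry per `set` keyword holding the list of values (dstaddr and
    service may list several names). Policies keep their sequence order."""
    vips, policies = set(), []
    path, current = [], None          # path = stack of open `config` sections
    for raw in text.splitlines():
        tok = _tokens(raw)
        if not tok:
            continue
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            path.pop()
        elif tok[0] == "edit":
            if path and path[-1] == "firewall vip":
                vips.add(tok[1])
            elif path and path[-1] == "firewall policy":
                current = {"id": int(tok[1])}
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[0] == "next" and current is not None:
            policies.append(current)
            current = None
    return vips, policies


def find_vip_bypasses(text):
    """List (deny_id, accept_id, vip) triples where DENY policy deny_id sits above
    an ACCEPT policy for vip but would not see that VIP's traffic. FortiOS matches
    top-down, so only DENY policies earlier in the sequence are considered.
    Assumption: a missing `set action` means deny (the FortiOS default), and a
    missing `set match-vip` means match-vip is disabled."""
    vips, policies = parse_config(text)
    findings = []
    for i, deny in enumerate(policies):
        if deny.get("action", ["deny"]) != ["deny"]:
            continue
        if deny.get("match-vip") == ["enable"]:
            continue                              # fix 2: DENY also matches VIP traffic
        denied_vips = vips & set(deny.get("dstaddr", []))
        for accept in policies[i + 1:]:
            if accept.get("action", ["deny"]) != ["accept"]:
                continue
            for vip in sorted(vips & set(accept.get("dstaddr", []))):
                if vip not in denied_vips:        # fix 1: VIP-specific DENY above
                    findings.append((deny["id"], accept["id"], vip))
    return findings


def enable_match_vip(text, policy_id):
    """Return the config text with `set match-vip enable` added to one policy,
    mirroring what the CLI fix in the article does."""
    out, in_target = [], False
    for line in text.splitlines():
        tok = _tokens(line)
        if tok[:2] == ["edit", str(policy_id)]:
            in_target = True
        elif tok == ["next"] and in_target:
            out.append("        set match-vip enable")
            in_target = False
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for deny_id, accept_id, vip in find_vip_bypasses(SAMPLE_CONFIG):
        print(f"DENY policy {deny_id} is skipped by traffic to VIP {vip!r}, "
              f"which ACCEPT policy {accept_id} lets through")
    print("after enabling match-vip on policy 10:",
          find_vip_bypasses(enable_match_vip(SAMPLE_CONFIG, 10)))
```

Run it against a saved `show firewall policy` plus `show firewall vip` dump by replacing `SAMPLE_CONFIG`; a VIP-specific DENY (fix 1) is recognised as well, because a DENY whose dstaddr already names the VIP is not reported for that VIP.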