FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192456


The FortiGate unit matches Virtual IP (VIP) firewall policies differently from regular firewall policies: if a VIP firewall policy sits below a "regular" DENY firewall policy, traffic destined for the VIP still passes through.


DENY firewall policy


There are two options to handle this situation:

1. Specify the "Action" as DENY on a firewall policy that is specifically created for the VIP that is to be blocked, or

2. Configure the "match-vip" option for the DENY firewall policy in CLI:

config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end



Note: In FortiOS v6.4.3 and above, 'set match-vip enable' is only available within the firewall policy when the action of the policy is set to DENY.