Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
APAC_Beta_FTNT
Staff
Staff

Created on ‎11-02-2011 01:37 AM Edited on ‎12-15-2021 02:12 AM By Community Manager

Article Id 192456

Technical Tip: DENY Policy for Virtual IP Firewall Policy

Description

The FortiGate unit matches Virtual IP firewall policies differently from regular firewall policies. If there is a VIP firewall policy below a "regular" DENY firewall policy, the VIP traffic will still be able to go through.


Scope

DENY firewall policy


Solution

There are basically two options to handle this situation:

1. Specify the "Action" as DENY on a firewall policy that is specifically created for the VIP that is to be blocked, or

2. Configure the "match-vip" option for the DENY firewall policy in CLI:

#config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end

 

 

Note: In FortiOS v6.4.3 and above, 'set match-vip enable' is only available within the Firewall Policy When the ACTION of the policy is set to DENY.

Labels:
19471
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.