The FortiGate unit matches Virtual IP (VIP) firewall policies differently from regular firewall policies. If a VIP firewall policy sits below a "regular" DENY firewall policy, traffic destined for the VIP is not stopped by that DENY policy and still passes through.
There are basically two options to handle this situation:
1. Specify the "Action" as DENY on a firewall policy that is specifically created for the VIP that is to be blocked, or
2. Configure the "match-vip" option on the DENY firewall policy in the CLI:

config firewall policy
    edit <fw_policy_id>
        set srcintf "portx"
        set dstintf "porty"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
    next
end
Note: In FortiOS v6.4.3 and above, 'set match-vip enable' is only available within a firewall policy when the action of that policy is set to DENY.
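The following is an added example, not FortiOS code and not part of the original article. It is a simplified Python model of the policy lookup behaviour described above: traffic that hit a VIP (and was therefore DNATed) is skipped by a DENY policy whose destination is "all", unless that policy has match-vip enabled or names the VIP object explicitly. The VIP name "web_vip", the interface "port1" and the addresses 203.0.113.10, 10.0.0.10 and 198.51.100.5 are constructed sample values; dstintf, schedule and service matching are left out to keep the model small.

```python
"""Simplified model of how a FortiGate evaluates DENY policies against VIP traffic.

Added example (assumption-based model, not FortiOS code). It reproduces the
behaviour the article describes: a regular DENY policy with dstaddr "all" does
not catch VIP (DNAT) traffic unless match-vip is enabled on it, or the policy
names the VIP object as its destination.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class VIP:
    name: str
    extip: str       # external address that clients connect to
    mappedip: str    # internal address the traffic is DNATed to


@dataclass
class Policy:
    policyid: int
    srcintf: str
    dstaddr: Set[str]          # address object names, e.g. {"all"} or {"web_vip"}
    action: str                # "accept" or "deny"
    match_vip: bool = False    # the CLI option 'set match-vip enable'


@dataclass
class Packet:
    srcintf: str
    dst_ip: str
    vip: Optional[VIP] = None  # set once a VIP translated the destination


def apply_vip(pkt: Packet, vips: List[VIP]) -> Packet:
    """DNAT happens before policy lookup: rewrite dst_ip if a VIP matches."""
    for v in vips:
        if pkt.dst_ip == v.extip:
            return Packet(pkt.srcintf, v.mappedip, vip=v)
    return pkt


def policy_matches(pol: Policy, pkt: Packet) -> bool:
    if pol.srcintf != pkt.srcintf:
        return False
    if pkt.vip is None:
        # Regular (non-VIP) traffic: "all" covers every destination.
        return "all" in pol.dstaddr
    # VIP traffic: "all" does not cover it; the policy must either opt in
    # with match-vip or name the VIP object explicitly.
    if pol.match_vip:
        return True
    return pkt.vip.name in pol.dstaddr


def lookup(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First match wins, top to bottom, like the FortiGate policy table."""
    for pol in policies:
        if policy_matches(pol, pkt):
            return pol
    return None  # no match: implicit deny


def decide(policies: List[Policy], vips: List[VIP], pkt: Packet) -> Tuple[str, Optional[int]]:
    pkt = apply_vip(pkt, vips)
    pol = lookup(policies, pkt)
    return ("implicit-deny", None) if pol is None else (pol.action, pol.policyid)


# Constructed sample objects (documentation address ranges, not real hosts).
VIPS = [VIP("web_vip", "203.0.113.10", "10.0.0.10")]
VIP_PACKET = Packet("port1", "203.0.113.10")      # client hitting the VIP
PLAIN_PACKET = Packet("port1", "198.51.100.5")    # client hitting a non-VIP address


def weak_policies() -> List[Policy]:
    """Regular DENY above the VIP policy: does NOT stop VIP traffic."""
    return [Policy(1, "port1", {"all"}, "deny"),
            Policy(2, "port1", {"web_vip"}, "accept")]


def match_vip_policies() -> List[Policy]:
    """Option 2 from the article: same DENY policy with match-vip enabled."""
    return [Policy(1, "port1", {"all"}, "deny", match_vip=True),
            Policy(2, "port1", {"web_vip"}, "accept")]


def vip_specific_deny_policies() -> List[Policy]:
    """Option 1 from the article: a DENY policy created for the VIP itself."""
    return [Policy(1, "port1", {"web_vip"}, "deny"),
            Policy(2, "port1", {"web_vip"}, "accept")]


if __name__ == "__main__":
    for label, pols in (("weak", weak_policies()),
                        ("match-vip", match_vip_policies()),
                        ("vip-specific deny", vip_specific_deny_policies())):
        print(label, "VIP traffic ->", decide(pols, VIPS, VIP_PACKET),
              "| plain traffic ->", decide(pols, VIPS, PLAIN_PACKET))
```

Running the block shows the ordering trap: with the "weak" table the VIP packet is accepted by policy 2 even though the DENY policy 1 is above it, while plain traffic to a non-VIP address is denied by policy 1 as expected. Both of the article's remedies make policy 1 catch the VIP packet.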