Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

Created on ‎11-09-2023 06:49 AM

Implicit Deny in FortiGate

Good morning friends, could you help me understand the purpose of “Implicit Deny” (ID 0)?
In my FW I have 3 DENY policies: 2 Policies so that attacking IPs do not communicate with my internal network and the other policy is the “Implicit Deny” (ID 0).
Can you clarify for me about the behavior of “Implicit Deny”, I would understand that if it does not trigger any rule prior to it, by default, Deny would be given to everything. So it wouldn't be necessary to create other DENY rules?

 

Screenshot_62.jpg

 

Labels:
3832
0 Kudos
10 REPLIES 10
fricci_FTNT
Staff
Staff

Created on ‎11-09-2023 06:58 AM

Hi @unknown1020 ,

 

The implicit deny is a common practice on a lot of firewalls. If anything is not explicitly allowed it is automatically denied by the implicit deny. Without the implicit deny you might have some traffic "leaking".

Hope it helps.

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
3628
unknown1020
New Contributor III
In response to fricci_FTNT

Created on ‎11-09-2023 10:29 AM

So it would no longer be necessary to create deny rules?

since I have a specific rule for wan --> source to lan --> destination. Does this rule no longer work because of the implicit rule?

3587
0 Kudos
abelio
SuperUser
SuperUser
In response to unknown1020

Created on ‎11-09-2023 10:46 AM Edited on ‎11-09-2023 10:47 AM

Not exactly; if you've defined a wan->lan policy with source 'all' you could be opening something you don´t need.

Check docs for deny policy and match-vip

This one for instance:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-DENY-Policy-for-Virtual-IP-Firewall-Policy...

regards




/ Abel

regards / Abel
3585
0 Kudos
pminarik
Staff
Staff
In response to unknown1020

Created on ‎02-05-2024 07:20 AM Edited on ‎02-05-2024 07:20 AM

Correct, in essence.

With carefully created allow-policies, only allowing precisely what is desired to be allowed, everything unwanted should be captured and dropped by the implicit deny rule.

 

Additional deny rules are almost always created to override other allow-policies, which, for various reasons, have been created to allow "too much".

 

For example, you will probably run into this sort of setup:

1: WAN->DMZ, src=Geo-IP for country-X, dst=VIP, action=deny

2: WAN->DMZ, src=all, dst=VIP, action=accept


This is one common way of allowing access to some server represented by the VIP object to the whole world, except country-X. The deny-policy n1 being necessary is a consequence of the policy n2 being "too open" when interpreted from a certain point of view.

 

An alternative approach would be to create a policy with negated source (="match everything except X"):

1: WAN->DMZ, src=Geo-IP for country-X, srcaddr-negate=enable, dst=VIP, action=accept

 

This policy says "allow every source, except country-X", resulting in traffic from country-X being denied by the implicit deny policy. However, from my personal experience, source-, destination-, and service-negation are not used much by customers, which is where some of the additional deny-policy usage usually comes from.

[ corrections always welcome ]
2451
0 Kudos
Krmw
New Contributor
In response to fricci_FTNT

Created on ‎02-05-2024 06:12 AM

I am facing one of issue on fortigate firewall 1100 E. issue is i have 2000 numbers policy but still all traffic matching with Implicit deny. Please help here.

2468
0 Kudos
esalija
Staff
Staff
In response to Krmw

Created on ‎02-05-2024 06:23 AM

Hi @Krmw 

 

Please run the below command to check which is the policy that should match in the FortiGate

 

# diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

Please refer to the KB for more details - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Trace-which-firewall-policy-will-match-bas...

 

Best regards,

Erlin

2464
0 Kudos
esalija
Staff
Staff

Created on ‎11-09-2023 06:59 AM

Hi,

Yes, correct if the traffic does not match any of the above firewall policies that you created, it will be "Deny" by the last firewall policy 0. Please check the KB - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implicit-deny-logs/ta-p/194602 

https://community.fortinet.com/t5/Support-Forum/Blocking-connection-by-Implicit-Deny/td-p/246145

Best regards,

Erlin

 

If you have found a solution, please like and accept it to make it easily accessible to others.

 

 

3627
abelio
SuperUser
SuperUser

Created on ‎11-09-2023 07:02 AM

Hello "unknown1020"?
everything is denied unless it's explicit allowed is the basic rule of a new and correctly configured firewall.

That policy is located at the bottom of the list; and you add your policies allowing specific traffic or denied.

If you enable login feature in this 0 id policy you'll see a lot a logs of activity showing how your firewall is working.

More info about this:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implicit-deny-logs/ta-p/194602

regards




/ Abel

regards / Abel
3625
0 Kudos
kvimaladevi
Staff
Staff

Created on ‎11-10-2023 03:29 AM

Hi unknown1020,

 

Unless you have a policy on top allowing all source to all destination in the firewall policy, not all traffic will be allowed. You can configure policies for required source, destination and services while the other traffic will be denied automatically by the implicit deny. 

Regards,

Vimala

3558
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.