Friday, July 18, 2008

Deny Rules are counter intuitive in 3.0 MR6

Say you want to block traffic from a known bad IP on the Internet to all systems on your DMZ. All machines in the DMZ are natted to the outside world using Virtual IPs. Generally you would expect to create a rule like this:

From: External, IP address of bad external system
To: DMZ, Any
Action: Deny

In 3.0 MR6 (and potentially other versions) this does not work. You have to deny traffic to the specific NAT (VIP) addresses instead. The fastest way to do this is to create a VIP Group under Firewall -> Virtual IP -> VIP Group and add all your natted addresses to the group; call it "All NAT", for example. You would then build the following rule:

From: External, IP address of bad external system
To: DMZ, "All NAT"
Action: Deny

As per the official response from Fortinet, this is working as designed and is not a bug.
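The same VIP Group workaround expressed in the FortiOS CLI, as an added example that is not part of the original post. The interface names (external, dmz), the VIP names, the address object "BadGuy_A" with the constructed address 203.0.113.10, and the policy ID are assumptions; the command syntax follows the `config firewall` commands of the 3.0/4.0 CLI and should be checked against the MR6 CLI reference.

```fortios
# Address object for the known bad external host (constructed example address)
config firewall address
    edit "BadGuy_A"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Group every VIP that publishes a DMZ server; VIP names are assumptions
config firewall vipgrp
    edit "All NAT"
        set interface "external"
        set member "vip_web" "vip_mail"
    next
end

# Deny policy whose destination is the VIP group, not the DMZ "all" address.
# A deny with dstaddr "all" does not catch traffic arriving on the VIPs.
config firewall policy
    edit 10
        set srcintf "external"
        set dstintf "dmz"
        set srcaddr "BadGuy_A"
        set dstaddr "All NAT"
        set schedule "always"
        set service "ANY"
        set action deny
    next
    # First matching policy wins, so the deny must sit above any accept
    # policy that references the same VIPs (policy 1 is assumed to be one).
    move 10 before 1
end
```

Every new VIP added later must also be added to the "All NAT" group, otherwise traffic to that VIP bypasses the deny.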


Max said...

There is something else - usually if you have a "Deny" rule like "from Any to Any, Service Any, action Deny", nothing below the "Deny" rule should work, but if the next rule is some access to a VIP, you will receive traffic, and it's by design too...

Sebastian said...

Correct, it goes with what I was saying in the original post. Personally I think it needs to be changed since you get a false sense of security unless you are fully aware of the limitations.

Anonymous said...

If this is due to NAT being performed before filtering, then this makes sense to me. OpenBSD's pf does the same.

When thinking about filtering, you need to consider what the destination addresses have become after the translation.

Sebastian said...

Very true.
The reason for the post was that even though I deal with the FortiGates every day, it was not immediately obvious to me that I couldn't block traffic from "Bad Guy A" to any server in the DMZ with a very simple rule. I wanted to make sure that I pass on that tidbit of information. Which is really the point of the blog ;)