2023/01/04

FortiGate outside-to-inside policy not taking effect

On the FortiGate firewall, two policies are configured for outside-to-inside traffic:

Policy 1: specific external IP -> internal ALL -> all services ==> block

Policy 2: specific external IP -> specific internal host -> all services ==> block

It turned out that this specific external IP was not blocked by Policy 1 at all; it was only blocked once it matched Policy 2, which was very strange. After asking the vendor, we learned that there is one point in the configuration that needs special attention.

Some internal hosts provide services to the outside through the Virtual IP (VIP) feature. When an outside-to-inside policy has its internal (destination) side set to ALL, you therefore have to switch to the CLI and add "set match-vip enable" to that policy; only then does the block also apply to external hosts that connect in through a VIP.

This is why Policy 1 had no effect while Policy 2 worked.
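The configuration described above, written out as a FortiOS CLI example. This is an added illustration, not the configuration from the original post; every name, interface, policy ID and address in it is a constructed placeholder, and the "#" lines are explanatory comments rather than commands.

```fortios
# Added example (not from the original post). Interface names, object names,
# policy IDs and IP addresses are constructed placeholders.

# 1. Address object for the external host that should be blocked.
config firewall address
    edit "blocked-external-host"
        set subnet 203.0.113.50 255.255.255.255
    next
end

# 2. VIP that publishes an internal web server to the outside.
config firewall vip
    edit "vip-web-server"
        set extip 198.51.100.10
        set extintf "wan1"
        set mappedip "10.0.0.10"
        set portforward enable
        set extport 443
        set mappedport 443
    next
end

config firewall policy
    # 3. Policy 1: deny the host to "all". Without match-vip this policy does
    #    not match packets whose destination was rewritten by a VIP, so the
    #    host still reaches the server behind vip-web-server. match-vip is
    #    only available on deny policies.
    edit 1
        set name "deny-host-to-all"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-external-host"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip enable
        set logtraffic all
    next
    # 4. Policy 2: deny the host to the VIP explicitly. This matches even
    #    without match-vip because the destination is the VIP object itself.
    edit 2
        set name "deny-host-to-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-external-host"
        set dstaddr "vip-web-server"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 5. Confirm the CLI-only setting actually stuck (it is not shown in the GUI):
# show firewall policy 1
```

Two practical checks follow from this. First, policy lookup is first match, so the deny policy has to sit above the allow policy that publishes the VIP, or the allow policy will win regardless of match-vip. Second, because match-vip is set only from the CLI, a later edit of the policy in the GUI is worth re-checking with "show firewall policy 1" to make sure the setting is still present.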

