Deny policies

Deny security policies block traffic coming into the network. The FortiGate unit automatically drops any traffic that matches a deny security policy.

Deny security policies are usually configured when you need to restrict specific traffic, for example, SSH traffic. Deny security policies can also help when you want to block a service, such as DNS, but allow a specific DNS server.

Deny policies are not equally effective in every position of the policy list. Only a deny policy that contains a VIP will block traffic directed at that VIP. Because policies with VIPs are processed before other policies, placing an ordinary deny policy earlier in the list will not stop that traffic. For more on this topic, read Exception to policy order.
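The two situations described above (blocking DNS except to one approved server, and denying a service on a published VIP) expressed in FortiOS CLI, as an added example that is not from the FortiGate documentation; the interface names, address and VIP objects, and IP addresses are assumed. Policies are matched in list order, so the accept policy is created before the deny that follows it.

```fortios
# Added example; object names, interfaces and addresses are assumed.
config firewall address
    edit "corp-dns-server"
        set subnet 192.0.2.53 255.255.255.255
    next
end
config firewall vip
    edit "web-vip"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end
config firewall policy
    # Allow DNS only to the approved server; listed first so it matches before the deny.
    edit 10
        set name "allow-corp-dns"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "corp-dns-server"
        set action accept
        set schedule "always"
        set service "DNS"
    next
    # Deny DNS to every other destination; logging the denies shows hosts still using other resolvers.
    edit 11
        set name "deny-other-dns"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
    # VIP policies are matched before other policies, so this deny must name the VIP itself;
    # a deny with dstaddr "all" placed higher in the list would not match traffic to the VIP.
    edit 20
        set name "deny-ssh-to-web-vip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action deny
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
```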