
Exception to policy order

There is a relevant exception to the normal top-down policy order. Policies that contain VIPs do not appear to behave the same way: traffic destined for a VIP is processed through the policy associated with that VIP before it is checked against other policies in the usual top-down order.

This only appears to contradict the policy-order rule because, when traffic is handled, firewall policies are not the first thing checked. VIP translations are checked first; if the traffic fits more than one VIP, the VIPs are evaluated in the same top-down order that policies follow. Whether or not a VIP has translated the destination, the traffic is then checked against the routing table, and if a route is found it is handed to the firewall policies, which are evaluated top-down.

This processing of traffic targeting a VIP only applies if there is a policy that includes the VIP and the traffic matches all of that policy's criteria. A VIP that is not referenced by any policy does not let traffic through on its own, so there is no need to worry about creating VIPs that are not controlled by a policy.

There are security implications to this behavior. An administrator could assume that a policy higher in the list will process traffic before it drops down to a policy containing a VIP. That assumption can let traffic pass through the firewall into a part of the network it was not intended for, or that it should not have reached at all. To prevent traffic being incorrectly allowed by a policy that contains a VIP, either make that policy more restrictive, or place a separate policy containing the same VIP earlier in the sequence that denies the traffic.
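To make the order concrete, here is a small Python model of the three phases just described (VIP lookup and DNAT, route lookup, then top-down policy lookup), run against the RDP VIP that appears in the trace further down this page. This is an added illustration, not FortiOS code: the routing table, the packet, and policies 10 and 14 are constructed for the example (only policy 15 comes from the page), and the rule that translated traffic is claimed only by a policy whose destination is that VIP is a modelling assumption taken from the text above.

```python
"""Simplified model of the packet-handling order described above:
VIP lookup (DNAT) first, then route lookup, then policies top-down.
Added illustration, not FortiOS code. Modelling assumption taken from the
text: once a VIP has translated a packet, only a policy that lists that VIP
as its destination can claim the session."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VIP:
    name: str
    extintf: str
    extip: str
    extport: int
    mappedip: str
    mappedport: int


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    dstaddr: str   # a VIP name, or a CIDR such as "0.0.0.0/0" for "all"
    action: str    # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    inintf: str
    src: str
    dst: str
    dport: int


# Constructed routing table: the mapped host sits behind internal5.
ROUTES = {ip_network("10.10.66.0/24"): "internal5",
          ip_network("0.0.0.0/0"): "wan1"}


def route_lookup(dst):
    """Longest-prefix match; returns the egress interface."""
    candidates = [n for n in ROUTES if ip_address(dst) in n]
    return ROUTES[max(candidates, key=lambda n: n.prefixlen)]


def vip_lookup(vips, pkt):
    """Phase 1: VIPs are checked top-down before any policy is consulted."""
    for v in vips:
        if (v.extintf, v.extip, v.extport) == (pkt.inintf, pkt.dst, pkt.dport):
            return v
    return None


def handle(vips, policies, pkt):
    """Return (action, policyid, translated destination) for one packet."""
    vip = vip_lookup(vips, pkt)
    dst, dport = (vip.mappedip, vip.mappedport) if vip else (pkt.dst, pkt.dport)
    outintf = route_lookup(dst)                      # Phase 2: routing
    for p in policies:                               # Phase 3: policies, top-down
        if p.srcintf != pkt.inintf or p.dstintf != outintf:
            continue
        if vip is not None:
            if p.dstaddr != vip.name:   # modelling assumption, see docstring
                continue
        elif ip_address(pkt.dst) not in ip_network(p.dstaddr):
            continue
        return p.action, p.policyid, f"{dst}:{dport}"
    return "deny", None, f"{dst}:{dport}"            # implicit deny


# The VIP and policy 15 match the trace on this page; the packet and
# policies 10 and 14 are constructed for the example.
RDP_VIP = VIP("RDP-VIP", "wan1", "24.212.230.77", 3389, "10.10.66.2", 3389)
RDP_PKT = Packet("wan1", "24.114.222.34", "24.212.230.77", 3389)
BLANKET_DENY = Policy(10, "wan1", "internal5", "0.0.0.0/0", "deny")
VIP_DENY = Policy(14, "wan1", "internal5", "RDP-VIP", "deny")
VIP_ALLOW = Policy(15, "wan1", "internal5", "RDP-VIP", "accept")


def assumed_order():
    """What the administrator expects: the blanket deny above should win."""
    return handle([RDP_VIP], [BLANKET_DENY, VIP_ALLOW], RDP_PKT)


def corrected_order():
    """The fix from the text: a deny carrying the same VIP, placed earlier."""
    return handle([RDP_VIP], [BLANKET_DENY, VIP_DENY, VIP_ALLOW], RDP_PKT)


def non_vip_traffic():
    """Traffic that no VIP claims follows the ordinary top-down order."""
    pkt = Packet("wan1", "24.114.222.34", "10.10.66.9", 22)
    return handle([RDP_VIP], [BLANKET_DENY, VIP_ALLOW], pkt)


if __name__ == "__main__":
    print("assumed  :", assumed_order())   # the blanket deny never sees the VIP session
    print("corrected:", corrected_order())
    print("non-VIP  :", non_vip_traffic())
```

Running it shows the point of the paragraph above: with only the blanket deny in place, the RDP packet is translated, routed to internal5 and accepted by policy 15; adding a deny that carries the same VIP above policy 15 is what actually stops it, while ordinary traffic to the same subnet is caught by policy 10 as expected.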

As evidence of this behaviour, look at the following packet-flow trace for a packet sent to a VIP. The packet is translated (DNAT) and routed before a policy allows it through the firewall.

2015-06-10 06:33:21 id=20085 trace_id=1 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 24.114.222.34:51434->24.212.230.77:3389) from wan1. flag [S], seq 1579917634, ack 0, win 8192"
2015-06-10 06:33:21 id=20085 trace_id=1 func=init_ip_session_common line=4522 msg="allocate a new session-01480894"
2015-06-10 06:33:21 id=20085 trace_id=1 func=fw_pre_route_handler line=174 msg="VIP-10.10.66.2:3389, outdev-wan1"
2015-06-10 06:33:21 id=20085 trace_id=1 func=__ip_session_run_tuple line=2534 msg="DNAT 24.212.230.77:3389->10.10.66.2:3389"
2015-06-10 06:33:21 id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.66.2 via internal5"
2015-06-10 06:33:21 id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-15:"
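The trace above can also be checked mechanically. The following Python is an added example, not part of the FortiOS documentation: it embeds the page's six trace lines verbatim, parses each into key/value fields, pulls out the DNAT mapping, the egress interface and the policy that allowed the session, and confirms that the DNAT event precedes the policy decision. It relies only on the field layout visible in these lines (`key=value` pairs with a quoted `msg`); the `Allowed by Policy-N:` pattern it matches is the one shown here and is not assumed to cover every message the flow trace can emit.

```python
"""Parse the packet-flow trace quoted on this page and verify that DNAT
happens before the policy decision. Added example, not FortiOS code."""
import re

# The six trace lines from this page, embedded verbatim.
TRACE = """\
2015-06-10 06:33:21 id=20085 trace_id=1 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 24.114.222.34:51434->24.212.230.77:3389) from wan1. flag [S], seq 1579917634, ack 0, win 8192"
2015-06-10 06:33:21 id=20085 trace_id=1 func=init_ip_session_common line=4522 msg="allocate a new session-01480894"
2015-06-10 06:33:21 id=20085 trace_id=1 func=fw_pre_route_handler line=174 msg="VIP-10.10.66.2:3389, outdev-wan1"
2015-06-10 06:33:21 id=20085 trace_id=1 func=__ip_session_run_tuple line=2534 msg="DNAT 24.212.230.77:3389->10.10.66.2:3389"
2015-06-10 06:33:21 id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.66.2 via internal5"
2015-06-10 06:33:21 id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-15:"
"""

# key=value pairs; a quoted value (msg="...") is taken whole so that the
# '=' signs inside the message text are not split into extra fields.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DNAT_RE = re.compile(r"DNAT (\S+)->(\S+)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")


def parse_trace(text):
    """Return one dict per non-empty trace line (id, trace_id, func, line, msg)."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        events.append({k: v.strip('"') for k, v in FIELD_RE.findall(raw)})
    return events


def session_summary(events):
    """Extract the DNAT mapping, egress interface and allowing policy."""
    summary = {"dnat": None, "route_intf": None, "policy": None}
    for ev in events:
        msg = ev.get("msg", "")
        m = DNAT_RE.search(msg)
        if m:
            summary["dnat"] = (m.group(1), m.group(2))
        if ev.get("func") == "vf_ip4_route_input" and "via " in msg:
            summary["route_intf"] = msg.rsplit("via ", 1)[-1].strip()
        m = POLICY_RE.search(msg)
        if m:
            summary["policy"] = int(m.group(1))
    return summary


def dnat_before_policy(events):
    """True when the first DNAT event precedes the first policy decision,
    which is the ordering the text above describes."""
    dnat_idx = [i for i, ev in enumerate(events) if DNAT_RE.search(ev.get("msg", ""))]
    pol_idx = [i for i, ev in enumerate(events) if POLICY_RE.search(ev.get("msg", ""))]
    if not dnat_idx or not pol_idx:
        return False
    return dnat_idx[0] < pol_idx[0]


if __name__ == "__main__":
    evs = parse_trace(TRACE)
    for ev in evs:
        print(f'{ev["func"]:<25} {ev["msg"]}')
    print(session_summary(evs))
    print("DNAT before policy decision:", dnat_before_policy(evs))
```

The same parser can be pointed at a longer capture to spot sessions where a DNAT line is followed by an allow from an unexpected policy ID, which is exactly the misordering the previous section warns about.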