FortiGate
Article Id 196544

Description

Firewall policies using VIP Groups match traffic only by the IP address of the VIP Group's member(s), not their port numbers.
Components
  • FortiOS v3.0 MR4
  • FortiOS v3.0 MR5
Details

When a firewall policy is configured to match addresses by VIP Group, the port numbers of the member VIPs are not considered; only their IP addresses are. All traffic to or from the IP addresses of member VIPs matches the policy, even traffic on a port that differs from the VIP's mapped ports.

This may not be intuitive behavior.

Workaround

If you require different firewall policies applied to specific port numbers to or from the same VIP IP address, configure separate firewall policies for each VIP and service, rather than a single policy using a VIP Group.
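As an added example (not part of the original article), the following FortiOS v3.0-style CLI shows a single policy built on a VIP Group beside the workaround of one policy per VIP with a specific service. It assumes two constructed VIPs on the same external address, `web_vip` forwarding TCP 80 and `ssh_vip` forwarding TCP 22; the object names, addresses (RFC 5737 ranges), interface names and policy IDs are constructed, and the exact keywords are assumed from FortiOS v3.0 syntax.

```fortios
# VIP Group holding both members (names, IPs and IDs are constructed).
config firewall vipgrp
    edit "vip_grp"
        set interface "wan1"
        set member "web_vip" "ssh_vip"
    next
end

# Policy 10: a single policy on the VIP Group. Service ANY is used here
# because the members forward different ports, relying on the VIPs'
# extport values to limit exposure. Before v3.0 MR5 Patch 1 the VIP
# ports are not compared, so this policy admits traffic to
# 203.0.113.10 on any port, not only 80 and 22.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_grp"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

# Workaround: one policy per VIP, each restricted to that VIP's service,
# so only TCP 80 reaches web_vip and only TCP 22 reaches ssh_vip.
config firewall policy
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "web_vip"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    edit 12
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "ssh_vip"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end
```

Policy 10 would be removed once policies 11 and 12 are in place; keeping the per-VIP service restriction is also the least-privilege choice on releases where the VIP Group port matching has been corrected.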

Solution

This behavior was changed in v3.0 MR5 Patch 1. Firewall policies using VIP Groups are now matched by comparing both the member VIP IP address(es) and port number(s).