Created on 10-03-2007 12:00 AM Edited on 01-31-2024 05:21 AM By Jean-Philippe_P
Article
Description | Firewall policies using VIP Groups match traffic only by the IP address of the VIP Group's member(s), not their port numbers. |
Components |
|
Details |
When a firewall policy is configured to match IP addresses by VIP Group, the port numbers of member VIPs are not considered, only their IP addresses. All traffic involving the IP addresses of member VIPs matches the policy, even when it uses a port number that differs from the VIP's mapped ports. This may not be intuitive behavior.

Workaround

If you require different firewall policies applied to specific port numbers to or from the same VIP IP address, configure separate firewall policies for each VIP and service, rather than a single policy using a VIP Group.

Solution

This behavior was changed in v3.0 MR5 Patch 1. Firewall policies using VIP Groups are now matched by comparing both the member VIP IP address(es) and port number(s). |
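The effect on policy selection can be seen in a small model. This is an added example, not Fortinet code and not part of the original article. It assumes top-down first-match policy evaluation and that a policy referencing a single VIP compares ports, as the workaround implies. All class names, function names and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vip:
    name: str
    ext_ip: str
    ext_port: int          # external port the VIP forwards

@dataclass(frozen=True)
class Policy:
    policy_id: int
    vips: tuple            # member VIPs used as the policy destination
    is_vip_group: bool     # True when the destination is a VIP Group

def policy_matches(policy, dst_ip, dst_port, group_compares_ports):
    """group_compares_ports=False models VIP Group matching before
    v3.0 MR5 Patch 1 (IP only); True models the changed behaviour."""
    compare_ports = group_compares_ports or not policy.is_vip_group
    return any(
        v.ext_ip == dst_ip and (not compare_ports or v.ext_port == dst_port)
        for v in policy.vips
    )

def first_match(policies, dst_ip, dst_port, group_compares_ports):
    """Return the id of the first policy (top-down) that matches, else None."""
    for p in policies:
        if policy_matches(p, dst_ip, dst_port, group_compares_ports):
            return p.policy_id
    return None

# Constructed sample data: two VIPs share one external IP (documentation range).
WEB = Vip("vip-web", "203.0.113.10", 443)
MAIL = Vip("vip-mail", "203.0.113.10", 25)

# Policy 1 uses a VIP Group holding only the web VIP; policy 2 is for mail.
GROUPED = [Policy(1, (WEB,), True), Policy(2, (MAIL,), False)]
# Workaround from the article: one policy per VIP and service, no VIP Group.
SEPARATE = [Policy(1, (WEB,), False), Policy(2, (MAIL,), False)]

if __name__ == "__main__":
    for label, rules, fixed in [("group, IP only", GROUPED, False),
                                ("group, IP and port", GROUPED, True),
                                ("separate policies", SEPARATE, False)]:
        hits = {port: first_match(rules, "203.0.113.10", port, fixed)
                for port in (443, 25, 8080)}
        print(f"{label}: {hits}")
```

With IP-only group matching, policy 1 captures traffic to ports 25 and 8080 as well as 443, so the mail policy below it is never reached. With port comparison or with separate per-VIP policies, each port lands on its own policy and the unmapped port matches neither.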
Copyright 2024 Fortinet, Inc. All Rights Reserved.