In a situation where you have a VIP configured to perform destination NAT for traffic coming in from the Internet to an internal server, and you have a policy "above" the allow policy for the VIP in precedence, you will notice that by default the "above" policy does not function as expected when traffic is destined to the VIP.
This is extremely frustrating and isn't how any other firewall I've worked on functions, but what happens is that the VIP translation is applied earlier in packet processing on the FortiGate, so the policy that references the VIP gets used even if it sits further down in precedence than, say, a geo-filtering policy blocking all incoming traffic (allegedly to all hosts) from China.
That means that even though you think you have policies denying traffic above your VIP rules, it won't matter. This is very concerning and probably needs to be addressed by Fortinet. Unless you really investigate the logs to confirm that the deny rule above your VIP rule is actually being matched, this can go unnoticed for a while.
The below link from Fortinet describes the problem in more detail and discusses possible solutions.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD36750
The key is that you can add the "set match-vip enable" line to the "above" policy config to make sure that, even if a VIP is the destination, this deny rule gets used instead of the permit rule the VIP is associated with. Alternatively, you can use the VIP explicitly as the destination in the "above" deny rule.
config firewall policy
    edit 36
        set match-vip enable
    next
end
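As an added example (not from the original post or from Fortinet), here is a small Python audit that reads a FortiGate CLI config dump and flags deny policies that sit above a VIP allow policy but have neither "set match-vip enable" nor the VIP itself as the destination. The config text and the policy IDs 36 and 40 are constructed; the only assumption is the standard "config ... edit ... set ... next ... end" layout of a FortiOS config.

```python
"""Flag FortiGate deny policies that a later VIP allow policy can bypass."""
import re

# Constructed sample config, not a real device dump: a geo deny policy (36)
# precedes the VIP allow policy (40) but lacks "set match-vip enable".
SAMPLE_CONFIG = """
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
    next
end
config firewall policy
    edit 36
        set name "deny-geo"
        set srcaddr "geo-block"
        set dstaddr "all"
        set action deny
    next
    edit 40
        set name "allow-web-vip"
        set srcaddr "all"
        set dstaddr "web-vip"
        set action accept
    next
end
"""

def parse_table(config, table):
    """Return an ordered list of (id, {setting: value}) for one config table."""
    m = re.search(r'^config %s\n(.*?)^end$' % re.escape(table), config, re.S | re.M)
    entries = []
    if not m:
        return entries
    for block in re.finditer(r'^\s*edit (\S+)\n(.*?)^\s*next$', m.group(1), re.S | re.M):
        settings = dict(re.findall(r'^\s*set (\S+) (.+)$', block.group(2), re.M))
        entries.append((block.group(1).strip('"'), settings))
    return entries

def find_bypassable_denies(config):
    """Return [(deny_id, [later VIP accept ids])] for denies missing match-vip."""
    vips = {vid for vid, _ in parse_table(config, "firewall vip")}
    policies = parse_table(config, "firewall policy")
    dsts = lambda s: set(s.get("dstaddr", "").replace('"', "").split())
    findings = []
    for i, (pid, s) in enumerate(policies):
        # Either form described above closes the gap: match-vip or explicit VIP.
        if s.get("action") != "deny" or s.get("match-vip") == "enable" or dsts(s) & vips:
            continue
        later = [q for q, t in policies[i + 1:] if t.get("action") == "accept" and dsts(t) & vips]
        if later:
            findings.append((pid, later))
    return findings
```

Run it against the output of "show firewall vip" and "show firewall policy" concatenated; an empty result means every deny ahead of a VIP policy is protected.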