Hello!

I'm running into a problem with our Fortigate 100E running 6.0.7. The crux of the matter is that the firewall policy contains these two entries (among others):

edit 55     set srcintf "wan1"     set dstintf "any"     set srcaddr "BLOCKLIST"     set dstaddr "all"     set schedule "always"     set service "ALL"     set logtraffic all     set fsso disable next edit 46     set srcintf "wan1"     set dstintf "port1"     set srcaddr "all"     set dstaddr "DNAT_TCP_22" "DNAT_TCP_443" "DNAT_UDP_53"     set action accept     set schedule "always"     set service "PORT_TCP_22" "PORT_TCP_443" "PORT_UDP_53"     set logtraffic all     set fsso disable next

Policy 55 is an attempt to do a blanket deny of inbound traffic from an addrgrp called "BLOCKLIST" which is fairly large addrgrp containing IPv4 addresses and networks. Policy 46 accepts some traffic that is being DNAT'ed from the global IP address of wan1 to some internal systems. What we thought was that, because policy 55 comes before policy 46, inbound traffic from any of the BLOCKLIST source addresses to any port would be denied, and all other inbound traffic pass through to the subsequent policies. However, what we see in practice is that inbound traffic from the BLOCKLIST sites to ports other than 22/443/53 is indeed denied, but traffic from the BLOCKLIST sites to ports 22/443/53 is accepted, which is surprising.

I've seen in some documentation that DNAT processing occurs very early, just after ingress, however presumably that is just destination address translation, and since policy 55 is supposed to match ALL destination addresses to ANY destination interface, it seems strange that traffic from BLOCKLIST sites would not match policy 55 and be denied. What are we doing wrong, and would be the best way to get the desired behavior?

Thanks!