What Are Shadow Rules in FortiGate?
A shadow rule is a firewall policy that is never matched because a preceding rule with broader criteria already captures the same traffic. Shadow rules accumulate silently over time — the result of policy additions without systematic review — and represent both a security risk and an audit finding.
In FortiGate environments, shadow rules typically appear when:
- A broad “allow-all” rule was added as a temporary measure and never removed
- A more specific rule was added below an existing rule that already covers the same source/destination/service
- VDOM merges or firewall migrations introduced duplicate logic
Why Shadow Rules Are a Security Risk
Impact of Shadow Rules
Detecting Shadow Rules via CLI
FortiGate does not have a built-in “shadow rule report,” but you can identify candidates manually:

```
show firewall policy
```

Review policies with identical or overlapping source, destination, and service fields. Pay particular attention to any policy with hit_count=0 — a zero-hit policy that should theoretically match traffic is a shadow rule candidate, provided the counter has been running long enough to cover the period in which that traffic would occur (counters start again after a reboot or a manual reset).

```
diagnose firewall iprope show 100004
```

Cross-reference zero-hit policies against broader rules above them in the policy table. If the broader rule’s source/destination/service is a superset of the zero-hit rule’s criteria, the zero-hit rule is likely shadowed.
Systematic Shadow Rule Detection
| Signal | Likely Cause | Action |
|---|---|---|
| hit_count=0 on a rule that should match traffic | Shadowed by a broader rule above it | Compare with rules above — disable and test |
| Duplicate source/destination/service in two policies | Migration or manual duplication | Consolidate into one rule |
| Deny rule with hit_count=0 below allow-all | Allow-all overrides the deny | Reorder or remove the allow-all |
| Service=ALL rule above a service-specific rule | Overly broad rule shadows specific rule | Narrow the service-ALL rule or reorder |
Safe Removal Process
Never delete a suspected shadow rule without first disabling and monitoring it. Follow this sequence:
- Document — Record the policy ID, name, source, destination, service, and current hit count.
- Disable — Set the policy to disabled status. Do not delete yet.
- Monitor for 30 days — Confirm no traffic disruption. Check FortiGate logs for denied traffic that should be allowed.
- Delete — If no issues arise after 30 days, delete the policy and update change records.
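The overlap check described in the CLI section and in the detection table above, followed by the disable step of the removal process, worked through as an added example. This is not the article's own code and not APO Tool: it parses the `config firewall policy` block of a FortiGate configuration backup (a constructed sample is embedded), reports every policy that an earlier enabled policy already covers on source interface, destination interface, source address, destination address and service, and emits the FortiOS CLI that disables a candidate without deleting it. Object names are compared literally and address groups are not expanded, so each hit is a candidate to confirm against hit counts, not a verdict.

```python
# Added example, not the article's own code and not APO Tool: parse the
# `config firewall policy` block of a FortiGate backup and flag policies that an
# earlier enabled policy already covers (names compared literally, groups not expanded).
import re
from dataclasses import dataclass, field

# Constructed sample in FortiOS backup syntax: policy 2 is a leftover allow-all.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set service "DNS"
        set action accept
    next
    edit 2
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
    next
    edit 3
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN_NET"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
    next
    edit 4
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SMB"
        set action deny
    next
end
"""

# Fields that decide whether traffic matches a policy; the first match wins.
MATCH_FIELDS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")
WILDCARDS = {"all", "any"}  # "all" for addresses/services, "any" for interfaces


@dataclass
class Policy:
    pid: int
    fields: dict = field(default_factory=dict)  # setting name -> set of values

    def values(self, key):
        return {v.lower() for v in self.fields.get(key, ())}


def parse_policies(config_text):
    """Return Policy objects in table order; position is what shadowing is about."""
    block = re.search(r"^config firewall policy\n(.*?)^end\b", config_text, re.S | re.M)
    policies, current = [], None
    for raw in (block.group(1) if block else "").splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = Policy(int(line.split()[1]))
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            _, key, rest = line.split(" ", 2)
            current.fields[key] = set(re.findall(r'"([^"]*)"', rest) or rest.split())
    return policies


def covers(broad, narrow, key):
    """True if `broad` accepts every value `narrow` lists for `key`."""
    b, n = broad.values(key), narrow.values(key)
    return bool(b & WILDCARDS) or (bool(n) and n <= b)


def find_shadowed(policies):
    """Map policy id -> ids of earlier enabled policies whose criteria are a
    superset of its own; such a policy is never reached."""
    shadowed = {}
    for i, later in enumerate(policies):
        by = [e.pid for e in policies[:i]
              if "disable" not in e.values("status")
              and all(covers(e, later, k) for k in MATCH_FIELDS)]
        if by:
            shadowed[later.pid] = by
    return shadowed


def disable_cli(pid):
    """FortiOS CLI for the disable step: the policy stays in the table and can be re-enabled."""
    return f"config firewall policy\n    edit {pid}\n        set status disable\n    next\nend\n"


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for pid, by in find_shadowed(pols).items():
        print(f"policy {pid} is shadowed by {by}")  # 3 by [2], 4 by [2]
    # Policy 3 is an accept under a broader accept: disable it and monitor. Policy 4
    # is a deny under an allow-all: the fix there is the allow-all, not the deny.
    print(disable_cli(3))
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; disabling policy 2 in the sample (add `set status disable` under `edit 2`) makes both findings disappear, which is the same effect as the "narrow or remove the allow-all" action in the table.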
Using APO Tool to Surface Shadow Rule Candidates
APO Tool identifies shadow rule candidates automatically by parsing your FortiGate config file and cross-referencing policies with overlapping source/destination/service definitions — without requiring live device access or CLI expertise. The output is a prioritized list of candidates with the specific overlapping rules identified for each.
Summary
Shadow rules represent one of the most dangerous classes of FortiGate misconfigurations because they are invisible in normal operation — policies appear active in the table but are never evaluated. Systematic detection using hit count analysis and policy overlap review, combined with a disciplined disable-monitor-delete process, is the only reliable way to clean them up safely.