johnathan
Staff
November 7, 2024

Technical Tip: Traffic is hitting the implicit deny policy, even though the firewall policies are configured correctly to allow the traffic

Description

This article describes how to resolve a scenario where traffic incorrectly hits the implicit deny policy even though a policy is configured to allow it.

Scope

FortiGate.

Solution

The following policy should allow all traffic from the IP address 100.64.0.202 to the internet.

[Screenshot: correct policy.PNG]

It is recommended to run a debug flow. These are the commands to set it up:

diagnose debug flow filter addr <Host IP address>
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start <No. of packets to be analyzed>
diagnose debug enable


For more debug options, see this KB article: Troubleshooting Tip: First steps to troubleshoot connectivity problems.

For this scenario, this was the debug configuration:

diagnose debug flow filter addr 100.64.0.202
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

[Screenshot: debug flow blocked.PNG]

The debug flow shows that the traffic is matching the implicit deny.

Policy ID 0 is generally the 'Implicit Deny'. To confirm a policy's ID, edit the policy; the ID is shown on the top-right side:

[Screenshot: Screenshot.jpg]

Alternatively, enable the 'ID' column in the Firewall Policy view:

[Recording: Recording-2025-03-24-174737.gif]

Check that the default objects used in the policy have not been modified. In this case, the schedule object has been modified, so its name no longer reflects what is actually applied to the policy.

[Screenshot: vbad scheduel.PNG]

Make sure the default value of the service 'ALL' has not been modified.

The following firewall policy shows the default configuration of the service object 'ALL':

[Screenshot: 1.png]

In the example below, the default 'ALL' service has been modified:

[Screenshot: 2.png]

To restore the 'ALL' service to its default, use the following CLI commands:

config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
    next
end

From the GUI:

Navigate to Policy & Objects -> Services, select the 'ALL' service, choose 'Edit', and correct the Protocol Type to IP.

[Screenshot: 4.png]

[Screenshot: 3.png]

Once this is corrected, the debug flow shows that this traffic is now allowed.

[Screenshot: allow.PNG]

It is also possible to apply filters to the forward traffic logs to confirm whether the traffic is hitting the expected policy:

Technical Tip: Forward traffic logs with filter

Another way to validate whether traffic matches the conditions of a firewall policy is to use 'Policy Lookup'.

A modified default object can also be identified easily with the iprope command. In the example below, the firewall address 'all' was changed to 192.168.1.0/24.

show firewall policy 2
    config firewall policy
        edit 2
            set name "port2 Internet"
            set srcintf "port2"
            set dstintf "port1"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "certificate-inspection"
            set nat enable
        next
    end

diagnose firewall iprope list 100004 | grep "index=2" -A 15
policy index=2 uuid_idx=15749 action=accept
.....
zone(1): 4 -> zone(1): 3
source(1): 192.168.1.0-192.168.1.255, uuid_idx=15732,
dest(1): 192.168.1.0-192.168.1.255, uuid_idx=15732,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

.....

After correcting the firewall address 'all' back to 0.0.0.0/0, the iprope output is as follows:

diagnose firewall iprope list 100004 | grep "index=2" -A 15
policy index=2 uuid_idx=15749 action=accept
.....
zone(1): 4 -> zone(1): 3
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15732,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=15732,
service(1):
.....

 

The iprope information will also list the service configured. In certain scenarios, information that has been missed in the GUI can be further verified via CLI output. In the GUI, the firewall policy of policy ID 41 was configured with the 'ALL' service.

 

image.png

 

CLI output:

 

policy index=41 uuid_idx=882 action=accept
flag (8010001): log master pol_stats
flag2 (6200): no_asic log_fail resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 32 -> zone(1): 41
source(1): 0.0.0.0-255.255.255.255, uuid_idx=550,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=550,
service(1):
[6:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

In the service line above, the first field is the IP protocol number; 6 is TCP. Refer to the list of assigned IP protocol numbers for the full list. The port field (0,65535)->(0,65535) is the source and destination port range.

Based on this iprope output, the expected behavior is that traffic coming in from port20 to the lan interface will only be permitted by firewall policy 41 if the protocol is TCP. Traffic of any other protocol will be processed by another firewall policy or denied.

The following iprope output shows the same policy with the 'ALL' service object at its default value:

policy index=41 uuid_idx=882 action=accept
flag (8010001): log master pol_stats
flag2 (6200): no_asic log_fail resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 32 -> zone(1): 41
source(1): 0.0.0.0-255.255.255.255, uuid_idx=550,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=550,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

Protocol number 0 here means all protocols, so firewall policy 41 will process traffic for every protocol.
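The two checks above (the 'all' address resolving to a narrower range, and the 'ALL' service resolving to a single protocol) can be automated by cross-checking 'show firewall policy' output against 'diagnose firewall iprope list' output. The following Python script is an added example, not part of the original article and not a Fortinet tool. It assumes both outputs have been pasted in as text; the sample outputs embedded in it are constructed from the listings on this page (real output has more lines per policy, which the parser ignores), and the two middle fields of the service line are left uninterpreted because the article only explains the protocol number and port ranges.

```python
# Cross-check 'show firewall policy' against 'diagnose firewall iprope list' for narrowed default objects.
import re

# Constructed sample output modelled on the article's listings (assumption: real output has more lines).
SAMPLE_CONFIG = """\
    edit 2
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
    edit 41
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
"""
SAMPLE_IPROPE = """\
policy index=2 uuid_idx=15749 action=accept
source(1): 192.168.1.0-192.168.1.255, uuid_idx=15732,
dest(1): 192.168.1.0-192.168.1.255, uuid_idx=15732,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
policy index=41 uuid_idx=882 action=accept
source(1): 0.0.0.0-255.255.255.255, uuid_idx=550,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=550,
service(1):
[6:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto
"""

ANY_RANGE = ("0.0.0.0", "255.255.255.255")      # what the default 'all' address resolves to
ANY_SERVICE = (0, 0, 65535, 0, 65535)             # what the default 'ALL' (protocol IP) resolves to
PROTO_NAMES = {0: "any", 1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers
POLICY_RE = re.compile(r"^policy index=(\d+) .*\baction=(\w+)")
IP_RANGE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})")
# [proto:0x..:../(sport_lo,sport_hi)->(dport_lo,dport_hi)]; the two middle fields are not interpreted
SERVICE_RE = re.compile(r"^\[(\d+):0x[0-9a-fA-F]+:\d+/\((\d+),(\d+)\)->\((\d+),(\d+)\)\]")

def parse_iprope(text):
    """Parse iprope output into {index: {action, sources, dests, services}}."""
    policies, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = {"action": m.group(2), "sources": [], "dests": [], "services": []}
            policies[int(m.group(1))] = current
            section = None
            continue
        if current is None:
            continue
        for prefix in ("source(", "dest(", "service("):
            if line.startswith(prefix):
                section = prefix.rstrip("(") + "s"   # sources / dests / services
        if section in ("sources", "dests"):
            current[section].extend(IP_RANGE_RE.findall(line))  # (first_ip, last_ip) tuples
        elif section == "services":
            m = SERVICE_RE.match(line)
            if m:   # (proto, sport_lo, sport_hi, dport_lo, dport_hi)
                current["services"].append(tuple(int(g) for g in m.groups()))
    return policies

def parse_policy_config(text):
    """Pull the srcaddr/dstaddr/service object names out of 'show firewall policy' output."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^edit (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"^set (srcaddr|dstaddr|service) (.+)$", line)
        if m and current is not None:
            current[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2))
    return policies

def describe_service(entry):
    """Render a service entry as the article reads it: protocol number, then port ranges."""
    proto, slo, shi, dlo, dhi = entry
    return f"{PROTO_NAMES.get(proto, f'proto {proto}')} sport {slo}-{shi} -> dport {dlo}-{dhi}"

def audit(config, iprope):
    """Return {policy_id: [findings]} for policies whose default objects have been narrowed."""
    findings = {}
    for pid, cfg in config.items():
        ip = iprope.get(pid)
        if ip is None:
            continue
        notes = []
        for key, attr in (("srcaddr", "sources"), ("dstaddr", "dests")):
            if cfg.get(key) == ["all"] and ANY_RANGE not in ip[attr]:
                notes.append(f"{key} 'all' enforces {ip[attr]}, not 0.0.0.0/0: default object modified")
        if cfg.get("service") == ["ALL"] and ANY_SERVICE not in ip["services"]:
            enforced = ", ".join(describe_service(s) for s in ip["services"])
            notes.append(f"service 'ALL' enforces [{enforced}], not all protocols: default object modified")
        if notes:
            findings[pid] = notes
    return findings

if __name__ == "__main__":
    for pid, notes in audit(parse_policy_config(SAMPLE_CONFIG), parse_iprope(SAMPLE_IPROPE)).items():
        print(f"policy {pid}: {notes}")
```

Run against the samples, the script reports policy 2 for both address objects (the 'all' address enforces 192.168.1.0-192.168.1.255) and policy 41 for the service object (the 'ALL' service enforces TCP only), which is exactly what the two manual iprope comparisons above show. A policy whose iprope entry already contains the 0.0.0.0-255.255.255.255 range and a protocol-0 service produces no finding.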

 

Related articles

Technical Tip: Firewall policy lookups

Technical Tip: iprope policies group