Troubleshooting Tip: 'Deny: policy violation' in logs, IP denied in an allow policy
Description
This article describes an issue in which traffic from an IP address is denied even though it matches an allow policy. In a sniffer check, the traffic arrives on the ingress interface, but no forwarded/egress packets are seen.
In a flow debug, the message 'Denied by endpoint check' appears, as described in the related article Troubleshooting Tip: Flow filter log message 'Denied by endpoint check'.
Scope
FortiGate.
Solution
Consider a FortiGate policy configured to allow traffic from one interface to another.
Incoming traffic matches all the conditions of the policy.
In the logs, the action shows as 'Deny: policy violation', and communication from source to destination fails.
One cause of this log entry is that the source IP has been added as a banned IP or quarantined on the FortiGate; the source IP must then be released from quarantine (whitelisted) to allow the traffic.
This can be the result of a DoS policy.
To release it, go to Monitor -> Quarantine Monitor, select the source IP, and delete the entry.
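The following script is an added example, not part of this article or of FortiOS: it shows how to triage a batch of FortiGate traffic logs for the symptom above (action=deny on a session that matched an allow policy, which is what the GUI labels 'Deny: policy violation') and then cross-check the affected source IPs against the list shown in the Quarantine Monitor. The log lines, the allow policy ID (7) and the quarantine list are constructed sample values; only the key=value log format, the policyid field and the convention that policyid=0 is the implicit deny are taken from FortiGate behaviour.

```python
"""Triage FortiGate traffic logs for denies on an allow policy and match them to quarantine entries."""
import re
from collections import defaultdict

# Constructed sample traffic logs in FortiGate key=value syslog style (hypothetical addresses).
SAMPLE_LOGS = """\
date=2024-01-10 time=10:01:02 type="traffic" subtype="forward" srcip=10.10.10.5 dstip=192.168.1.20 srcintf="port1" dstintf="port2" policyid=7 action="deny" service="HTTPS"
date=2024-01-10 time=10:01:03 type="traffic" subtype="forward" srcip=10.10.10.6 dstip=192.168.1.20 srcintf="port1" dstintf="port2" policyid=7 action="accept" service="HTTPS"
date=2024-01-10 time=10:01:05 type="traffic" subtype="forward" srcip=10.10.10.5 dstip=192.168.1.21 srcintf="port1" dstintf="port2" policyid=7 action="deny" service="SSH"
date=2024-01-10 time=10:01:07 type="traffic" subtype="forward" srcip=10.10.10.9 dstip=192.168.1.22 srcintf="port1" dstintf="port2" policyid=0 action="deny" service="DNS"
"""

# Constructed stand-in for the entries visible under Monitor -> Quarantine Monitor.
SAMPLE_QUARANTINE = {"10.10.10.5"}

# Matches key=value pairs where the value is either quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a log batch."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def denied_on_allow_policy(records, allow_policy_ids):
    """Return {srcip: count} for sessions denied even though they matched an allow policy.

    policyid=0 is the implicit deny; those entries are an ordinary policy miss, not the
    symptom this article describes, so they are excluded unless 0 is explicitly listed.
    """
    hits = defaultdict(int)
    for rec in records:
        if rec.get("action") != "deny":
            continue
        try:
            policy_id = int(rec.get("policyid", "0"))
        except ValueError:
            continue
        if policy_id in allow_policy_ids and "srcip" in rec:
            hits[rec["srcip"]] += 1
    return dict(hits)


def quarantine_suspects(records, allow_policy_ids, quarantined_ips):
    """Split suspect source IPs into those found on the quarantine list and those that are not.

    IPs in the first list are explained by this article (release them from quarantine);
    IPs in the second list need another explanation and a flow debug.
    """
    hits = denied_on_allow_policy(records, allow_policy_ids)
    confirmed = sorted(ip for ip in hits if ip in quarantined_ips)
    unexplained = sorted(ip for ip in hits if ip not in quarantined_ips)
    return confirmed, unexplained


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    confirmed, unexplained = quarantine_suspects(records, {7}, SAMPLE_QUARANTINE)
    print("denied on allow policy and quarantined:", confirmed)
    print("denied on allow policy, not quarantined:", unexplained)
```

Feed it an exported log batch and the IDs of the policies that should be allowing the traffic; any source IP in the first list is the case this article covers, and any IP in the second list should be traced with a flow debug instead of being released from quarantine.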

Related Article:
Troubleshooting Tip: Flow filter log message 'Denied by endpoint check'
