Elena_Madrigal
New Member
August 23, 2017
Question

DENIED by forward policy check (policy 0)

Hello Team,

I have two sub-interfaces, one connected to a Wi-Fi network 10.15.242.X and the other to a wired network 10.38.X.X. I have made a specific rule to permit the traffic to do a ping between the networks.

It does not match any rule and the traffic is denied by the implicit rule all the time ...

I have made a sniffer capture and a trace in the Forti (see images attached), and I see in the tcpdump how the traffic reaches the default gateway in the FortiGate, 10.15.242.1, but not the PC connected at IP 10.15.242.2; it is always denied by policy 0.

I have a FortiGate 1500D with firmware version 5.4.4.

Any suggestion? I am going crazy ..

 


ede_pfau
SuperUser
August 23, 2017

Can you please supply the config of the interfaces involved (conf sys int)?

emnoc
New Member
August 23, 2017

What we really need is the fwpolicy. Your screenshot conflicts with the interface names:

MSSI-INT2 vs INT_USER

Did you happen to typo the wrong interface_name? Also on the diag sniffer packet, a suggestion:

1: specify the interface name

2: use the 4 value to double check ALL interfaces

e.g.

diag sniffer packet MSSI-INT2 "host 10.15.242.2 and icmp" 4

That would be better than "any" and you can look at the traffic from srcintf or dstintf.

So double check firewall-policy and then routing.

Just a tip ;)

 
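An added illustration of the point above, written for this thread and not taken from it or from Fortinet: a minimal first-match policy lookup showing why a rule written against one interface name (INT_USER) never matches a ping that the sniffer shows entering on another (MSSI-INT2), so the flow falls through to policy 0. The policy id, the Wi-Fi interface name wifi_sub, the host addresses and which name is the typo are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str      # interface name, or "any"
    dstintf: str
    srcaddr: str      # CIDR
    dstaddr: str      # CIDR
    service: str      # "ALL" or a named service such as "PING"
    action: str       # "accept" or "deny"


# Policy 0 is the implicit deny that catches every flow no explicit policy matched.
IMPLICIT_DENY = Policy(0, "any", "any", "0.0.0.0/0", "0.0.0.0/0", "ALL", "deny")


def _intf_ok(rule_intf: str, pkt_intf: str) -> bool:
    return rule_intf == "any" or rule_intf == pkt_intf


def forward_policy_check(policies: List[Policy], srcintf: str, dstintf: str,
                         src: str, dst: str, service: str) -> Policy:
    """First-match lookup in configured order; falls through to policy 0."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (_intf_ok(p.srcintf, srcintf) and _intf_ok(p.dstintf, dstintf)
                and src_ip in ipaddress.ip_network(p.srcaddr)
                and dst_ip in ipaddress.ip_network(p.dstaddr)
                and p.service in ("ALL", service)):
            return p
    return IMPLICIT_DENY


def verdict(p: Policy) -> str:
    # The deny string is the one quoted in the thread; the accept string is constructed.
    if p.action == "deny":
        return f"DENIED by forward policy check (policy {p.policyid})"
    return f"accepted by policy {p.policyid}"


# Constructed table: the ping rule was written with srcintf INT_USER (assumed typo).
POLICIES = [Policy(1, "INT_USER", "wifi_sub", "10.38.0.0/16", "10.15.242.0/24", "PING", "accept")]


def ping_verdict(srcintf: str) -> str:
    """Verdict for an ICMP echo from the wired PC (assumed 10.38.23.10) to 10.15.242.2."""
    return verdict(forward_policy_check(POLICIES, srcintf, "wifi_sub", "10.38.23.10", "10.15.242.2", "PING"))


if __name__ == "__main__":
    print(ping_verdict("INT_USER"))    # name matches the rule -> accepted by policy 1
    print(ping_verdict("MSSI-INT2"))   # name seen by the sniffer -> policy 0
```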

Elena_Madrigal
New Member
August 24, 2017

I think the problem is the routing between VDOMs; the network 10.15.242.X is in the VDOM-Wifi and the 10.38.23.X is a network in the VDOM-Root.

When I execute a ping from the VDOM Wifi to the gateway 10.15.242.1 I can reach it successfully, because it is directly connected, but when I execute a ping to 10.15.242.2 is when the ping fails.

However, in both cases I can see the traffic in the diagnose sniffer packet ...