New Member

Solved

Denied by forward policy check (policy 0)

Forum|Forum|11 years ago
June 3, 2015
8 replies
76131 views

Hi, I have this reject for a new rule wich use both NAT (source and destination) Rule : edit 4465 set srcintf "any" set dstintf "any" set srcaddr "153.65.21.20" set dstaddr "vip_10.118.247.251-to-192.168.60.219-5901" "vip_10.118.247.251-to-192.168.60.219-5902" set action accept set schedule "always" set service "tcp_5901" "tcp_5902" set logtraffic all set nat enable set ippool enable set poolname "ippool_10.118.58.217" We want to nat

153.65.21.20 --> 10.118.247.251 into:

10.118.58.217 --> 192.168.60.219 Logs : 2015-05-20 15:10:41 id=13 trace_id=4270 msg="vd-PAEv1 received a packet(proto=6, 153.65.21.20:12765->10.118.247.251:5902) from fmc1/2.305. flag S, seq 4222833505, ack 0, win 5260" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="allocate a new session-f767ce2f" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="find SNAT: IP-192.168.60.219(from IPPOOL), port-49052" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="VIP-192.168.60.219:49052, outdev-fmc1/2.305" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="DNAT 10.118.247.251:5902->192.168.60.219:49052" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="find a route: flags=00000000 gw-192.168.76.54 via fmc1/2.300" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="use addr/intf hash, len=147" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="Denied by forward policy check (policy 0)" I don't understand why we hit a policy 0 and not the 4465. i have check the bug "the service ALL had been changed to protocol 6 instead of 0", it seems to be OK on the GUI interface and with the command "show firewall service custom ALL" Thanks if anyone have an idea.

Best answer by Johan_Witters

Hi Zak,

I just tested your configuration on my Fortigate at home: It also gives my a "denied by forward policy check" due to no matching policy. When I change the allowed services in my policy from "tcp_5902" to "tcp_49052", it matches the correct policy and the packets are NATted and forwarded correctly.

It did not match the policy previously as the allowed destination port is 5902, but the actual packet already has the destination port NATted to 49052..

Dave_Hall

New Member

Hi Zak.

What are you trying to accomplish? Kinda looks like you are trying to setup some sort of VNC port forward. Make sure the source ports on those "tcp_5901" "tcp_5902"" services are 1-65535.

Can you post your VIPs?

zakAuthor

New Member

Hi, It's for access to a loadbalancer, and we are using VIPs and natpool because the ports/IP are not allowed on the client's network. The services seem ok : edit "tcp_5901" set tcp-portrange 5901:0-65535 edit "tcp_5902" set tcp-portrange 5902:0-65535 VIPs of the rule : edit "vip_10.118.247.251-to-192.168.60.219-5901" set extip 10.118.247.251 set extintf "any" set portforward enable set color 1 set mappedip 192.168.60.219 set extport 5901 set mappedport 49051 edit "vip_10.118.247.251-to-192.168.60.219-5902" set extip 10.118.247.251 set extintf "any" set portforward enable set color 1 set mappedip 192.168.60.219 set extport 5902 set mappedport 49052

Dave_Hall

New Member

Don't have a spare Fortigate around at the moment to test the code out, but I think the problem is the exip defined in the VIP section is where the fgt is choking. If you set the source interface on the VIP, you should be able to use a wildcard source IP (which is not allowed on "any" interface).

Code could be similar to this, but someone here should validate it..like I said, I don't have a spare fgt on hand to valid it myself.

config firewall address
    edit "Source-153.65.21.20"
        set subnet 153.65.21.20 255.255.255.255
    next
end

config firewall service custom
    edit "VNC-5901-5902"
        set tcp-portrange 5901-5902
    next
end

config firewall ippool
    edit "IP-Pool-10.118.58.217"
        set type one-to-one
        set startip 10.118.58.217
        set endip 10.118.58.217
    next
end

config firewall vip
    edit "vip-10.118.247.251"
        set extintf "WAN1"
        set portforward enable
        set mappedip 192.168.60.219
        set extport 5901-5902
        set mappedport 49051-49052
    next
end

config firewall policy
    edit 0
        set srcintf "WAN1"
        set dstintf "any"
        set srcaddr "Source-153.65.21.20"
        set dstaddr "vip-10.118.247.251"
        set action accept
        set schedule "always"
        set service "VNC-5901-5902"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "IP-Pool-10.118.58.217"
    next
end

Johan_Witters

New Member

It might be related to the fact the vip is changing the service ports.

Have you tried by changing the allowed sevice to "any"?

zakAuthor

New Member

THanks for the reply, i will test with the interface and service to any.

emnoc

New Member

You could do that but remember with DNAT the route/policy is looked up after the DNAT hence this is why you have the following;

2015-05-20 15:10:41 id=13 trace_id=4270 msg="VIP-192.168.60.219:49052, outdev-fmc1/2.305" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="DNAT 10.118.247.251:5902->192.168.60.219:49052" 2015-05-20 15:10:41 id=13 trace_id=4270 msg="find a route: flags=00000000 gw-192.168.76.54 via fmc1/2.300"

What is gateway 192.168.76.54 and the src ippool range that your using?

What I would do is dropped the SNAT and validate that your VIP is working at mapping the extport to the inside. I'mve sure this would work if you remove the src poolname for this firewall-policy and conduct a 2nd diag debug flow

If that works than you know it's a issue with the above and the SRC for the outside client.

Johan_Witters

New Member

zak wrote:

2015-05-20 15:10:41 id=13 trace_id=4270 msg="find SNAT: IP-192.168.60.219(from IPPOOL), port-49052"

Could you post the IP pool configuration? I would expect the SNAT to report a different IP

zakAuthor

New Member

Hi,

This is the ippool :

edit "ippool_10.118.58.217" set startip 10.118.58.217 set endip 10.118.58.217 set arp-reply disable

Johan_WittersAnswer

New Member

Hi Zak,

I just tested your configuration on my Fortigate at home: It also gives my a "denied by forward policy check" due to no matching policy. When I change the allowed services in my policy from "tcp_5902" to "tcp_49052", it matches the correct policy and the packets are NATted and forwarded correctly.

It did not match the policy previously as the allowed destination port is 5902, but the actual packet already has the destination port NATted to 49052..

zakAuthor

New Member

Hi,

Thanks i will do this modification and ask for a new test, did you let the source interface to "any" ?

Johan_Witters

New Member

Yes, I did... I used the complete configuration like you posted it, except for changing the IP's and the ports to match my network..

For a security point of view it is not adviced to use "any", but it might be necessary due to network design..

zakAuthor

New Member

OK i have put back my original configuration with the new ports, i will let you know as soon as a new test will be possible.

Edit : It's ok with the natted ports on the rule, the policy has matched correctly, thanks a lot for your help !

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded