Giovanna
Explorer II
March 22, 2025
Solved

Firewall Policies created not working

  • March 22, 2025
  • 3 replies
  • 4200 views

I did a simple exercise where I connected the two PCs to the physical FortiGate (to port1 and port2). Then I created a rule where I set the incoming traffic to port1 and outgoing traffic to port2 (with all other parameters set to 'all'). I also created another rule to permit the reverse traffic. However, all traffic is being denied due to the implicit deny rule. Does anyone have a suggestion regarding this configuration? I can ping the FortiGate from the PCs. The FortiGate is not registered yet (I did the same configuration in VMware Workstation with the FortiGate running on a VM, and it worked).


3 replies

AEK
SuperUser
March 22, 2025

In the traffic logs, double click on a deny log entry and post a screenshot.

Also please post a screenshot of the related firewall rule.

AEK
Giovanna (Author)
Explorer II
March 25, 2025

Thank you! Looks like the FortiGate needs some time to upload the configuration modification; the day after, the policies worked. Do you maybe know why this happened? It takes more than 1 hour to take in the new configuration.

AEK
SuperUser
March 25, 2025

This is an expected behavior if you keep the session open.

When you change a policy, the effect is immediate on the "new sessions", but any existing open session will continue to work until it is closed by client or server.

AEK
esalija
Staff
March 23, 2025

Dear @Giovanna ,

Please run the debug commands to check the traffic flow and the firewall policy that is matching:

# diagnose debug disable
# diagnose debug flow filter addr <Source_IP> <Destination_IP> and
# diagnose debug flow show function-name enable
# diag debug flow show iprope enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 1000
# diagnose debug enable


Best regards,
Erlin
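
As an added example (not from this thread or from Fortinet), a small Python parser that reads constructed lines in the shape `diagnose debug flow` typically prints (the exact message wording is an assumption) and reports, per trace, which policy matched and whether the flow hit the implicit deny (policy 0), which is the symptom described in the question:

```python
import re

# Constructed sample of "diagnose debug flow" output (assumed format, not
# captured from the poster's device): trace 1 is allowed by a configured
# policy, trace 2 falls through to the implicit deny (policy 0).
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6027 msg="allocate a new session-0000001a"
id=20085 trace_id=1 func=fw_forward_handler line=838 msg="Allowed by Policy-1:"
id=20085 trace_id=2 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51234->192.168.2.10:22) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=6027 msg="allocate a new session-0000001b"
id=20085 trace_id=2 func=fw_forward_handler line=875 msg="Denied by forward policy check (policy 0)"
"""

# Packet header line: protocol, source, destination and ingress interface.
PKT_RE = re.compile(r'trace_id=(\d+) .*?\(proto=(\d+), (\S+?)->(\S+?)\) .*?from (\S+?)\.')
# Policy verdict line: either an explicit allow or the forward policy denial.
VERDICT_RE = re.compile(
    r'trace_id=(\d+) .*?msg="(Allowed by Policy-(\d+)|Denied by forward policy check \(policy (\d+)\))'
)


def summarize_debug_flow(text: str) -> dict:
    """Group debug flow lines by trace_id and record the policy decision.

    Returns {trace_id: {proto, src, dst, ingress, verdict, policy}}.
    A deny with policy 0 means no configured policy matched the flow."""
    flows = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            tid, proto, src, dst, ingress = m.groups()
            flows.setdefault(tid, {}).update(proto=int(proto), src=src, dst=dst, ingress=ingress)
            continue
        m = VERDICT_RE.search(line)
        if m:
            flow = flows.setdefault(m.group(1), {})
            if m.group(3) is not None:
                flow.update(verdict="allow", policy=int(m.group(3)))
            else:
                flow.update(verdict="deny", policy=int(m.group(4)))
    return flows


def implicit_deny_flows(flows: dict) -> list:
    """Flows that reached the implicit deny: the ones a missing/mis-scoped policy explains."""
    return [f for f in flows.values() if f.get("verdict") == "deny" and f.get("policy") == 0]


if __name__ == "__main__":
    for tid, f in summarize_debug_flow(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {tid}: {f.get('src')} -> {f.get('dst')} via {f.get('ingress')}: "
              f"{f.get('verdict')} (policy {f.get('policy')})")
```

Run the real command output through `summarize_debug_flow` after saving the console session to a file; a flow listed by `implicit_deny_flows` did not match any policy's interface pair, addresses, service or schedule.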

Giovanna (Author)
Explorer II
March 25, 2025

Thank you! Debug didn't show any issues. Looks like the FortiGate takes time to load the configuration modifications. Do you maybe know why this happens? It takes more than 1 hour.

esalija
Staff
March 25, 2025

Dear @Giovanna,

Thank you for the reply!

Did you notice the traffic that is flowing into FGT from Sniffer commands?

# diag sniffer packet any "host <Source_IP> and host <Destination_IP>" 4 0 l


Best regards,

Erlin

AEK
SuperUser
March 26, 2025

Hi Giovanna

Jerry and Salija are right, if you share "diag debug flow" output it will help us to help you.

AEK
Giovanna (Author, Best answer)
Explorer II
April 1, 2025

Dear all, 


I did reset to the factory configuration, and didn't have any problems after. Thank you very much for your support!