iainhs
Explorer
February 20, 2026
Question

Fortigate 60F - Devices on same interface hitting different policies help!

  • 2 replies
  • 818 views

Hi all,

I’m running into a weird issue with our FortiGate 60F and could use some guidance. Here’s the context:

We’re planning to shut down our on-prem DNS server and move some devices to use public DNS at one of our sites. The problem is that, even though all affected devices are on the same subnet/interface and show similar IP config, some are hitting the implicit deny policy while others are hitting my LAN-to-WAN policy.

Here’s what I’ve observed. Devices that can’t reach public DNS can still browse the web using our on-prem DNS server. This server has conditional forwarders pointing to 8.8.8.8 and 8.8.4.4. I have a firewall policy list as follows:

  1. LAN-to-Netsweeper – forwards all HTTP/HTTPS traffic to our web filtering provider.

  2. LAN-to-WAN – should catch everything else, including traffic from our internal interface 172.24.XX.XX/22.

The problem is that, for devices on the same subnet:

  • Some hit the LAN-to-WAN policy as expected.

  • Some hit the implicit deny instead.

I’ve also attached a screenshot of the interface settings.

I’m trying to understand why the firewall is treating these devices differently even though they’re on the same subnet/interface. Could this be related to DNS traffic, session handling, or policy order? Any advice or things I should check would be greatly appreciated.

Please let me know if any further information is required.

Fortigate Internal.png

Fortigate Policy List.png

2 replies

funkylicious
SuperUser
February 20, 2026

hi,

For this "LAN-to-Netsweeper – forwards all HTTP/HTTPS traffic to our web filtering provider", do you have a policy route that instructs hosts in LAN 172.24.X.X/24 to forward all HTTP/HTTPS to the tunnel?

If you have just a default route towards the tunnel, it will be dropped as expected; make sure that you create a route policy and specify that only HTTP/HTTPS traffic should be routed towards it.

"jack of all trades, master of none"
iainhs (Author)
Explorer
February 20, 2026

Hi Funky,

Thanks for the quick response! I've posted the policy routes below, so yes, all HTTP/HTTPS traffic is being forwarded to the tunnel as expected. However, some of the clients on the 'internal' interface are not able to use public DNS; they are having to use our on-prem DNS server (which I want to shut down). Should all the clients on the internal interface be able to reach public DNS, as they should all be included in the LAN-to-WAN policy? Some are going into the implicit deny, but I thought that the firewall should see them the same, as they are in the same subnet.

policy routes 2.png

funkylicious
SuperUser
February 20, 2026

I trust your settings, since the protocol/destination ports aren't visible in the policy routes.

Feel free to run this CLI command to check which policy would be matched for 8.8.8.8 set as a DNS server:

diag firewall iprope lookup SRC_IP 12345 8.8.8.8 53 17 internal policy - replace SRC_IP with the IP of a host.

Later edit: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Policy-Based-Routing-example-HTTP-HTTPS/ta-p/197080

"jack of all trades, master of none"
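Added example, not posted by either participant and not taken from the screenshots: a FortiOS CLI sketch of the two policy-route shapes funkylicious describes in the replies above (a catch-all route into the tunnel versus one limited to HTTP/HTTPS, with DNS explicitly excluded), followed by the lookup and flow-trace commands used to confirm which firewall policy a DNS query from a LAN host actually hits. The tunnel interface name `netsweeper-tun`, the host address 172.24.1.10, the subnet 172.24.0.0/22 and the policy IDs are assumptions for illustration; substitute the real names from your own unit.

```fortios
# --- Weak form (assumed, shown for contrast) ---
# No protocol/port match: every flow from the LAN, including UDP/53 to
# 8.8.8.8, is steered into the tunnel and never reaches the LAN-to-WAN policy.
config router policy
    edit 1
        set input-device "internal"
        set src "172.24.0.0/22"
        set dst "0.0.0.0/0"
        set output-device "netsweeper-tun"
    next
end

# --- Restricted form ---
# Rule 1 is "Stop Policy Routing" (action deny) for DNS, so UDP/53 falls
# through to the normal routing table and the LAN-to-WAN firewall policy.
# Rules 2 and 3 steer only TCP/80 and TCP/443 into the tunnel.
config router policy
    edit 1
        set input-device "internal"
        set src "172.24.0.0/22"
        set dst "0.0.0.0/0"
        set protocol 17
        set start-port 53
        set end-port 53
        set action deny
    next
    edit 2
        set input-device "internal"
        set src "172.24.0.0/22"
        set dst "0.0.0.0/0"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "netsweeper-tun"
    next
    edit 3
        set input-device "internal"
        set src "172.24.0.0/22"
        set dst "0.0.0.0/0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "netsweeper-tun"
    next
end

# --- Checks ---
# Policy routes as the kernel holds them; list order is the match order.
diagnose firewall proute list
# Which firewall policy would a DNS query (UDP/53) from 172.24.1.10 (assumed
# host) to 8.8.8.8 arriving on "internal" match? Run it once with a working
# host's address and once with a failing host's address and compare.
diagnose firewall iprope lookup 172.24.1.10 12345 8.8.8.8 53 17 internal policy
# Trace a handful of live packets to see the route and policy decision inline.
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow filter port 53
diagnose debug flow trace start 10
diagnose debug enable
```

The lookup is keyed on the source address, so if it returns the LAN-to-WAN policy for one host and the implicit deny (policy 0 in the flow trace) for another on the same /22, the thing to compare is how each address matches the source objects of the policy routes and firewall policies (an address object narrower than the subnet, or a /24 where a /22 was intended, produces exactly that split). Run `diagnose debug disable` when finished with the trace.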
iainhs (Author)
Explorer
February 20, 2026

Hi,

Okay, so I ran the diag from a host that is working fine (my remote machine)!

The result is below

forti diag 2 - working.png

And this is the result from a host that can't reach public DNS:

forti diag 1 - not working.png