Wanderer
Explorer
April 7, 2022
Question

Fortigate: Why traffic is allowed by default in policy based mode?

  • April 7, 2022
  • 3 replies
  • 3004 views

Hello,

Although I have some experience with Fortigate, I think I have always worked with profile-based mode. Now I just set up a lab to test policy-based mode, just to find that two PCs connected to different LANs on different FG ports can ping each other, with no security policies existing yet. Is that normal? Do I have to explicitly block the traffic?

Looks like they can ping each other, but not the WAN interface, or other addresses located on the WAN interface. FortiOS is 7.0.5.


Thank you in advance

Daniel

3 replies

sw2090
SuperUser
April 7, 2022

Do you have NAT enabled on some policy? Or is there some policy allowing src any to dst any, or similar?

You could do some flow debug to see which policy is being hit.
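
An added example of the flow-trace procedure suggested in the reply above (not part of sw2090's reply or of Fortinet documentation); it assumes a constructed lab where PC1 is 192.168.1.10 on LAN1 and PC2 is 192.168.2.10 on LAN2, and filters the trace to ICMP between those two hosts so the output stays readable:

```fortios
# Assumed lab addresses (constructed): PC1 192.168.1.10 on LAN1, PC2 192.168.2.10 on LAN2
# Clear any debug state left over from an earlier session
diagnose debug reset
# Restrict the trace to ICMP (protocol 1) from PC1 to PC2
diagnose debug flow filter saddr 192.168.1.10
diagnose debug flow filter daddr 192.168.2.10
diagnose debug flow filter proto 1
# Print the kernel function name and a timestamp on each trace line
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
# Trace the next 10 matching packets, then start "ping 192.168.2.10" from PC1
diagnose debug flow trace start 10
diagnose debug enable

# ... read the trace while the ping runs ...

# Switch debugging off again when finished
diagnose debug disable
diagnose debug reset
```

Each traced packet is followed by the policy ID that matched it; the implicit deny is policy 0, so a trace that reports policy 0 while the ping still succeeds points away from the policy table and toward something else on the box, which is worth knowing before spending time rewriting policies.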

Wanderer (Author)
Explorer
April 7, 2022

Hi,

No, I just installed the FG, set the hostname, IP addresses of WAN, LAN1 and LAN2 interfaces, allowed ping on all interfaces but http/https only on the WAN, set the LAN1 as DHCP server, and changed the settings to policy based. The rest is the configuration by default (only the deny all policy exists). If it helps, it's a KVM virtualized FG, but I think it should not be important.


I thought about debugging it, but the thing is that it should not match anything. Tomorrow I will, if I don't find any logic behind it.


Regards,

Wanderer (Author)
Explorer
April 8, 2022

Finally I found the issue. I was racking my brain, watching how the matching policy was the default one, and even so the traffic was allowed through the Fortigate.

It was an issue with the memory assigned to the VM: it was less than recommended, but all this time the lab had worked perfectly with profile-based configurations. Now I just assigned more vRAM, and everything started to work as expected.

Debbie_FTNT
Staff & Editor
April 20, 2022

Hey Wanderer,

Thanks for sharing the solution with us :).