Article Id 266701
Description: This article describes the case when policy lookup matches the implicit deny policy and no explicit policy exists from the source interface 'src-interface' to the destination interface 'dst-interface' as determined by a route lookup to 'x.x.x.x'.
Scope: FortiGate.




Traffic coming from source IP 172.x.x.x should reach IP 10.x.x.x and be NATed to 192.x.x.x.


  • Take a debug to see whether the traffic is hitting the policy (in this scenario, the traffic did not hit the correct firewall policy).
  • Check if there are multiple VIPs configured with the same destination IP.


Solution: Remove the duplicate VIP.


Note: If a Virtual IP (VIP) is configured and the destination IP matches the VIP, FortiGate will apply the VIP policy (if one is configured for the VIP).
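
One way to run the duplicate-VIP check described above against a saved configuration backup is sketched below. This is an added example, not Fortinet code: the VIP names and addresses in the sample are constructed, and the function names are hypothetical. It assumes an exact match on the `extip` string is sufficient, so `extip` ranges are not expanded.

```python
from collections import defaultdict

# Constructed sample of a FortiGate config backup (names and addresses are made up).
SAMPLE_CONFIG = """
config firewall vip
    edit "vip-web"
        set extip 10.0.0.10
        set mappedip "192.168.1.10"
    next
    edit "vip-web-old"
        set extip 10.0.0.10
        set mappedip "192.168.1.20"
    next
    edit "vip-mail"
        set extip 10.0.0.25
        set mappedip "192.168.1.25"
    next
end
"""

def parse_vips(config_text):
    """Return {vip_name: {setting: value}} from the 'config firewall vip' block."""
    vips, name, depth, in_vip = {}, None, 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1  # track nesting so sub-blocks inside a VIP are skipped
            if depth == 1:
                in_vip = line == "config firewall vip"
        elif line == "end":
            depth -= 1
            in_vip = in_vip and depth > 0
        elif in_vip and depth == 1:
            if line.startswith("edit "):
                name = line[5:].strip().strip('"')
                vips[name] = {}
            elif line == "next":
                name = None
            elif name and line.startswith("set "):
                key, _, value = line[4:].partition(" ")
                vips[name][key] = value.strip().strip('"')
    return vips

def duplicate_extips(vips):
    # Group VIP names by external IP; keep only IPs shared by more than one VIP.
    by_ip = defaultdict(list)
    for name, settings in vips.items():
        if "extip" in settings:
            by_ip[settings["extip"]].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
```

Calling `duplicate_extips(parse_vips(text))` on the backup text returns each shared external IP with the VIP names that use it, which identifies the candidates to review before removing the duplicate.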