Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pavankr5
Staff
Staff

Created on ‎08-02-2023 11:23 PM

Article Id 266701

Technical Tip: Cannot see policy in policy lookup even though policy is configured for incoming traffic

Description This article describes the case when policy lookup matches the implicit deny policy and no explicit policy exists from the source interface 'src-interface' to the destination interface 'dst-interface' as determined by a route lookup to 'x.x.x.x'.
Scope FortiGate.
Solution
 

image.png

 

Scenario:

Traffic that is coming from Source IP 172.x.x.x should reach IP 10.x.x.x will NAT to 192.x.x.x.

 

  • Take a debug to see if it is hitting the policy (in this scenario traffic did not hit the correct firewall policy).
  • Check if there are multiple VIPs configured with the same destination IP.

 

Solution: Remove duplicate VIP.

 

Note: If a Virtual IP (VIP) is configured and the destination IP matches the VIP, FortiGate will apply the VIP policy (if one is configured for the VIP).
356
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.