FortiGate
aahmadbasri
Staff
Article Id 344074
Description This article describes how to troubleshoot issues where traffic does not match any policy even though the policy has already been created.
Scope FortiGate.
Solution

In this example, a policy has been created to allow all traffic from port2 to port1 (internet); however, traffic does not match the policy. A ping test from the user (10.xx.xx.59) to 8.8.8.8 fails because no policy is matched.

The debug flow output shows the following:

 

id=65308 trace_id=2 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-XXX is not active"
id=65308 trace_id=2 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-XXX is not active"

...
id=65308 trace_id=2 func=__iprope_check_one_policy line=2251 msg="policy-0 is matched, act-drop"

...
id=65308 trace_id=2 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
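As an added example that is not part of the original article, the following Python script parses debug flow lines of the shape shown above, groups them by trace_id, and reports whether the packet fell through to the implicit deny (policy 0) after the expected policy was reported "not active". The sample lines are constructed; policy id 1 and the trace_id 3 accept line are assumptions used for illustration, not values from the article.

```python
import re
from collections import defaultdict

# Constructed sample of `diagnose debug flow` trace output (not the article's redacted log).
# The message shapes mirror the article: the expected policy is reported "not active", the
# implicit deny (policy 0) is matched, and the packet is denied by the forward policy check.
# trace_id=3 is an assumed second trace where the policy does match, for contrast.
SAMPLE_DEBUG_FLOW = """\
id=65308 trace_id=2 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-1 is not active"
id=65308 trace_id=2 func=__iprope_check_one_policy line=2251 msg="policy-0 is matched, act-drop"
id=65308 trace_id=2 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=3 func=__iprope_check_one_policy line=2251 msg="policy-1 is matched, act-accept"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
NOT_ACTIVE_RE = re.compile(r"policy-(\S+) is not active")
MATCHED_RE = re.compile(r"policy-(\d+) is matched, act-(\w+)")
DENIED_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def summarize_debug_flow(text):
    """Group debug-flow lines by trace_id and extract the policy decisions for each trace."""
    traces = defaultdict(lambda: {"skipped": [], "matched": None, "action": None, "denied_by": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace, msg = traces[m["trace"]], m["msg"]
        hit = NOT_ACTIVE_RE.search(msg)
        if hit:
            trace["skipped"].append(hit.group(1))   # policies evaluated but reported not active
            continue
        hit = MATCHED_RE.search(msg)
        if hit:
            trace["matched"], trace["action"] = hit.group(1), hit.group(2)
            continue
        hit = DENIED_RE.search(msg)
        if hit:
            trace["denied_by"] = hit.group(1)
    return dict(traces)


def explain(trace):
    """Turn one trace summary into the next troubleshooting step the article suggests."""
    if trace["matched"] == "0" or trace["denied_by"] == "0":
        skipped = ", ".join(trace["skipped"]) or "none"
        return (f"implicit deny: no configured policy matched (policies skipped as not active: {skipped}); "
                "check routes, run policy lookup, then inspect the named address/service/schedule objects")
    if trace["matched"] is not None:
        return f"policy {trace['matched']} matched with action {trace['action']}"
    return "no policy decision found in this trace"


if __name__ == "__main__":
    for trace_id, trace in summarize_debug_flow(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {trace_id}: {explain(trace)}")
```

Pasting a real debug flow capture into SAMPLE_DEBUG_FLOW (or reading it from a file) is enough to get a per-trace verdict; the regexes only depend on the `trace_id=`, `func=` and `msg=` fields shown in the article's output.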

To troubleshoot this issue, the following can be done:

  1. Check the route for both source and destination.

 

get router info routing-table details 10.xx.xx.59

Routing table for VRF=0
Routing entry for 10.xx.xx.0/20
Known via "connected", distance 0, metric 0, best
* is directly connected, port2
get router info routing-table details 8.8.8.8

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.xx.xx.254, via port1

  2. Use the policy lookup to confirm whether the existing policy will be matched. In the policy lookup below, the traffic does not match any policy.

    KB_Sept_2_1.png

  3. Review the policy. The expected policy has been configured from port2 to port1 with schedule ALWAYS and service ALL.
config firewall policy
    edit 1
        set name "InternetPolicy"
        set uuid f3cf2668-6e3f-51ef-2565-4a69cfb8e92d
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

Verify that all named objects are configured correctly. This can be done by hovering over each object in the policy.

KB_Sept_2_2.png

KB_Sept_2_3.png

The service ALL has been changed to specific ports, which causes the traffic not to match the policy.

KB_Sept_2_4.png

Ensure that the proper name is used to represent its object. In this example, the service is named 'ALL', but it is configured for only a few specific ports.

If the policy still does not match after confirming the steps mentioned above, hover over the schedule 'always' in the policy and make sure it includes all seven days with no scheduled time window set.

In the following example, Saturday and Sunday are missing, and the time window is only 9:00 AM to 12:00 PM.

Bad Schedule.png

The correct schedule looks like this:

Schedule.png

Objects whose names do not reflect their contents can be confusing when configuring policies and troubleshooting policy-related issues.
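As an added example that is not part of the article, the following Python script automates the object review from step 3 onward: it parses a FortiGate CLI configuration dump and checks, for one policy, that a service named 'ALL' really covers all protocols and that a schedule named 'always' covers all seven days with no time window. The configuration text is constructed to reproduce both mistakes the article shows; the parser is a simplified one that only handles the top-level blocks used here, and the check assumes that a correct 'ALL' service is `set protocol IP` and a correct 'always' schedule has `start`/`end` of 00:00, as on a default FortiGate.

```python
import shlex

# Constructed FortiGate CLI configuration (not taken from the article) that reproduces the
# two mistakes it describes: a custom service named "ALL" that only covers two TCP ports,
# and a recurring schedule named "always" that skips the weekend and is limited to 09:00-12:00.
SAMPLE_CONFIG = """\
config firewall service custom
    edit "ALL"
        set category "General"
        set tcp-portrange 80 443
    next
end
config firewall schedule recurring
    edit "always"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 12:00
    next
end
config firewall policy
    edit 1
        set name "InternetPolicy"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

DAY_ORDER = ["sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday"]


def parse_fortigate_config(text):
    """Parse top-level `config <section>` blocks into {section: {entry: {key: [values]}}}.
    Simplified parser: nested config blocks inside an entry are skipped."""
    sections, section, entry, nested = {}, None, None, 0
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if nested:                          # inside a nested block we do not model
            nested += (cmd == "config") - (cmd == "end")
            continue
        if cmd == "config":
            if section is None:
                section = " ".join(args)
                sections.setdefault(section, {})
            else:
                nested = 1
        elif cmd == "edit" and section is not None:
            entry = sections[section].setdefault(args[0], {})
        elif cmd == "set" and entry is not None:
            entry[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = None
    return sections


def check_policy_objects(cfg, policy_id):
    """Report policy objects whose names promise more coverage than their contents give."""
    findings = []
    policy = cfg["firewall policy"][policy_id]
    services = cfg.get("firewall service custom", {})
    for name in policy.get("service", []):
        svc = services.get(name)
        if svc is None:                     # object not in this dump; nothing to check
            continue
        # Assumption: a correct "ALL" service is "set protocol IP" (the FortiGate default);
        # anything narrower under that name is exactly the trap the article describes.
        if name.upper() == "ALL" and svc.get("protocol") != ["IP"]:
            ports = svc.get("tcp-portrange", []) + svc.get("udp-portrange", [])
            findings.append(f"service '{name}' is not protocol IP; it only covers ports {' '.join(ports)}")
    schedules = cfg.get("firewall schedule recurring", {})
    for name in policy.get("schedule", []):
        sch = schedules.get(name)
        if sch is None:
            continue
        missing = [d for d in DAY_ORDER if d not in sch.get("day", [])]
        if missing:
            findings.append(f"schedule '{name}' does not include {', '.join(missing)}")
        # Assumption: start/end of 00:00 (or absent) means the schedule is all day.
        start, end = sch.get("start", ["00:00"])[0], sch.get("end", ["00:00"])[0]
        if (start, end) != ("00:00", "00:00"):
            findings.append(f"schedule '{name}' is limited to {start}-{end}")
    return findings


if __name__ == "__main__":
    for finding in check_policy_objects(parse_fortigate_config(SAMPLE_CONFIG), "1"):
        print("FINDING:", finding)
```

Running the script against the constructed configuration produces three findings (the narrowed service, the missing weekend days and the 09:00-12:00 window); once the service is set back to protocol IP and the schedule to all seven days with no window, the same check returns nothing, which is the state the article's last screenshot shows.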