FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
aahmadbasri
Staff
Article Id 344074
Description
This article describes how to troubleshoot issues where traffic does not match any policy although the policy has already been created.
Scope
FortiGate.
Solution

In this example, a policy has been created to allow all traffic from port2 to port1 (internet); however, the traffic does not match the policy. A ping test from the user (10.xx.xx.59) to 8.8.8.8 fails because no policy matches.

The debug flow shows the following:

id=20085 trace_id=25 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"

To troubleshoot this issue, the following can be done:

  1. Check the route for both the source and the destination.

get router info routing-table details 10.xx.xx.59

Routing table for VRF=0
Routing entry for 10.xx.xx.0/20
Known via "connected", distance 0, metric 0, best
* is directly connected, port2

get router info routing-table details 8.8.8.8

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.xx.xx.254, via port1

  2. Use the Policy Lookup tool to confirm whether the existing policy would be matched. In the policy lookup below, the traffic does not match any policy.

     [Image: KB_Sept_2_1.png]

  3. Review the policy. The expected policy has been configured from port2 to port1 with schedule always and service ALL.

config firewall policy
    edit 1
        set name "InternetPolicy"
        set uuid f3cf2668-6e3f-51ef-2565-4a69cfb8e92d
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

Verify that all named objects are configured correctly. This can be done by hovering over each object in the policy.

[Image: KB_Sept_2_2.png]

[Image: KB_Sept_2_3.png]

Notice that the service named ALL has been changed to specific ports, which causes the traffic not to match the policy.

[Image: KB_Sept_2_4.png]

Ensure that the name used for an object accurately represents what it contains. In this example, the service is named ALL but it is configured only for some specific ports.

Such a mismatch causes confusion when configuring policies and when troubleshooting policy-related issues.
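As an added example that is not part of this article and not FortiOS code, the following Python script models the three checks above (route lookup, policy lookup, policy review) against a constructed FortiOS-style configuration in which a service object named ALL is restricted to TCP 80 and 443, the situation the article found. The configuration text, the routing table (10.0.0.0/20 via port2, default route via port1) and the client address 10.0.5.59 are constructed stand-ins for the redacted values; the parser handles only the config/edit/set/next/end subset shown, address objects are assumed to be "all", and port ranges are read in the form 80 or 80-443. Nothing here talks to a FortiGate: it reproduces the matching logic so the reason for the "policy 0" (implicit deny) result becomes visible.

```python
import ipaddress
import shlex

# Constructed FortiOS-style configuration (not from a real device): a service object
# misleadingly named ALL that only covers TCP 80 and 443, a proper ICMP service, and the
# policy from the article without its device-specific uuid.
SAMPLE_CONFIG = """
config firewall service custom
    edit "ALL"
        set tcp-portrange 80 443
    next
    edit "PING"
        set protocol ICMP
    next
end
config firewall policy
    edit 1
        set name "InternetPolicy"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

# Constructed routing table standing in for the two routes in the article: prefix -> egress interface.
ROUTES = {"10.0.0.0/20": "port2", "0.0.0.0/0": "port1"}


def parse_config(text):
    """Parse the config/edit/set/next/end subset of FortiOS CLI syntax into
    {table: {entry_id: {key: [values]}}}; shlex strips the quotes around values."""
    tables, stack = {}, []
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            stack.append(tables.setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return tables


def route_lookup(ip):
    """Step 1: longest-prefix match against ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(ip)
    hits = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(hits, key=lambda n: n.prefixlen))] if hits else None


def service_matches(svc, proto, dport):
    """Does one 'firewall service custom' entry cover proto/dport? 'set protocol IP' means
    any traffic, 'set protocol ICMP' means ping, otherwise the tcp/udp/sctp port ranges apply."""
    protocol = svc.get("protocol", ["TCP/UDP/SCTP"])[0]
    if protocol == "IP":
        return True
    if protocol == "ICMP":
        return proto == "icmp"
    for rng in svc.get(f"{proto}-portrange", []):
        lo, _, hi = rng.partition("-")
        if int(lo) <= dport <= int(hi or lo):
            return True
    return False


def policy_lookup(tables, src_ip, dst_ip, proto, dport=0):
    """Step 2: emulate Policy Lookup. Returns (matching policy id or None, list of reasons).
    Only the interface pair and the service are evaluated; addresses are assumed to be 'all'."""
    srcintf, dstintf = route_lookup(src_ip), route_lookup(dst_ip)
    reasons = [f"route: {src_ip} via {srcintf}, {dst_ip} via {dstintf}"]
    if srcintf is None or dstintf is None:
        return None, reasons + ["no route for source or destination"]
    services = tables.get("firewall service custom", {})
    for pid, pol in tables.get("firewall policy", {}).items():
        if srcintf not in pol.get("srcintf", []) or dstintf not in pol.get("dstintf", []):
            reasons.append(f"policy {pid}: interface pair {srcintf}->{dstintf} not in policy")
            continue
        names = pol.get("service", [])
        if not any(service_matches(services.get(n, {}), proto, dport) for n in names):
            reasons.append(f"policy {pid}: service {names} does not cover {proto}/{dport}")
            continue
        return pid, reasons + [f"policy {pid}: matched"]
    return None, reasons + ["Denied by forward policy check (policy 0)"]


def misnamed_all_services(tables):
    """Step 3 helper: flag service objects named ALL whose protocol is not IP, i.e. objects
    restricted to specific ports or one protocol despite the name."""
    return [name for name, svc in tables.get("firewall service custom", {}).items()
            if name.upper() == "ALL" and svc.get("protocol", ["TCP/UDP/SCTP"])[0] != "IP"]


TABLES = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    # Constructed client address 10.0.5.59 stands in for the redacted 10.xx.xx.59.
    for proto, port in (("icmp", 0), ("tcp", 443)):
        pid, why = policy_lookup(TABLES, "10.0.5.59", "8.8.8.8", proto, port)
        print(f"{proto}/{port}: policy={pid}")
        for line in why:
            print("  ", line)
    print("services named ALL but restricted:", misnamed_all_services(TABLES))
```

Running the script shows ping ending in the same "policy 0" result as the debug flow while TCP/443 matches policy 1; replacing the port range in the ALL object with `set protocol IP` makes ping match too, which is the correction the article points at.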