Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Gab_FTNT
Staff
Staff

Created on ‎11-20-2024 09:46 PM

Article Id 358970

Technical Tip: Policy Match lookup tool not matching correct policy or hitting default implicit deny

Description This article describes a scenario where policy match lookup is not selecting the correct policy or hit the implicit denied policy.
Scope FortiGate.
Solution Policy lookup is a GUI tool used to lookup which policy will be used to allow or deny specific traffic.
The tool is available under Policy & Objects -> Firewall Policy -> Policy Match

The following policy example uses a specific source, destination, and specific services.

Policy15.PNG
The SFTP Service has been configured to use a specific source port as follows.

Untitled.png
Using the Policy lookup without specifying the source port used in the service will result in hitting the Implicit_Deny Policy.

Policy not matched.PNGmatchedpolicydeny.PNG
Even though it is marked as 'Optional' in the GUI, the Service has been set with a specific source port, therefore the only way to match the Service is to specify a source port that is within the range that the Service has been assigned.

1000.PNGMatch.PNG
216
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.