Description
This article discusses a site-to-site VPN between Azure and FortiGate in which traffic initiated from Azure (for example, a ping) is answered by the FortiGate, but traffic initiated from the FortiGate side toward Azure is dropped by policy 0, the implicit deny.
Scope
FortiGate
Solution
The traffic is denied by policy 0 because a captive portal is enabled at the interface level: until the source is authenticated, the flow does not match the intended firewall policy and falls through to the implicit deny.
Once authentication is disabled on the interface, the traffic matches the correct policy and is forwarded.
The flow debug usually shows the following:
id=20085 trace_id=548 func=iprope_policy_group_check line=4367 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=548 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
To resolve the issue, either disable the captive portal on the interface, add an exemption for the affected traffic, or move the captive portal (authentication) to the policy level.
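As an added example (not part of the original article), the FortiOS CLI below first collects the flow trace for the Azure-bound traffic and then shows the interface setting that produces the policy 0 drop next to the three corrections just described. The interface name port2, the tunnel interface to_azure, the address object azure-lan, the user group azure-users, the host 10.10.0.4 and policy ID 10 are hypothetical and must be replaced with the values of the actual deployment.

```fortios
# Hypothetical names: port2 = ingress (LAN-side) interface, to_azure = IPsec
# tunnel interface, azure-lan = address object for the Azure subnet,
# azure-users = user group, 10.10.0.4 = a host on the Azure side.

# 1. Reproduce the drop: trace forwarded traffic to/from the Azure host and
#    show the policy-lookup (iprope) function names seen in the article.
diagnose debug reset
diagnose debug flow filter addr 10.10.0.4
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 20
# ... ping 10.10.0.4 from a host behind port2, then stop tracing:
diagnose debug flow trace stop
diagnose debug disable

# 2. The setting that causes "Denied by forward policy check (policy 0)":
#    a captive portal enforced on the ingress interface with no exemption.
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "azure-users"
    next
end

# Fix A: disable the interface-level captive portal entirely.
config system interface
    edit "port2"
        set security-mode none
    next
end

# Fix B: keep the interface captive portal, but exempt the Azure-bound flow
#    on the policy that carries it.
config firewall policy
    edit 10
        set name "lan-to-azure"
        set srcintf "port2"
        set dstintf "to_azure"
        set srcaddr "all"
        set dstaddr "azure-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set captive-portal-exempt enable
    next
end

# Fix C: move authentication from the interface to the policy. Remove the
#    interface captive portal and require the user group on the policy
#    instead, so only this policy's traffic triggers authentication.
config system interface
    edit "port2"
        set security-mode none
    next
end
config firewall policy
    edit 10
        set groups "azure-users"
    next
end
```

After applying one of the fixes, rerun the trace in step 1: the line "Denied by forward policy check (policy 0)" should be replaced by a match on the intended policy ID. An interface-level exemption (config user security-exempt-list, referenced from the interface with set security-exempt-list) is a further option when the captive portal must stay on the interface but several policies need to bypass it.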
Note:
The issue above was seen on site-to-site VPN traffic, but the same behaviour applies to ordinary (non-VPN) forwarded traffic. Ping may sometimes succeed while other services are denied.
Another reason a policy stops matching is that its Schedule or Service was modified so that the traffic no longer fits the policy.
Related article:
Technical Tip: Error 'policy-0 is matched, act- drop'
Copyright 2025 Fortinet, Inc. All Rights Reserved.