Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
guptas
Staff
Staff

Created on ‎03-31-2021 07:27 AM

Article Id 194737

Technical Tip: Traffic denied by Policy 0

Description
Site to Site VPN configuration between AZURE and Fortigate.

When the Azure send ping to FortiGate then Fortigate responded and when FortiGate initiated the ping traffic Azure then its drop by Policy 0.

Solution
The traffic being denied by policy 0 since captive portal was enabled on interface level.
When the authentication is disabled on interface then traffic will move from correct policy.

This the error message usually you will get in the flow debug.
id=20085 trace_id=548 func=iprope_policy_group_check line=4367 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=548 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
To resolve this issue, disable the captive portal on interface or add exemption or enable the captive portal on policy level.

Note.
Above issue occurred in Site to Site VPN.
It can valid for the normal traffic flow as well.

7297
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.