FortiGate
sprasanta
Staff
Article Id 191061

Description

This article describes a situation in which FortiGate drops traffic and the debug flow reports that the packet was denied because no firewall policy matched (the implicit deny, policy id 0), even though a firewall policy that should match the traffic exists.


The traffic fails to match the firewall policy because one of the default objects referenced by the policy has been modified, such as:

  • Address object ('all').
  • Schedule ('always').
  • Service ('ALL').


When a packet does not match the configured firewall policy, capture a debug flow with the specific source and destination IP addresses in the filter, together with the specific TCP/UDP port numbers. The following article explains how to set filters within a debug flow:
Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...


After enabling the debug flow, generate the traffic to reproduce the issue. The debug flow will report that the packet is dropped by the implicit deny policy (policy id 0). If an IPv4 policy that should allow the traffic is configured on FortiGate and the traffic still hits the implicit deny, verify each object referenced by that firewall policy.
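The following is an added example of the capture described above; it is not part of the original article. The IP addresses, port, interface names and session id are constructed for illustration, and the four output lines are constructed in the format FortiGate prints for a packet that falls through to the implicit deny (the `line=` numbers differ between FortiOS builds).

```text
# Constructed example: debug flow filtered to one client (10.0.0.5)
# opening an HTTPS connection to 192.0.2.10.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.0.5
diagnose debug flow filter daddr 192.0.2.10
diagnose debug flow filter proto 6
diagnose debug flow filter dport 443
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Generate the traffic from the client now. Constructed output for a packet
# that matches no policy:
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51234->192.0.2.10:443) from port1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000abcd"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=765 msg="Denied by forward policy check (policy 0)"

# "policy 0" in the last line is the implicit deny. Stop the trace and clear
# the filter when finished so the filter does not linger for later captures:
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
```

The filter on source, destination, protocol and destination port keeps the trace limited to the flow under investigation; without it the output on a busy unit is too noisy to read.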

 

Because of a misconfiguration or a requirement within the company, the network administrator might have modified the 'Service' named 'ALL' to allow only a specific port or range of ports. If the 'Service' named 'ALL' no longer matches all ports, traffic using a policy that references it will be dropped by the implicit deny policy (policy id 0).

 

The same behavior is observed when the other default objects, such as the 'always' schedule and the 'all' address object, are modified by the FortiGate administrator.

 

The snapshots below show how the default objects look:

Default Service: ALL

Default Schedule: always

Default Address Object: all


Solution

Default Schedule: always.

Default Address Object: all.
Manually verify each of the objects ('ALL' service, 'always' schedule and 'all' address) by selecting 'Edit' in the GUI, or by inspecting the object in the CLI configuration, and set it back to the default or to the values the requirement calls for.

 

If the address object, schedule or service does not match the screenshots above, make the required changes so that the traffic matches the intended firewall policy on FortiGate.
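The following is an added CLI walkthrough of that verification, not part of the original article. The `show` output shown for the default state is what a factory-default FortiGate prints for these three objects; the modified 'ALL' service is a constructed example of the misconfiguration the article describes, and the exact attribute list printed by `show full-configuration` varies by FortiOS version.

```text
# 1. Service 'ALL' must have protocol IP and no port ranges.
show firewall service custom ALL
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
    next
end

# A modified 'ALL' that only covers TCP 80 and 443 looks like this instead.
# Every policy that references it then matches only those two ports, and all
# other traffic falls through to the implicit deny (policy id 0):
config firewall service custom
    edit "ALL"
        set category "General"
        set tcp-portrange 80 443
    next
end

# Restore the default. Assumed order: clear the port ranges first, then set
# the protocol back to IP (setting protocol IP is what makes the service
# match every port and protocol again).
config firewall service custom
    edit "ALL"
        unset tcp-portrange
        unset udp-portrange
        set protocol IP
    next
end

# 2. Schedule 'always' must cover all seven days with no time window.
show firewall schedule recurring always
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end

# 3. Address 'all' must be the 0.0.0.0/0 subnet.
# (show full-configuration also prints uuid and other defaults, omitted here)
show full-configuration firewall address all
config firewall address
    edit "all"
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    next
end
```

Comparing the `show` output against these expected values is faster than opening each object in the GUI, and it works the same way over SSH on a unit whose GUI is unreachable. If the company requirement genuinely needs a restricted service, create a separate named service for it rather than narrowing 'ALL', so that other policies that reference 'ALL' keep their original scope.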