Created on 03-02-2020 06:55 AM Edited on 11-28-2024 06:03 AM By Jean-Philippe_P
Description
This article describes a case where FortiGate drops traffic and the debug flow shows the traffic being denied because no firewall policy matched (policy id 0), even though a matching firewall policy exists.
The traffic fails to match the firewall policy because one of the default objects referenced by the policy has been modified, such as the service 'ALL', the schedule 'always' or the address object 'all'.
When a packet does not match the configured firewall policy, run a debug flow with the specific source and destination IP addresses and the specific TCP/UDP port numbers set in the filter. The link below explains how to set filters within a debug flow:
Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...
After enabling the debug flow, generate traffic to reproduce the issue. The debug flow reports that the packet is dropped by the implicit deny policy (policy id 0):
id=20085 trace_id=548 func=iprope_policy_group_check line=4367 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=548 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
However, a matching IPv4 policy that allows the traffic is configured on the FortiGate, and the traffic still hits the implicit deny policy. In such scenarios, verify each object referenced by the firewall policy that is supposed to allow the traffic.
Due to misconfiguration or a requirement within the company, the network administrator might have modified the service named 'ALL' to allow only a specific port or a range of ports. If the service 'ALL' is no longer configured to allow traffic on all ports, traffic outside that range does not match the policy and is dropped by the implicit deny policy id 0.
The same behavior is observed when other default objects, such as the schedule 'always' and the address object 'all', are modified by the FortiGate administrator.
The snapshots below show how the default objects look:
Default Service: ALL
Default Schedule: always
Default Address Object: all
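The following Python script is an added example, not part of this article and not Fortinet code. It automates the two checks described above: it scans debug flow output for packets denied by the implicit policy 0, and it parses the output of `show firewall service custom ALL`, `show firewall schedule recurring always` and `show firewall address all` to flag settings that indicate the default objects were modified. The debug flow lines and the `show` output embedded in it are constructed samples (the uuid is a placeholder). The script assumes plain `show` output, where settings at their default value are hidden, rather than `show full-configuration`, and the list of settings it treats as evidence of modification is an assumption based on what the default objects contain.

```python
import re

# Constructed sample of debug flow output (not a real capture): the two lines
# quoted in the article plus an accepted flow for contrast.
DEBUG_FLOW_SAMPLE = """\
id=20085 trace_id=548 func=iprope_policy_group_check line=4367 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=548 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=549 func=fw_forward_handler line=599 msg="Allowed by Policy-5:"
"""

# Constructed 'show' output in which an administrator restricted the default
# service 'ALL' to a port range. Plain 'show' hides settings at their default
# value, so the original 'set protocol IP' line disappears once a TCP port
# range is configured (the protocol silently becomes TCP/UDP/SCTP).
MODIFIED_SHOW_SAMPLE = """\
config firewall service custom
    edit "ALL"
        set category "General"
        set tcp-portrange 80-443
    next
end
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
config firewall address
    edit "all"
        set uuid 00000000-0000-0000-0000-000000000000
    next
end
"""

# The same objects in their default state (constructed; uuid is a placeholder).
DEFAULT_SHOW_SAMPLE = MODIFIED_SHOW_SAMPLE.replace(
    "        set tcp-portrange 80-443\n", "        set protocol IP\n")

IMPLICIT_DENY_RE = re.compile(
    r'trace_id=(\d+)\s.*msg="Denied by forward policy check \(policy 0\)"')

ALL_DAYS = {"sunday", "monday", "tuesday", "wednesday",
            "thursday", "friday", "saturday"}


def find_implicit_deny_traces(debug_output: str) -> list:
    """Return trace_ids of packets that hit the implicit deny policy (id 0)."""
    traces = []
    for line in debug_output.splitlines():
        match = IMPLICIT_DENY_RE.search(line)
        if match and int(match.group(1)) not in traces:
            traces.append(int(match.group(1)))
    return traces


def parse_show_output(text: str) -> dict:
    """Parse flat FortiOS 'show' output into {"<section>/<object>": {setting: value}}.

    Handles config/edit/set/next/end; nested config tables inside an edit
    block are not needed for these three objects and are not supported.
    """
    objects, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
        elif line.startswith("edit "):
            name = line[len("edit "):].strip('"')
            current = objects.setdefault(f"{section}/{name}", {})
        elif line.startswith("set ") and current is not None:
            key, _, value = line[len("set "):].partition(" ")
            current[key] = value
        elif line == "next":
            current = None
    return objects


def audit_default_objects(objects: dict) -> dict:
    """Return {object_name: [settings]} for default objects that no longer look default.

    Which settings count as a modification is an assumption based on what the
    default 'ALL', 'always' and 'all' objects contain on a fresh configuration.
    """
    findings = {}

    # Service 'ALL': protocol IP, no port ranges, no protocol number.
    svc = objects.get("firewall service custom/ALL", {})
    bad = [k for k in ("tcp-portrange", "udp-portrange", "sctp-portrange",
                       "protocol-number", "iprange") if k in svc]
    if svc.get("protocol") != "IP":
        bad.append("protocol")
    if bad:
        findings["ALL"] = bad

    # Schedule 'always': every day, no start/end time (00:00 defaults are hidden).
    sched = objects.get("firewall schedule recurring/always", {})
    bad = [k for k in ("start", "end") if k in sched]
    if set(sched.get("day", "").split()) != ALL_DAYS:
        bad.append("day")
    if bad:
        findings["always"] = bad

    # Address 'all': no subnet/range/FQDN/type (the 0.0.0.0/0 default is hidden).
    addr = objects.get("firewall address/all", {})
    bad = [k for k in ("subnet", "start-ip", "end-ip", "fqdn", "type",
                       "associated-interface") if k in addr]
    if bad:
        findings["all"] = bad

    return findings


if __name__ == "__main__":
    print("trace_ids denied by implicit policy 0:",
          find_implicit_deny_traces(DEBUG_FLOW_SAMPLE))
    for name, keys in audit_default_objects(parse_show_output(MODIFIED_SHOW_SAMPLE)).items():
        print(f"default object '{name}' has been modified: {', '.join(keys)}")
```

Run against real output by pasting the text of the three `show` commands into `parse_show_output` and the debug flow capture into `find_implicit_deny_traces`; a non-empty result from `audit_default_objects` names the object to inspect before comparing it with the screenshots above.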
Solution
Check the service 'ALL' by selecting 'Edit' in the GUI or by reviewing its configuration, and set it back to the default or adjust it according to the requirement.
If the address object, schedule or service does not match the screenshots above, make the necessary changes so that the traffic matches the intended firewall policy on the FortiGate.
Copyright 2024 Fortinet, Inc. All Rights Reserved.