FortiGate
sramesh1
Staff
Article Id 420187
Description: This article explains an issue where application traffic fails even though a firewall policy allowing the source and destination is in place.
Scope: FortiGate, FortiOS 6.x / 7.x, firewall policy configuration, custom service objects.
Solution

Symptoms:

Administrators may observe the following in the forward traffic logs:

  • Action: Deny.
  • Policy ID: 0 (Implicit Deny).
  • Destination port not listed in any allow policy.
  • Application traffic failing to reach the server.

Even though an allow policy exists for the source and destination addresses, the traffic continues to match the implicit deny policy.

Cause: This issue typically occurs when the application uses non-standard, dynamic, or vendor-specific ports that administrators are not aware of. A firewall policy only matches a session when the incoming/outgoing interfaces, source and destination addresses, schedule and service all match; a destination port that is not covered by the service field of any policy therefore never matches, regardless of the address objects.

As a result:

  • The traffic did not match any existing allow policy.
  • It fell through to the implicit deny policy (ID 0), which drops all unmatched traffic.
  • Logs displayed Deny actions for the affected sessions.

 

Identifying Unknown/Unlisted Ports:

Use the following methods to find the exact port required by the application:

  1. Check the forward traffic logs for the denied sessions: the Destination Port field of a Policy ID 0 entry is the port that no allow policy covers.
  2. Use the built-in sniffer to capture the application's connection attempts. Verbosity level 4 prints the interface name together with the IP header, so the destination port is visible in every line:

diagnose sniffer packet any 'host <server_IP>' 4

  3. Consult the vendor's application documentation for the ports the application requires.
  4. Run a debug flow trace to see which policy a new session hits and the destination port it carries.
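The following FortiGate CLI sequence is an added worked example (it is not part of the original article) covering steps 1 and 4 above: it filters the local traffic log for implicit-deny hits to the server and then traces a fresh connection attempt through the policy lookup. The server address 192.0.2.10, the client address 10.10.10.25 and the trace count of 20 are assumptions; substitute the real hosts.

```fortios
# --- Step 1: list the denied sessions to the server from the local traffic log ---
execute log filter reset
execute log filter category 0              # 0 = traffic log
execute log filter field action deny
execute log filter field policyid 0        # 0 = implicit deny
execute log filter field dstip 192.0.2.10  # assumed server address
execute log display
# Every displayed entry carries dstport=<n>; that value is the port missing
# from the service list of the allow policy.

# --- Step 4: trace a new connection attempt through the policy lookup ---
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter daddr 192.0.2.10   # assumed server address
diagnose debug flow filter saddr 10.10.10.25  # assumed client address
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable        # print the policy lookup itself
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
# Reproduce the connection from the client. A session that falls through to the
# implicit deny is reported with a line such as:
#   msg="Denied by forward policy check (policy 0)"
# and the preceding lines show the 5-tuple (proto, src:sport -> dst:dport) of the
# attempt, which gives the exact destination port to add.
diagnose debug disable
diagnose debug reset
```

Omit the # annotation lines when pasting into the CLI. Always finish with diagnose debug disable and diagnose debug reset so the trace does not keep running on a production unit.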

 

 

Example: A third-party application uses TCP port 9005 for agent communication. Since this port was not included in any service group within the firewall rule, traffic failed and hit the implicit deny policy.

 

Solution:

  1. Create a custom service for the required port.

 

Navigate to: Policy & Objects -> Services -> Create New.

 

Specify: 

  • Service Name.
  • Protocol (TCP/UDP).
  • Destination port or port range.

 

CLI example:

 

config firewall service custom
    edit "<custom_service>"
        set tcp-portrange <port_number>
    next
end

 

  2. Add the service to the relevant firewall policy.

Navigate to: Policy & Objects -> Firewall Policy -> Edit Policy -> Services. Add the newly created service to the allowed services list.

 

CLI example:

 

config firewall policy
    edit <policy_id>
        append service "<custom_service>"
    next
end

 

  3. Verify traffic flow.

After updating the policy:

  • New sessions should match the correct firewall policy.
  • Logs should show Accept rather than Deny.
  • The application should operate normally.
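Carrying the TCP 9005 example through all three steps, as an added worked example that is not from the original article: the service name TCP-9005, the policy ID 12, the client 10.10.10.25 arriving on interface port2 and the server 192.0.2.10 are assumptions chosen for illustration. The iprope lookup and the session filter go slightly beyond the steps above; they confirm the policy match both before and after live traffic flows.

```fortios
# --- Step 1: custom service for the agent port (name and comment are assumptions) ---
config firewall service custom
    edit "TCP-9005"
        set comment "Third-party agent communication"
        set tcp-portrange 9005
    next
end

# --- Step 2: append the service to the existing allow policy (ID 12 is assumed) ---
config firewall policy
    edit 12
        append service "TCP-9005"
    next
end
show firewall policy 12       # "TCP-9005" must now appear in 'set service'

# --- Step 3a: predict the match before generating any traffic ---
# Arguments: <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <src_interface>
# Protocol 6 = TCP; the source port 40000 and interface port2 are assumptions.
diagnose firewall iprope lookup 10.10.10.25 40000 192.0.2.10 9005 6 port2
# The lookup should now report policy 12 rather than policy 0.

# --- Step 3b: confirm live sessions are matching the updated policy ---
diagnose sys session filter clear
diagnose sys session filter dst 192.0.2.10
diagnose sys session filter dport 9005
diagnose sys session list
# Each session entry for the agent shows policy_id=12; the forward traffic log
# shows Accept with the same policy ID for the new sessions.
```

Omit the # annotation lines when pasting into the CLI. Existing TCP sessions that were already being dropped will retry on their own; if an application keeps failing after the change, check whether it also uses a second port (for example a separate UDP or control channel) that is still missing from the service list.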

 

Verification:

 

Use the following methods to confirm the fix:

  • Forward traffic logs to verify policy match and action.
  • Session list ('diagnose sys session list') to validate active sessions and the policy ID they matched.
  • Packet capture if further confirmation is needed.

 

Conclusion:

Traffic may be denied by the implicit deny rule when the application uses a port that is not included in any firewall policy. Creating the required custom service and adding it to the appropriate allow policy resolves the issue and ensures the traffic is correctly matched and permitted.