FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff & Editor
Article Id 197688

Description


This article describes an issue where traffic from a source IP address is denied even though a firewall policy allows it. In a sniffer trace, the traffic arrives on the ingress interface but is never forwarded out.

In a flow debug, the message 'Denied by endpoint check' appears, as described in the related article Troubleshooting Tip: Flow filter log message 'Denied by endpoint check'.


Scope


FortiGate.


Solution


Consider a FortiGate policy configured to allow traffic from one interface to another, and incoming traffic that matches all the conditions of that policy.


In the logs, the action shows as 'Deny: policy violation', and communication from source to destination fails.


One of the reasons for this log is that the source IP has been added as a 'BAN IP' or quarantined on the FortiGate; the source IP then has to be removed from quarantine (whitelisted) before its traffic is allowed.
This can be a result of a DoS policy.


Go to Monitor -> Quarantine Monitor, select the source IP, and delete the entry.
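Before changing the policy, it helps to confirm that a 'deny' entry is actually explained by a quarantined source. The following Python snippet is an added example, not part of the original article: it parses constructed FortiGate key=value traffic-log lines and matches each denied flow's source IP against the addresses read from Monitor -> Quarantine Monitor (the sample log values and the quarantine list are constructed for illustration).

```python
import re

# Constructed sample FortiGate traffic-log lines in key=value syslog format.
# Addresses, dates and policy IDs are illustrative, not from a real device.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.1.1.50 '
    'dstip=192.0.2.10 srcintf="port1" dstintf="port2" action="deny" policyid=5 service="HTTPS"',
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.1.1.51 '
    'dstip=192.0.2.10 srcintf="port1" dstintf="port2" action="accept" policyid=5 service="HTTPS"',
    'date=2024-01-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.1.1.52 '
    'dstip=192.0.2.10 srcintf="port1" dstintf="port2" action="deny" policyid=5 service="HTTPS"',
]

# Constructed: source addresses currently listed under Monitor -> Quarantine Monitor.
QUARANTINED = {"10.1.1.50"}

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(line):
    """Turn one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for m in KV_RE.finditer(line):
        # group(3) is the unquoted content of a quoted value; group(2) is a bare token
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify_denies(lines, quarantined):
    """Map each denied source IP to 'quarantined' (clear it in the Quarantine
    Monitor) or 'not-quarantined' (the deny has another cause, inspect the policy)."""
    result = {}
    for line in lines:
        f = parse_log(line)
        if f.get("action") != "deny":
            continue
        src = f.get("srcip")
        result[src] = "quarantined" if src in quarantined else "not-quarantined"
    return result


if __name__ == "__main__":
    for ip, reason in classify_denies(SAMPLE_LOGS, QUARANTINED).items():
        print(f"{ip}: {reason}")
```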


Related Article:
Troubleshooting Tip: Flow filter log message 'Denied by endpoint check'