FortiGate
nithincs
Article Id 197968

Description


This article describes a potential root cause for a communication problem through a FortiGate where the debug flow output shows the message 'Denied by endpoint check'.

 

Scope

 

FortiGate.

Solution


Assume the following scenario.
                                                          
[ 10.5.52.54 ] ------------  wan2 [FGT ] wan1 ------- [ internet ]

The FortiGate has firewall policies that allow traffic from wan2 to wan1.

Problem: 10.5.52.54 is unable to reach any network through the FortiGate.

Taking a debug flow shows the following:

 

diag debug enable
diag debug flow filter addr 10.5.52.54
diag debug flow trace start 1000

id=20085 trace_id=36 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.54:52467->142.0.160.17:443) from wan2. flag [S], seq 4096242706, ack 0, win 64240"
id=20085 trace_id=36 func=init_ip_session_common line=5625 msg="allocate a new session-016ee29e"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.5.31.254 via wan1"
id=20085 trace_id=36 func=fw_forward_handler line=689 msg="Denied by endpoint check"

 

Verification.
Check whether the source IP has been added to the banned IP list or quarantined on the FortiGate:


dia user quarantine list
src-ip-addr       created                  expires                  cause
10.5.52.54        Fri May  1 16:29:18 2020 indefinite               Administrative

For versions above v7.4.0, use the following command:


diagnose user banned-ip list
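To speed up the verification step, the small script below (an added example, not part of the original article or of FortiOS) parses captured 'diagnose debug flow' output, picks out the sessions that ended in 'Denied by endpoint check', and cross-references their source IPs against a captured 'diagnose user quarantine list' table. The sample texts are constructed to match the formats shown above; the second trace (trace_id 37) is an invented allowed session used as a control.

```python
import re

# Constructed sample of 'diagnose debug flow' output, same format as the article's trace.
DEBUG_FLOW = """\
id=20085 trace_id=36 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.54:52467->142.0.160.17:443) from wan2. flag [S], seq 4096242706, ack 0, win 64240"
id=20085 trace_id=36 func=init_ip_session_common line=5625 msg="allocate a new session-016ee29e"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.5.31.254 via wan1"
id=20085 trace_id=36 func=fw_forward_handler line=689 msg="Denied by endpoint check"
id=20085 trace_id=37 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.60:40001->142.0.160.17:443) from wan2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=37 func=fw_forward_handler line=689 msg="Allowed by Policy-1:"
"""

# Constructed sample of 'diagnose user quarantine list' output.
QUARANTINE_LIST = """\
src-ip-addr       created                  expires                  cause
10.5.52.54        Fri May  1 16:29:18 2020 indefinite               Administrative
"""

# First line of each trace carries the 5-tuple; later lines carry the verdict.
PKT_RE = re.compile(r'trace_id=(\d+) .*?proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
MSG_RE = re.compile(r'trace_id=(\d+) .*?msg="([^"]*)"')

def endpoint_check_denials(flow_text):
    """Return {trace_id: (src, dst, ingress_intf)} for traces denied by the endpoint check."""
    pkts, denied = {}, set()
    for line in flow_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            pkts[m.group(1)] = (m.group(3), m.group(4), m.group(5))
        m = MSG_RE.search(line)
        if m and m.group(2) == "Denied by endpoint check":
            denied.add(m.group(1))
    return {t: pkts[t] for t in denied if t in pkts}

def quarantined_ips(list_text):
    """Parse the quarantine table into {src-ip: cause}, skipping the header row."""
    out = {}
    for line in list_text.splitlines()[1:]:
        cols = line.split()
        if cols:
            out[cols[0]] = cols[-1]
    return out

def explain(flow_text, list_text):
    """Map each endpoint-check-denied source IP to its quarantine cause (None if not quarantined)."""
    q = quarantined_ips(list_text)
    return {src: q.get(src) for (src, _dst, _intf) in endpoint_check_denials(flow_text).values()}
```

A source IP that maps to None was denied by the endpoint check but is absent from the quarantine table, which points to a different cause (for example an entry only visible in the banned-ip list on newer firmware).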


If the source IP is quarantined, remove it from the quarantine list:

 

dia user quarantine delete src4 x.x.x.x          <----- Replace x.x.x.x with the source IP of the PC.

 

For versions above v7.4.0, use the following command:


diagnose user banned-ip delete src4 <source-ip>

 

To verify from the GUI, go to Monitor -> Quarantine Monitor, select the source IP, and delete the entry.


In version 6.4, the quarantined source address list is shown under Dashboard -> Users & Devices -> Quarantine widget.
Expand the widget to get the list of quarantined IPs.
 


To check what triggered the quarantine of those IP addresses, review the entries under Log & Report -> Security Events -> Anomaly Logs.

More information on anomaly logs can be viewed here:

Technical Tip: Explaining the important fields in Anomaly logs