Created on 05-08-2020 03:03 AM, edited on 06-19-2025 06:13 AM by Jean-Philippe_P
Description
This article describes a potential root cause for a communication problem through a FortiGate when the debug flow output shows 'Denied by endpoint check' or 'Rerouted by end point ip filter check'.
Scope
FortiGate.
Solution
Assume the following scenario: [ 10.5.52.54 ] ------------ wan2 [FGT] wan1 ------- [internet].
The FortiGate has firewall policies allowing traffic from wan2 to wan1.
Problem: 10.5.52.54 is not able to reach any network through the FortiGate.
Taking a debug flow shows the following output:
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow filter add <IP_address>
diagnose debug flow trace start 1000
id=20085 trace_id=36 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.54:52467->142.0.160.17:443) from wan2. flag [S], seq 4096242706, ack 0, win 64240"
id=20085 trace_id=36 func=init_ip_session_common line=5625 msg="allocate a new session-016ee29e"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.5.31.254 via wan1"
id=20085 trace_id=36 func=fw_forward_handler line=689 msg="Denied by endpoint check"
Or, in some cases:
2025-02-27 21:10:27 id=65308 trace_id=1 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 15.229.95.152:19279->186.31.140.179:80) tun_id=0.0.0.0 from port5. flag [S], seq 3220690569, ack 0, win 65535"
2025-02-27 21:10:27 id=65308 trace_id=1 func=init_ip_session_common line=6070 msg="allocate a new session-1a73b146"
2025-02-27 21:10:27 id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.10.2 via LACP_SWCORE"
2025-02-27 21:10:27 id=65308 trace_id=1 func=fw_forward_handler line=885 msg="Rerouted by end point ip filter check socktype 4 sockport 1012"
To stop the debugs:
diagnose debug disable
Verification:
Check whether the source IP has been added to the banned IP list or quarantined on the FortiGate:
diagnose user quarantine list
src-ip-addr created expires cause
10.5.52.54 Fri May 1 16:29:18 2020 indefinite Administrative
For versions above v7.4.0, use the command below:
diagnose user banned-ip list
If the source IP is quarantined, remove the source IP from the quarantine list:
diagnose user quarantine delete src4 x.x.x.x <----- Replace x.x.x.x with the source IP of the PC.
For versions above v7.4.0, use the below command:
diagnose user banned-ip delete src4 <source-ip>
To check and remove the entry from the GUI, go to Monitor -> Quarantine Monitor, select the source IP, and delete the entry.
To see what triggered the quarantine of those IP addresses, check Logs and Reports -> Security Events -> Anomaly Logs.
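As an added example (not part of the Fortinet article), the following Python script correlates captured debug flow output with the quarantine list output shown above, flags the source IP of every trace that ended in an endpoint-check verdict, and picks the delete command by FortiOS version. The sample lines are constructed from the article's two traces, the list layout assumed is the 'diagnose user quarantine list' format shown above, and the version threshold follows the article's 'above v7.4.0' rule.

```python
import re
# Constructed sample: debug flow lines modelled on the two traces shown in the article.
DEBUG_FLOW = """\
id=20085 trace_id=36 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.54:52467->142.0.160.17:443) from wan2. flag [S], seq 4096242706, ack 0, win 64240"
id=20085 trace_id=36 func=fw_forward_handler line=689 msg="Denied by endpoint check"
2025-02-27 21:10:27 id=65308 trace_id=1 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 15.229.95.152:19279->186.31.140.179:80) tun_id=0.0.0.0 from port5. flag [S], seq 3220690569, ack 0, win 65535"
2025-02-27 21:10:27 id=65308 trace_id=1 func=fw_forward_handler line=885 msg="Rerouted by end point ip filter check socktype 4 sockport 1012"
"""
# Constructed sample of 'diagnose user quarantine list' output (one banned host).
QUARANTINE_LIST = """\
src-ip-addr created expires cause
10.5.52.54 Fri May 1 16:29:18 2020 indefinite Administrative
"""
ENDPOINT_MSGS = ("Denied by endpoint check", "Rerouted by end point ip filter check")
PKT_RE = re.compile(r"proto=\d+, (\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")
TRACE_RE = re.compile(r"trace_id=(\d+)")

def endpoint_check_hits(debug_output):
    """Return {trace_id: source_ip} for every trace ending in an endpoint-check verdict."""
    src_by_trace, hits = {}, {}
    for line in debug_output.splitlines():
        m_trace = TRACE_RE.search(line)
        if not m_trace:
            continue
        tid = m_trace.group(1)
        m_pkt = PKT_RE.search(line)
        if m_pkt:                      # packet detail line: remember the source IP
            src_by_trace[tid] = m_pkt.group(1)
        elif any(msg in line for msg in ENDPOINT_MSGS) and tid in src_by_trace:
            hits[tid] = src_by_trace[tid]
    return hits

def quarantined_ips(list_output):
    """Parse 'diagnose user quarantine list' output into {source_ip: cause} (assumed layout)."""
    rows = [ln.split() for ln in list_output.splitlines()[1:] if ln.strip()]
    return {parts[0]: parts[-1] for parts in rows}

def remediation_command(ip, fortios_version):
    """Pick the delete command: 'banned-ip' above v7.4.0 (per the article), 'quarantine' otherwise."""
    ver = tuple(int(x) for x in fortios_version.lstrip("v").split("."))
    table = "banned-ip" if ver > (7, 4, 0) else "quarantine"
    return f"diagnose user {table} delete src4 {ip}"

def triage(debug_output, list_output, fortios_version):
    """For each denied trace: (source_ip, is_quarantined, delete command or None)."""
    banned = quarantined_ips(list_output)
    return {tid: (ip, ip in banned, remediation_command(ip, fortios_version) if ip in banned else None)
            for tid, ip in endpoint_check_hits(debug_output).items()}
```

A source that is denied but absent from the list (trace 1 in the sample) points to something other than quarantine and needs a different root cause.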
More information on anomaly logs can be viewed here:
Technical Tip: Explaining the important fields in Anomaly logs
Copyright 2025 Fortinet, Inc. All Rights Reserved.