Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vpalli
Staff
Staff

Created on ‎08-06-2024 10:45 AM Edited on ‎01-14-2025 08:37 AM By Staff

Article Id 330656

Troubleshooting Tip: FortiGate Operating in NAT Mode does not allow Broadcast Traffic destined to 255.255.255.255

Description

This article describes the case when traffic destined to the limited broadcast address 255.255.255.255 is dropped by the FortiGate with the error 'iprope_in_check() check failed on policy 0, drop'.
Scope FortiGate.
Solution

By design, FortiGate operating in NAT mode does not allow/forward the traffic destined to 255.255.255.255. As a result, the following error is expected to appear in the debug flow traces.

id=20085 trace_id=3955 func=print_pkt_detail line=5851 msg="vd-root:0 received a packet(proto=17, 10.10.79.2:5050->255.255.255.255:5050) tun_id=0.0.0.0 from internal3. "
id=20085 trace_id=3955 func=__iprope_check line=2272 msg="gnum-100009, check-5f02aa98"
id=20085 trace_id=3955 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=3955 func=init_ip_session_common line=6023 msg="allocate a new session-00024692, tun_id=0.0.0.0"
id=20085 trace_id=3955 func=iprope_dnat_check line=5337 msg="in-[internal3], out-[]"
id=20085 trace_id=3955 func=iprope_dnat_tree_check line=827 msg="len=1"
id=20085 trace_id=3955 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-100000 policy-31"

id=20085 trace_id=3955 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
id=20085 trace_id=3955 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
id=20085 trace_id=3955 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=20085 trace_id=3955 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=20085 trace_id=3955 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"

The setting 'set broadcast-forward enable' is not applicable for forwarding the traffic destined to 255.255.255.255.

The command 'set broadcast-forward enable' is applicable only for broadcast traffic within a network segment that needs to be forwarded out through another interface on FortiGate (different broadcast domain). For example, to allow the broadcast traffic destined to the subnet's broadcast IP 10.10.79.255/24.

config system interface

    edit "internal3"

        set ip 10.10.79.1 255.255.255.0

        set broadcast-forward enable

    next

 

The article Forwarding IP broadcast to a different network is an example use case of the broadcast-forward option. 
455
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.