FortiGate
P-vs
Staff
Article Id 387279
Description This article describes how to handle an issue where there is no internet access due to a custom schedule in the policy.
Scope FortiGate.
Solution

In some scenarios, users lose internet access after an upgrade or a power cycle because the schedule attached to the policy has changed, or because the schedule created for the policy was simply forgotten.

With a custom schedule, traffic only matches the policy inside the schedule's time window; outside that window the traffic falls through to the implicit deny and the debug flow gives the output shown below.

 

Troubleshooting follows the basic approach for internet access, starting with a ping from the FortiGate itself:

execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=62 time=2.2 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=62 time=2.2 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=62 time=2.2 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=62 time=2.1 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=62 time=2.2 ms

 

The FortiGate's own ping succeeds and the sniffer shows both the echo request and the echo reply, but the debug flow for the client's traffic shows 'Denied by forward policy check (policy 0)', where policy 0 is the implicit deny.

diagnose sniffer packet any "host 1.1.1.1 and icmp" 4
interfaces=[any]
filters=[host 1.1.1.1 and icmp]
6.021877 port3 out 125.16.187.232 -> 1.1.1.1: icmp: echo request
6.024076 port3 in 1.1.1.1 -> 125.16.187.232: icmp: echo reply
7.021907 port3 out 125.16.187.232 -> 1.1.1.1: icmp: echo request
7.024132 port3 in 1.1.1.1 -> 125.16.187.232: icmp: echo reply
8.021925 port3 out 125.16.187.232 -> 1.1.1.1: icmp: echo request
8.024168 port3 in 1.1.1.1 -> 125.16.187.232: icmp: echo reply

id=65308 trace_id=63 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=1, 192.168.100.2:1->1.1.1.1:2048) tun_id=0.0.0.0 from port15. type=8, code=0, id=1, seq=650."
id=65308 trace_id=63 func=init_ip_session_common line=6055 msg="allocate a new session-00013360"
id=65308 trace_id=63 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-125.16.187.225 via port3"
id=65308 trace_id=63 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=49, len=3"
id=65308 trace_id=63 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"

Verify the firewall policy that provides internet access. A quick test is to create a new policy that allows all services with the 'always' schedule; if traffic passes through the new policy, the schedule on the original policy is the cause.
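The CLI steps to verify the schedule referenced by the policy and to reproduce the debug flow output above, added here as an example and not taken from the original article. The policy ID is a placeholder, and the 'always' definition shown is the stock default (every day, start 00:00, end 00:00); values left at their defaults are hidden by 'show', so 'show full-configuration' is used to see the start and end times.

```text
# Check which schedule the internet policy references (replace <id> with the policy ID).
show firewall policy <id>

# Show the schedule definitions, including start/end times that are still at defaults.
show full-configuration firewall schedule recurring
show firewall schedule onetime

# Stock definition of the default 'always' schedule, for comparison.
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 00:00
        set end 00:00
    next
end

# Reproduce the debug flow trace for the client's ICMP traffic to 1.1.1.1.
diagnose debug reset
diagnose debug flow filter addr 1.1.1.1
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable

# Stop the trace when done.
diagnose debug disable
diagnose debug reset
```

If the trace ends in 'Denied by forward policy check (policy 0)' while the policy's interfaces and addresses are correct, compare the schedule's day list and start/end times against the time at which the traffic was sent.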

Internet access will not always work with the schedule shown below, because the policy only matches traffic inside the schedule's window.

[Image: Schedules.jpg]

The default 'always' schedule, which allows traffic 24x7, is also editable. TAC engineers have observed multiple times that administrators change the configuration of this default schedule, which results in traffic being blocked.

If traffic is blocked by a policy that uses the 'always' schedule, the administrator should confirm that the schedule still has its default settings.
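To illustrate why traffic falls through to policy 0 outside a schedule window, and why an edited 'always' schedule has the same effect, the following Python model is added here as an example; it is not FortiGate code and does not reproduce FortiOS internals. It evaluates a recurring schedule against a timestamp and performs a simplified policy lookup on interfaces and schedule only. Schedule names, interfaces, policies and timestamps are constructed for the example; the handling of start == end as a whole-day window and of an end time earlier than the start time as a window running past midnight is the model's own assumption.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Day names indexed by datetime.weekday() (Monday == 0).
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class RecurringSchedule:
    """Simplified model of a recurring schedule (constructed for this example)."""
    name: str
    days: frozenset
    start: time = time(0, 0)
    end: time = time(0, 0)

    def matches(self, when: datetime) -> bool:
        # Model assumption: start == end (e.g. the stock 00:00/00:00) means the
        # whole day; end earlier than start means the window runs past midnight.
        today = DAYS[when.weekday()]
        yesterday = DAYS[(when.weekday() - 1) % 7]
        now = when.time()
        if self.start == self.end:
            return today in self.days
        if self.start < self.end:
            return today in self.days and self.start <= now < self.end
        # Window spans midnight: late on a scheduled day, or early on the day after one.
        if today in self.days and now >= self.start:
            return True
        return yesterday in self.days and now < self.end


# Stock 'always' schedule: every day, 00:00 to 00:00.
ALWAYS = RecurringSchedule("always", frozenset(DAYS))


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    schedule: RecurringSchedule


def forward_policy_check(policies, srcintf, dstintf, when: datetime) -> int:
    """Return the ID of the first policy whose interfaces and schedule match,
    or 0 for the implicit deny ('Denied by forward policy check (policy 0)')."""
    for policy in policies:
        if (policy.srcintf, policy.dstintf) == (srcintf, dstintf) and policy.schedule.matches(when):
            return policy.policyid
    return 0


def check(policies, srcintf, dstintf, timestamp: str) -> int:
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return forward_policy_check(policies, srcintf, dstintf, datetime.fromisoformat(timestamp))


def schedule_matches(schedule: RecurringSchedule, timestamp: str) -> bool:
    """Evaluate a single schedule against an ISO-8601 timestamp string."""
    return schedule.matches(datetime.fromisoformat(timestamp))


WEEKDAYS = frozenset({"monday", "tuesday", "wednesday", "thursday", "friday"})

# Constructed samples: a custom office-hours schedule, a night shift that crosses
# midnight, and an 'always' schedule an administrator has edited down to weekdays.
OFFICE_HOURS = RecurringSchedule("office-hours", WEEKDAYS, time(9, 0), time(18, 0))
NIGHT_SHIFT = RecurringSchedule("night-shift", frozenset({"friday"}), time(22, 0), time(6, 0))
EDITED_ALWAYS = RecurringSchedule("always", WEEKDAYS)

CUSTOM_POLICY = [Policy(1, "port15", "port3", OFFICE_HOURS)]
EDITED_ALWAYS_POLICY = [Policy(1, "port15", "port3", EDITED_ALWAYS)]
DEFAULT_ALWAYS_POLICY = [Policy(1, "port15", "port3", ALWAYS)]

if __name__ == "__main__":
    # 2024-06-03 is a Monday and 2024-06-08 a Saturday.
    for label, policies, ts in [
        ("custom schedule, Monday 10:00", CUSTOM_POLICY, "2024-06-03T10:00:00"),
        ("custom schedule, Monday 20:00", CUSTOM_POLICY, "2024-06-03T20:00:00"),
        ("edited 'always', Saturday 10:00", EDITED_ALWAYS_POLICY, "2024-06-08T10:00:00"),
        ("stock 'always', Saturday 10:00", DEFAULT_ALWAYS_POLICY, "2024-06-08T10:00:00"),
    ]:
        print(f"{label}: matched policy {check(policies, 'port15', 'port3', ts)}")
```

Running the block prints policy 1 for the weekday office-hours request and 0 (the implicit deny) for the evening request and for the weekend request against the edited 'always' schedule, while the stock 'always' schedule still matches on Saturday. The same comparison of the packet's timestamp against the schedule's day list and start/end times is what to do by hand when the debug flow ends in policy 0.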

Related article:

Technical Tip: Configuring a Schedule Firewall policy expiration