anderson_yee (Staff)
Article Id 308471
Description This article describes the troubleshooting steps to follow when 'Policy is not active' appears in the FortiOS debug flow output.
Scope FortiGate.
Solution

Sample debug flow output when the issue is happening:

[Image: Screenshot 2024-04-05 104918.png (debug flow output)]

Policy 2 is enabled; however, the traffic in question does not match the expected policy and is dropped by the implicit deny policy:

[Image: policy.png (policy 2 shown as enabled)]

Note:

'Policy is not active' error logs are typically associated with a schedule misconfiguration under the firewall policy.

By default, the recurring schedule 'always' is set to all days of the week and all hours of the day.

[Image: 1c.PNG (default 'always' recurring schedule)]

In this case, under Policy & Objects -> Schedules, the recurring schedule 'always' applied to policy 2 is misconfigured: no days are checked.

[Image: schedule.png ('always' schedule with no days checked)]

The issue is resolved once the schedule applied to the firewall policy is properly configured. In this case, check all the days under the 'always' recurring schedule for the policy to take effect.

[Image: schedule2.png ('always' schedule with all days checked)]

After the change, the 'policy is not active' error no longer appears in the debug flow, and it is possible to verify that the traffic matches policy 2 as expected.

[Image: debug flow.png (debug flow output after the fix)]

If the schedule specifies a particular time of day, make sure that window matches the time at which the policy is expected to work, evaluated in the time zone configured in the FortiGate system settings; a window defined with the administrator's local time in mind will not be active at the expected moment if the FortiGate clock is set to a different zone.
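
The schedule logic above, as an added illustration written for this article (it is not FortiOS code and does not reproduce Fortinet's implementation): a recurring schedule is modelled as a set of weekdays plus a start/end time, a policy is reported as 'policy is not active' when its schedule does not cover the current moment, and the current moment is converted to the FortiGate's configured time zone before the check. The time zone (UTC+8), the 'office-hours' schedule and the policy numbers are constructed for the demo.

```python
"""Added example (not FortiOS code): why an 'always' schedule with no days
checked yields 'policy is not active', and why a time-of-day window has to be
read in the FortiGate's own time zone."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Dict, FrozenSet, List

# Monday=0 .. Sunday=6, matching datetime.weekday()
ALL_DAYS: FrozenSet[int] = frozenset(range(7))
WEEKDAYS: FrozenSet[int] = frozenset(range(5))


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[int]        # days of the week that are checked in the schedule
    start: time = time(0, 0)    # window start, inclusive
    end: time = time(23, 59)    # window end, inclusive

    def problems(self) -> List[str]:
        """Static checks to run on the schedule before blaming the policy."""
        issues = []
        if not self.days:
            issues.append(f"schedule '{self.name}' has no days checked; it can never be active")
        if self.end < self.start:
            issues.append(f"schedule '{self.name}' ends before it starts")
        return issues

    def is_active(self, local_now: datetime) -> bool:
        """local_now must already be expressed in the FortiGate's time zone."""
        if local_now.weekday() not in self.days:
            return False
        return self.start <= local_now.time() <= self.end


@dataclass(frozen=True)
class FirewallPolicy:
    policy_id: int
    enabled: bool
    schedule: RecurringSchedule


def policy_status(policy: FirewallPolicy, instant: datetime, fortigate_tz: timezone) -> str:
    """Return the state the debug flow would report for this policy at `instant`.

    `instant` is any timezone-aware datetime; it is converted to the zone the
    FortiGate is configured with before the schedule is consulted, because the
    schedule window is interpreted in that zone, not the administrator's.
    """
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware")
    if not policy.enabled:
        return "policy disabled"
    local_now = instant.astimezone(fortigate_tz)
    if not policy.schedule.is_active(local_now):
        return "policy is not active"
    return "active"


# Constructed scenario mirroring the article: policy 2 with an 'always' schedule.
SGT = timezone(timedelta(hours=8))  # assumed FortiGate time zone for the demo
ALWAYS_DEFAULT = RecurringSchedule("always", ALL_DAYS)
ALWAYS_BROKEN = RecurringSchedule("always", frozenset())  # no days checked
OFFICE_HOURS = RecurringSchedule("office-hours", WEEKDAYS, time(9, 0), time(17, 0))


def demo() -> Dict[str, object]:
    """Evaluate the constructed policies at Friday 2024-04-05 16:30 UTC+8."""
    now = datetime(2024, 4, 5, 16, 30, tzinfo=SGT)
    return {
        "always-default": policy_status(FirewallPolicy(2, True, ALWAYS_DEFAULT), now, SGT),
        "always-no-days": policy_status(FirewallPolicy(2, True, ALWAYS_BROKEN), now, SGT),
        "office-hours-sgt": policy_status(FirewallPolicy(2, True, OFFICE_HOURS), now, SGT),
        # Same instant, but the FortiGate clock is set to UTC: 16:30 UTC+8 is
        # 08:30 UTC, outside the 09:00-17:00 window, so the policy is not active.
        "office-hours-utc": policy_status(FirewallPolicy(2, True, OFFICE_HOURS), now, timezone.utc),
        "broken-problems": ALWAYS_BROKEN.problems(),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The 'office-hours-utc' case is the time-zone trap: the policy and schedule are both correct on paper, yet the debug flow reports the policy as not active because the FortiGate evaluates the window in its own configured zone.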

 

For policy-based NGFW mode:

In policy-based NGFW mode, the schedule option is configured under 'Security Policies'. If the schedule is misconfigured, the flow debug shows the traffic being allowed by the 'SSL Inspection & Authentication' policy, because 'SSL Inspection & Authentication' policies have no schedule or action options; traffic matching such a policy is always redirected to the IPS engine.

 

In this case, PME debugging is required to verify the security policy match, as explained in the KB article 'Technical Tip: Basic command for investigating firewall policy based mode traffic'.

In the PME debug output, the entry reads 'static match not passed' and the session is dropped with logs like the following if the schedule is misconfigured:

PME[353751/0] policy 438: static match not passed
.
.
PME[353751/0] session was created
PME[353751/0] policies 0 {
}
PME[353751/0] match: app=none url=-1 UNKNOWN
PME[353751/0] [IMPLICIT BLOCK-ALL]
PME[353751/0] [DECISION MADE] DROP_SESSION
PME[353751/0] policy=4294967295 action=5 log_traffic=1 isdb_src/dst=0/0
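
A small parser for the PME lines quoted above, added here as an example and not part of the article or of any Fortinet tool: it groups the lines by session id, records which policy failed the static match, whether the implicit block-all rule was hit, and the final verdict, then turns that into the hint an operator wants (check the schedule on that policy). The only input is the sample constructed from the lines shown in this article; the line formats it recognises are exactly those lines, and any other format is an assumption.

```python
"""Added example (not Fortinet code): parse PME debug lines into a per-session
verdict so a capture can be triaged without reading it by hand."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PME_LINE = re.compile(r"^PME\[(?P<sess>\d+)/(?P<sub>\d+)\]\s+(?P<msg>.*)$")
STATIC_FAIL = re.compile(r"^policy (?P<pid>\d+): static match not passed$")
CANDIDATES = re.compile(r"^policies (?P<count>\d+) \{$")
DECISION = re.compile(r"^\[DECISION MADE\]\s+(?P<verdict>\S+)$")
FINAL = re.compile(r"^policy=(?P<pid>\d+)\s+action=(?P<action>\d+)")

# 0xFFFFFFFF is the policy id printed on the final line when no configured policy matched
IMPLICIT_POLICY_ID = 4294967295


@dataclass
class PmeVerdict:
    session: str
    static_failed: List[int] = field(default_factory=list)  # policies rejected before matching
    candidates: Optional[int] = None                        # size of the remaining policy set
    implicit_block: bool = False
    decision: Optional[str] = None
    final_policy: Optional[int] = None
    final_action: Optional[int] = None


def parse_pme(lines) -> Dict[str, PmeVerdict]:
    """Group PME lines by session id. Lines that are not PME output (for example
    the '.' elision marks in the article, or the closing '}') are ignored."""
    verdicts: Dict[str, PmeVerdict] = {}
    for raw in lines:
        m = PME_LINE.match(raw.strip())
        if not m:
            continue
        v = verdicts.setdefault(m["sess"], PmeVerdict(m["sess"]))
        msg = m["msg"]
        sf = STATIC_FAIL.match(msg)
        if sf:
            v.static_failed.append(int(sf["pid"]))
            continue
        c = CANDIDATES.match(msg)
        if c:
            v.candidates = int(c["count"])
            continue
        if msg == "[IMPLICIT BLOCK-ALL]":
            v.implicit_block = True
            continue
        d = DECISION.match(msg)
        if d:
            v.decision = d["verdict"]
            continue
        fl = FINAL.match(msg)
        if fl:
            v.final_policy = int(fl["pid"])
            v.final_action = int(fl["action"])
    return verdicts


def diagnose(v: PmeVerdict) -> str:
    """Turn one session's verdict into an actionable hint."""
    if v.static_failed and v.implicit_block and v.final_policy == IMPLICIT_POLICY_ID:
        ids = ", ".join(str(p) for p in v.static_failed)
        return (f"session {v.session}: policy {ids} failed the static match and no other "
                f"policy matched; dropped by implicit block-all. Check the schedule "
                f"(days and time window, in the FortiGate time zone) on policy {ids}.")
    if v.decision == "DROP_SESSION":
        return f"session {v.session}: dropped by policy {v.final_policy}"
    return f"session {v.session}: {v.decision or 'no decision recorded'}"


# Constructed sample: the lines quoted in the article, elided part kept as '.'
SAMPLE = """PME[353751/0] policy 438: static match not passed
.
.
PME[353751/0] session was created
PME[353751/0] policies 0 {
}
PME[353751/0] match: app=none url=-1 UNKNOWN
PME[353751/0] [IMPLICIT BLOCK-ALL]
PME[353751/0] [DECISION MADE] DROP_SESSION
PME[353751/0] policy=4294967295 action=5 log_traffic=1 isdb_src/dst=0/0
""".splitlines()

if __name__ == "__main__":
    for verdict in parse_pme(SAMPLE).values():
        print(diagnose(verdict))
```

Run it against a larger capture (one PME line per input line) and every session that ended at the implicit block-all with a preceding 'static match not passed' is reported with the policy id to inspect; sessions that matched a real policy fall through to the plain decision line.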