anderson_yee
Staff
Article Id 308471
Description: This article describes the troubleshooting steps when 'Policy is not active' is showing in the FortiOS debug flow.
Scope: FortiGate.
Solution

Sample debug flow output when the issue is happening:


Screenshot 2024-04-05 104918.png


Policy 2 is enabled; however, the desired traffic does not match the expected policy and is dropped by the implicit deny policy:


policy.png


Note:

'Policy is not active' error logs are typically associated with a schedule misconfiguration in the firewall policy.

By default, the recurring schedule 'always' is set to all days (every day of the week) and all day (every time of the day).


1c.PNG




In this case, under Policy & Objects -> Schedules, the recurring schedule applied to policy 2 ('always') is misconfigured: no days are checked.


schedule.png


The issue should be resolved once the schedule applied to the firewall policy is properly configured. In this case, check all the days under the 'always' recurring schedule for the policy to take effect.


schedule2.png


After the change, the 'policy is not active' error no longer appears in the debug flow. It is possible to verify that the traffic matches policy 2 as expected.


debug flow.png

If the schedule specifies a time of day, make sure it matches the time at which the policy is expected to work, based on the time zone set in the FortiGate settings.
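
The misconfiguration described above (a recurring schedule with no days checked, applied to an enabled policy) can also be found by auditing a configuration backup offline. The following is an added example, not part of the original article or Fortinet tooling: the function names and the sample configuration are constructed, and it assumes a flat `show`-style text backup in which an empty day selection appears as `set day none` or as a missing `set day` line.

```python
# Constructed sample in FortiOS "show" style; not taken from the article.
SAMPLE_CONFIG = '''\
config firewall schedule recurring
    edit "always"
        set day none
    next
    edit "office-hours"
        set day monday tuesday wednesday thursday friday
    next
end
config firewall policy
    edit 1
        set schedule "office-hours"
    next
    edit 2
        set schedule "always"
    next
end
'''

def parse_table(config, table):
    """Return {entry_id: {option: value}} for one flat 'config <table>' block."""
    entries, current, inside = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"config {table}":
            inside = True
        elif inside and line == "end" and current is None:
            break  # end of the table we were asked for
        elif inside and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif inside and line == "next":
            current = None
        elif inside and current is not None and line.startswith("set "):
            _, key, *value = line.split(None, 2)
            current[key] = value[0].strip('"') if value else ""
    return entries

def policies_with_empty_schedule(config):
    """List (policy_id, schedule) pairs whose recurring schedule selects no days."""
    schedules = parse_table(config, "firewall schedule recurring")
    # Assumption: 'set day none' or a missing 'set day' line means no days checked.
    empty = {n for n, o in schedules.items() if o.get("day", "none") == "none"}
    policies = parse_table(config, "firewall policy")
    return [(p, o["schedule"]) for p, o in policies.items() if o.get("schedule") in empty]

if __name__ == "__main__":
    for pid, sched in policies_with_empty_schedule(SAMPLE_CONFIG):
        print(f"policy {pid}: schedule '{sched}' has no days selected")
```

Policies reported here are the ones that would show 'Policy is not active' in the debug flow for this reason; a schedule with a restricted time window still needs the time zone check described above.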