FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
MigenaM
Staff
Article Id 418578
Description This article describes a scenario where all the traffic hitting a specific firewall policy is dropped by the Implicit Deny policy (ID 0) when an email filter profile is enabled on that policy.
Scope FortiGate, Email Filter.
Solution

It is possible that the traffic is dropped by the Implicit Deny policy (ID 0) instead of matching the firewall policy created specifically for this traffic.

The firewall policy will look as shown below:

config firewall policy
    edit 1
        set name "Port3_to_internet"
        set uuid f547bc88-af22-51f0-5880-56805a8200a9
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set profile-type group
        set profile-group "Security-Profile-Proxy"
        set logtraffic all
        set nat enable
    next
end

The firewall policy is in proxy inspection mode. The security profiles are in proxy mode as well and are part of a profile group:

config firewall profile-group
    edit "Security-Profile-Proxy"
        set av-profile "Proxy-Antivirus"
        set webfilter-profile "Proxy-WebFilter"
        set dnsfilter-profile "Proxy-DNS"
        set emailfilter-profile "Proxy-Email-Filter"
        set ips-sensor "Proxy-IPS"
        set application-list "Proxy-Application"
        set waf-profile "Proxy-WebApplicationFirewall"
    next
end

The logs will show as follows:

[Screenshot: Implicit Deny.png]

The Log Details will show the traffic denied with Threat 131,072.
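
As an added example (not part of the Fortinet article), the following Python script triages FortiGate forward-traffic log lines and flags denies attributed to policy 0 that also carry a threat code, grouped by interface pair, so the accept policy covering that pair and its security profile group can be reviewed. The log lines are constructed; mapping the "Threat 131,072" shown in Log Details to the raw-log field craction=131072 is an assumption.

```python
import re
from collections import Counter

# Constructed sample FortiGate forward-traffic log lines (key=value format);
# not taken from the article. Two are implicit denies carrying a threat code,
# one is an ordinary accept, one is a plain implicit deny without a threat code.
SAMPLE_LOGS = """\
date=2025-01-10 time=10:01:02 type="traffic" subtype="forward" srcip=10.3.0.5 srcintf="port3" dstip=203.0.113.10 dstintf="port1" service="HTTPS" action="deny" policyid=0 policytype="policy" crscore=30 craction=131072 crlevel="high"
date=2025-01-10 time=10:01:05 type="traffic" subtype="forward" srcip=10.3.0.6 srcintf="port3" dstip=203.0.113.20 dstintf="port1" service="HTTP" action="deny" policyid=0 policytype="policy" crscore=30 craction=131072 crlevel="high"
date=2025-01-10 time=10:01:09 type="traffic" subtype="forward" srcip=10.3.0.7 srcintf="port3" dstip=203.0.113.30 dstintf="port1" service="HTTPS" action="accept" policyid=1 policytype="policy"
date=2025-01-10 time=10:02:00 type="traffic" subtype="forward" srcip=10.9.0.2 srcintf="port5" dstip=203.0.113.40 dstintf="port1" service="SSH" action="deny" policyid=0 policytype="policy"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one FortiGate log line into a dict of string fields."""
    return {key: bare if bare else quoted for key, quoted, bare in _KV.findall(line)}


def find_utm_implicit_denies(log_text, threat_code="131072"):
    """Return forward-traffic denies attributed to the implicit policy (ID 0)
    that carry a threat code. Assumption: the 'Threat 131,072' value shown in
    the GUI Log Details corresponds to the craction field of the raw log."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_log_line(raw)
        if (rec.get("type") == "traffic" and rec.get("action") == "deny"
                and rec.get("policyid") == "0" and rec.get("craction") == threat_code):
            hits.append(rec)
    return hits


def summarize_by_interface(events):
    """Count flagged denies per (srcintf, dstintf) pair; each pair points at the
    accept policy whose security profile group should be reviewed."""
    return dict(Counter((e["srcintf"], e["dstintf"]) for e in events))


if __name__ == "__main__":
    flagged = find_utm_implicit_denies(SAMPLE_LOGS)
    for (src, dst), n in summarize_by_interface(flagged).items():
        print(f"{src} -> {dst}: {n} deny(s) by policy 0 carrying threat 131072")
```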

If the security profile group is removed from the firewall policy, the traffic will start passing:

[Screenshot: No security Profiles.png]

In such cases, remove the security profiles from the policy one at a time to identify which one is causing the traffic drop.

In this scenario, the security profile that blocks the traffic is the email filter profile:

 

config emailfilter profile
    edit "Proxy-Email-Filter"
        set comment "Malware and phishing URL filtering."
        set feature-set proxy
        set external enable
    next
end

As seen in this configuration, the following option is enabled:

set external enable

By default, this option is disabled. It enables or disables external email inspection; if no email server is configured in the infrastructure, it is recommended to leave it disabled.

As soon as the option is set back to its default value (disable), the traffic will be allowed again.
