Description
This article describes how to identify why traffic is dropped when the debug flow output reports 'policy-4294967295 is not active'.
Scope
FortiGate.
Solution
When traffic is dropped with 'Denied by forward policy check', collect the debug flow output (diagnose debug flow). In the iprope forward-policy check, the trace shows 'gnum-100004 policy-4294967295 is not active', the configured policies are skipped rather than matched, and the packet falls through to the implicit deny policy (policy-0):
FGT-400F-Prim # id=65308 trace_id=1 func=print_pkt_detail line=5870 msg="vd-root:0 received a packet(proto=1, 10.64.18.84:6->4.2.2.2:2048) tun_id=0.0.0.0 from port9. type=8, code=0, id=6, seq=0."
id=65308 trace_id=1 func=init_ip_session_common line=6055 msg="allocate a new session-00007a0e"
id=65308 trace_id=1 func=iprope_dnat_check line=5281 msg="in-[port9], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=1 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1991 msg="find a route: flag=00000000 gw-10.5.31.254 via port5"
id=65308 trace_id=1 func=iprope_fwd_check line=768 msg="in-[port9], out-[port5], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=3, len=3"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-4294967295 is not active"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-100 is not active"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2251 msg="policy-0 is matched, act-drop"
id=65308 trace_id=1 func=iprope_fwd_check line=805 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=1 func=iprope_fwd_auth_check line=824 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=1 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
This is seen when the schedule assigned to the firewall policy is not active on the day the traffic arrives. A policy whose schedule is not active is skipped as 'not active' instead of being evaluated, so the traffic falls through to the implicit deny policy (policy-0) and is dropped.
In the example below, the recurring schedule 'always' (which by default covers all seven days) has been limited to two days, so every policy using it is inactive on the other five. Adding the missing days back to the schedule, or assigning the policy a schedule that covers the required days, restores the match.
config firewall schedule recurring
edit "always"
set day thursday friday
next
end
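The following is an added example, not part of the Fortinet article: a small Python helper that summarises the iprope stage of a debug flow trace (which policies were skipped as 'not active', which policy matched and with what action) and checks whether a recurring schedule is active on a given date. The trace and schedule lines embedded in it are copied from the article above; the date check is a simplification that looks only at the day of week and ignores the schedule's start/end time.

```python
import re
from datetime import date

# Debug flow lines copied from the article (iprope forward-policy stage only).
TRACE = """\
id=65308 trace_id=1 func=iprope_fwd_check line=768 msg="in-[port9], out-[port5], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=1 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=3, len=3"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-4294967295 is not active"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2256 msg="gnum-100004 policy-100 is not active"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=1 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=1 func=__iprope_check_one_policy line=2251 msg="policy-0 is matched, act-drop"
id=65308 trace_id=1 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
"""

# Recurring schedule copied from the article: 'always' reduced to two days.
SCHEDULE_CONFIG = """\
config firewall schedule recurring
    edit "always"
        set day thursday friday
    next
end
"""

MSG_RE = re.compile(r'msg="(?P<msg>[^"]*)"')
INACTIVE_RE = re.compile(r'gnum-(?P<gnum>\d+) policy-(?P<pid>\d+) is not active')
MATCHED_RE = re.compile(r'policy-(?P<pid>\d+) is matched, act-(?P<act>\w+)')
DENIED_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')


def parse_debug_flow(trace):
    """Summarise the forward-policy stage of a debug flow trace.

    Returns the policy IDs skipped as 'not active' (in order), the policy
    that finally matched with its action, and the policy named in the
    'Denied by forward policy check' line, if any.
    """
    result = {"inactive": [], "matched": None, "action": None, "denied_by": None}
    for line in trace.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        hit = INACTIVE_RE.search(msg)
        if hit:
            result["inactive"].append(int(hit.group("pid")))
            continue
        hit = MATCHED_RE.search(msg)
        if hit:
            result["matched"] = int(hit.group("pid"))
            result["action"] = hit.group("act")
            continue
        hit = DENIED_RE.search(msg)
        if hit:
            result["denied_by"] = int(hit.group("pid"))
    return result


# Index matches datetime.date.weekday(): Monday == 0 ... Sunday == 6.
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_recurring_schedules(config):
    """Return {schedule_name: set(day names)} from 'config firewall schedule recurring'."""
    schedules, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line[len("edit "):].strip().strip('"')
            schedules[current] = set()
        elif line.startswith("set day ") and current is not None:
            schedules[current].update(line[len("set day "):].split())
        elif line == "next":
            current = None
    return schedules


def schedule_active_on(days, iso_date):
    """True if a recurring schedule with these days covers the given YYYY-MM-DD.

    Simplification: only the day of week is checked; start/end times are ignored.
    """
    return DAYS[date.fromisoformat(iso_date).weekday()] in days


if __name__ == "__main__":
    flow = parse_debug_flow(TRACE)
    print("skipped as not active:", flow["inactive"])
    print("matched policy:", flow["matched"], "action:", flow["action"])
    sched = parse_recurring_schedules(SCHEDULE_CONFIG)
    for name, days in sched.items():
        print(name, "covers", sorted(days, key=DAYS.index))
        print("  active on Monday 2024-01-01:", schedule_active_on(days, "2024-01-01"))
        print("  active on Thursday 2024-01-04:", schedule_active_on(days, "2024-01-04"))
```

Run against the article's trace, the helper reports that policies 4294967295 and 100 were skipped as inactive and that policy-0 matched with act-drop; against the article's schedule it shows 'always' covering only Thursday and Friday, so traffic seen on a Monday cannot match any policy that uses it.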