Description | This article describes a case where network connections fail even though a firewall policy has been configured to allow the traffic. |
Scope | FortiGate. |
Solution |
In the following scenario, a firewall policy has been configured to allow all traffic from Internal to Public Internet:
However, the users complain that they cannot access the Internet and that the computer host cannot resolve any domain:
The users indicated that pinging the DNS server is possible:
To further identify the root cause, the following debug commands were run on the FortiGate to check on the traffic flow:
diagnose debug flow filter addr <user_IP>
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 200
diagnose debug enable
The output from the debug log indicates that the traffic for ping (ICMP) matches Policy 3 and traffic has been processed accordingly:
However, the debug log for DNS traffic indicates that the traffic is being dropped due to an implicit deny policy:
Based on the firewall policy, the respective traffic should be allowed. In this case, it is advised to review the following:
In the above scenario, the protocol number has been changed from 0 to 1, and as a result, only traffic with protocol number 1 (ICMP) is allowed. The FortiGate denies traffic with any other protocol number because it fails to match the firewall policy condition. To resolve this issue, change the protocol number back to 0 (ALL):
With the respective changes, the user can resolve the domain name and the debug flow shows that the traffic for the DNS query has been permitted by firewall policy 3:
Refer to the documentation for more details. |
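The comparison made above between the ICMP and DNS traces can be automated when a capture runs to hundreds of lines. The following is an added example, not part of the original article or Fortinet tooling: it groups debug flow lines by trace_id and reports source/destination pairs where one IP protocol is allowed by a policy while another falls through to implicit deny (policy 0). The function names, the sample trace and the exact message formats it matches are assumptions modeled on typical debug flow output.

```python
import re
from collections import defaultdict

# Constructed sample modeled on typical "diagnose debug flow" output (an assumption,
# not output taken from the article). Addresses are test/documentation values.
SAMPLE_TRACE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 10.1.1.10:1->192.0.2.53:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=17, 10.1.1.10:54321->192.0.2.53:53) from port2."
id=20085 trace_id=2 func=fw_forward_handler line=614 msg="Denied by forward policy check (policy 0)"
'''

PKT = re.compile(r'trace_id=(\d+) .*received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):(\d+)\)')
ALLOW = re.compile(r'trace_id=(\d+) .*Allowed by Policy-(\d+)')
DENY = re.compile(r'trace_id=(\d+) .*Denied by forward policy check \(policy (\d+)\)')

def verdicts(trace):
    """Return one dict per traced packet: proto, src, dst, dport, action, policy."""
    pkts = {}
    for line in trace.splitlines():
        if m := PKT.search(line):
            tid, proto, src, dst, dport = m.groups()
            pkts[tid] = dict(proto=int(proto), src=src, dst=dst,
                             dport=int(dport), action=None, policy=None)
        elif (m := ALLOW.search(line)) and m.group(1) in pkts:
            pkts[m.group(1)].update(action="allow", policy=int(m.group(2)))
        elif (m := DENY.search(line)) and m.group(1) in pkts:
            pkts[m.group(1)].update(action="deny", policy=int(m.group(2)))
    return list(pkts.values())

def protocol_mismatch(trace):
    """Flag (src, dst) pairs where one IP protocol is allowed by a policy while
    another hits implicit deny (policy 0): the symptom the article describes."""
    by_pair = defaultdict(lambda: {"allow": {}, "deny": set()})
    for v in verdicts(trace):
        pair = by_pair[(v["src"], v["dst"])]
        if v["action"] == "allow":
            pair["allow"][v["proto"]] = v["policy"]   # proto -> matching policy ID
        elif v["action"] == "deny" and v["policy"] == 0:
            pair["deny"].add(v["proto"])
    return [{"src": s, "dst": d, "allowed": p["allow"],
             "implicitly_denied": sorted(p["deny"] - set(p["allow"]))}
            for (s, d), p in by_pair.items() if p["allow"] and p["deny"] - set(p["allow"])]

if __name__ == "__main__":
    for hit in protocol_mismatch(SAMPLE_TRACE):
        print(hit)
```

A hit such as protocol 1 allowed by policy 3 with protocol 17 implicitly denied for the same pair points at the protocol number used by the policy rather than at routing or addressing.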