|
This feature was introduced in FortiOS version 7.0.
Refer to Technical Tip: Virtual IP VIP port forwarding configuration to review the VIP configuration.
If 'Denied by forward policy check (policy 0)' appears in debug flow, even when a firewall policy has already been created for this respective traffic, check via CLI if there is a 'srcintf-filter' configured under 'config firewall vip' for the respective VIP entry.
Sample:
config firewall vip
edit "vip_1"
set extip 10.255.200.19
set mappedip "192.168.200.19"
set extintf "wan1"
set srcintf-filter "port1"
next
end
The sample above shows that the interface configured for 'set extintf' and 'set srcintf-filter' are not the same.
As mentioned in Technical Tip: Firewall VIP-difference in 'srcintf-filter' and 'extintf', in most deployments, srcintf-filter should be the same as extintf if a specific extintf was chosen. When extintf is 'any', srcintf-filter can be used to restrict interfaces that will be checked for Destination NAT using the Virtual IP.
To resolve this issue, execute the 'unset srcintf-filter' command or make sure that the interface configured in 'set srcintf-filter' is the same as the interface configured in 'set extintf'.
For the sample above, either execute 'unset srcintf-filter' or 'set srcintf-filter "wan1"' for the VIP entry.
After the change, check if traffic is now passing through. If there is still an issue, contact Fortinet TAC support.
Related articles:
Troubleshooting Tip: VIP configured for allowing a specific service is getting denied by a forward p...
Technical Tip: Limiting VIP access from specific sources
|
