Description: This article describes what to do when a VIP on FortiGate is configured to filter on a specific source interface and the traffic is denied by the forward policy check.
Scope: FortiGate.
Solution:
This feature was introduced in FortiOS version 7.0.
Refer to Technical Tip: Virtual IP VIP port forwarding configuration to review the VIP configuration. If 'Denied by forward policy check (policy 0)' appears in debug flow, even when a firewall policy has already been created for this respective traffic, check via CLI if there is a 'srcintf-filter' configured under 'config firewall vip' for the respective VIP entry.
Sample:

```
config firewall vip
    edit "vip_1"
        set extip 10.255.200.19
        set mappedip "192.168.200.19"
        set extintf "wan1"
        set srcintf-filter "port1"
    next
end
```
The sample above shows that the interfaces configured for 'set extintf' and 'set srcintf-filter' are not the same. As mentioned in Technical Tip: Firewall VIP-difference in 'srcintf-filter' and 'extintf', in most deployments srcintf-filter should be the same as extintf when a specific extintf is chosen. When extintf is 'any', srcintf-filter can be used to restrict the interfaces that will be checked for Destination NAT using the Virtual IP.
To resolve this issue, execute the 'unset srcintf-filter' command or make sure that the interface configured in 'set srcintf-filter' is the same as the interface configured in 'set extintf'. For the sample above, either execute 'unset srcintf-filter' or 'set srcintf-filter "wan1"' for the VIP entry.
After the change, check if traffic is now passing through. If there is still an issue, contact Fortinet TAC support.
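As an added example (not Fortinet's or this article's own tooling), the following Python script parses the text of 'show firewall vip' and flags entries where a specific extintf is set but srcintf-filter names a different interface, which is the mismatch that produces the 'Denied by forward policy check (policy 0)' result above. The configuration text and interface names are constructed for the example.

```python
"""Audit FortiOS VIP entries for an extintf / srcintf-filter mismatch."""
import re

# Constructed sample of 'show firewall vip' output (hypothetical entries).
SAMPLE_CONFIG = """
config firewall vip
    edit "vip_1"
        set extip 10.255.200.19
        set mappedip "192.168.200.19"
        set extintf "wan1"
        set srcintf-filter "port1"
    next
    edit "vip_2"
        set extip 10.255.200.20
        set mappedip "192.168.200.20"
        set extintf "any"
        set srcintf-filter "wan1" "wan2"
    next
    edit "vip_3"
        set extip 10.255.200.21
        set mappedip "192.168.200.21"
        set extintf "wan1"
        set srcintf-filter "wan1"
    next
end
"""


def parse_vips(text):
    """Return {vip_name: {setting: [values]}} for every 'edit ... next' block."""
    vips = {}
    for name, body in re.findall(r'edit "([^"]+)"\n(.*?)\n\s*next', text, re.S):
        settings = {}
        for key, raw in re.findall(r'set (\S+) (.*)', body):
            # Values are whitespace separated and may be quoted: "wan1" "wan2"
            settings[key] = [v.strip('"') for v in raw.split()]
        vips[name] = settings
    return vips


def find_mismatches(vips):
    """Return (name, extintf, srcintf_filter) for entries needing attention.

    An entry is flagged when a specific extintf is set and srcintf-filter
    names a different interface. With extintf 'any', srcintf-filter is a
    legitimate restriction and is not flagged. An absent extintf is treated
    as 'any' (assumption about the default).
    """
    findings = []
    for name, s in vips.items():
        extintf = s.get("extintf", ["any"])[0]
        filt = s.get("srcintf-filter", [])
        if extintf != "any" and filt and filt != [extintf]:
            findings.append((name, extintf, filt))
    return findings
```

For each flagged entry the fix is the one described above: 'unset srcintf-filter' or set it to the same interface as extintf.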
Copyright 2025 Fortinet, Inc. All Rights Reserved.