FortiGate
candawi
Staff
Article Id 389014
Description This article describes what to do when a VIP on FortiGate is configured to filter on a specific source interface and the traffic is denied by a forward policy check.
Scope FortiGate.
Solution

This feature was introduced in FortiOS version 7.0.


Refer to Technical Tip: Virtual IP VIP port forwarding configuration to review the VIP configuration.

If 'Denied by forward policy check (policy 0)' appears in the debug flow output even though a firewall policy already exists for this traffic, check via the CLI whether a 'srcintf-filter' is configured under 'config firewall vip' for the respective VIP entry.


Sample:


config firewall vip
    edit "vip_1"
        set extip 10.255.200.19
        set mappedip "192.168.200.19"
        set extintf "wan1"
        set srcintf-filter "port1"
    next
end


In the sample above, the interface configured with 'set extintf' (wan1) and the interface configured with 'set srcintf-filter' (port1) are not the same.

As mentioned in Technical Tip: Firewall VIP - difference in 'srcintf-filter' and 'extintf', in most deployments srcintf-filter should match extintf when a specific extintf is chosen. When extintf is 'any', srcintf-filter can be used to restrict the interfaces on which Destination NAT through the Virtual IP is evaluated.


To resolve the issue, either run 'unset srcintf-filter' or make sure the interface configured in 'set srcintf-filter' is the same as the interface configured in 'set extintf'.

For the sample above, run either 'unset srcintf-filter' or 'set srcintf-filter "wan1"' under the VIP entry.
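The check described above can be automated across all VIP entries so that a mismatch is caught before it shows up as 'Denied by forward policy check (policy 0)'. The following Python script is an added example, not Fortinet code: it parses text in the shape of 'show firewall vip' output (the sample below is constructed for this example and assumes that an entry without 'set extintf' defaults to 'any'), flags entries whose srcintf-filter does not match a specific extintf, and prints the corresponding 'unset srcintf-filter' remediation.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of 'show firewall vip' output.
# vip_1 reproduces the mismatch from the article; vip_2 is consistent;
# vip_3 uses extintf 'any', where srcintf-filter is a legitimate restriction.
SAMPLE_VIP_CONFIG = """\
config firewall vip
    edit "vip_1"
        set extip 10.255.200.19
        set mappedip "192.168.200.19"
        set extintf "wan1"
        set srcintf-filter "port1"
    next
    edit "vip_2"
        set extip 10.255.200.20
        set mappedip "192.168.200.20"
        set extintf "wan1"
        set srcintf-filter "wan1"
    next
    edit "vip_3"
        set extip 10.255.200.21
        set mappedip "192.168.200.21"
        set extintf "any"
        set srcintf-filter "wan1" "wan2"
    next
end
"""


def parse_vip_config(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse 'edit ... next' blocks into {vip_name: {setting: [values]}}.

    Values may be quoted or bare; srcintf-filter may list several interfaces.
    """
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        if current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # 'set', key, remaining values
            if len(parts) == 3:
                key, rest = parts[1], parts[2]
                entries[current][key] = [
                    v.strip('"') for v in re.findall(r'"[^"]*"|\S+', rest)
                ]
    return entries


def find_srcintf_mismatches(entries: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Return {vip_name: reason} for entries likely to be denied by policy 0.

    Rule from the article: when extintf is a specific interface, a configured
    srcintf-filter must name that same interface. With extintf 'any' the
    filter is a deliberate restriction and is not flagged.
    Assumption: a missing 'set extintf' means the FortiOS default 'any'.
    """
    findings: Dict[str, str] = {}
    for name, settings in entries.items():
        extintf = settings.get("extintf", ["any"])[0]
        srcfilter = settings.get("srcintf-filter")
        if not srcfilter or extintf == "any":
            continue
        if srcfilter != [extintf]:
            findings[name] = (
                f"extintf '{extintf}' but srcintf-filter {srcfilter}; "
                f"fix: 'unset srcintf-filter' or 'set srcintf-filter \"{extintf}\"'"
            )
    return findings


def remediation_cli(findings: Dict[str, str]) -> str:
    """Build the CLI block that clears srcintf-filter on each flagged VIP."""
    lines = ["config firewall vip"]
    for name in findings:
        lines += [f'    edit "{name}"', "        unset srcintf-filter", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    vips = parse_vip_config(SAMPLE_VIP_CONFIG)
    problems = find_srcintf_mismatches(vips)
    for vip, reason in problems.items():
        print(f"{vip}: {reason}")
    if problems:
        print(remediation_cli(problems))
```

Feed the script the output of 'show firewall vip' taken from the CLI; only entries with a specific extintf and a differing srcintf-filter are reported, so VIPs that intentionally use srcintf-filter together with extintf 'any' are left alone.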


After the change, check whether the traffic now passes. If the issue persists, contact Fortinet TAC support.


Related articles:

Troubleshooting Tip: VIP configured for allowing a specific service is getting denied by a forward p...

Technical Tip: Limiting VIP access from specific sources