This feature was introduced in FortiOS version 7.0.

Refer to Technical Tip: Virtual IP VIP port forwarding configuration to review the VIP configuration.

If  'Denied by forward policy check (policy 0)' appears in debug flow, even when a firewall policy has already been created for this respective traffic, check via CLI if there is a 'srcintf-filter' configured under 'config firewall vip' for the respective VIP entry.

Sample:

config firewall vip

edit "vip_1"

set extip 10.255.200.19

set mappedip "192.168.200.19"

set extintf "wan1"

set srcintf-filter "port1"

next

end

The sample above shows that the interface configured for 'set extintf' and 'set srcintf-filter' are not the same.

As mentioned in Technical Tip: Firewall VIP-difference in 'srcintf-filter' and 'extintf', in most deployments, srcintf-filter should be the same as extintf if a specific extintf was chosen.  When extintf is 'any', srcintf-filter can be used to restrict interfaces that will be checked for Destination NAT using the Virtual IP. 

To resolve this issue, execute the 'unset srcintf-filter' command or make sure that the interface configured in 'set srcintf-filter' is the same as the interface configured in 'set extintf'.

For the sample above, either execute 'unset srcintf-filter' or 'set srcintf-filter "wan1"' for the VIP entry.

After the change, check if traffic is now passing through. If there is still an issue, contact Fortinet TAC support. 

Related articles:

Troubleshooting Tip: VIP configured for allowing a specific service is getting denied by a forward p...

Technical Tip: Limiting VIP access from specific sources