Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rmetzger
Staff
Staff

Created on ‎01-22-2010 05:40 AM Edited on ‎11-26-2024 12:16 AM By Moderator

Article Id 190119

Troubleshooting Tip: Debug flow messages 'iprope_in_check() check failed, drop' - 'Denied by forward policy check' - 'reverse path check fail, drop'

Description

 

This article describes how to fix errors that occur when obtaining a debug flow for connectivity issues.

 

Scope

 

FortiGate.

 

Solution


When troubleshooting connectivity problems to or through a FortiGate with the 'diagnose debug flow' commands, the following messages may appear:

 

  • 'iprope_in_check() check failed, drop'.
  • 'Denied by forward policy check'.
  • 'reverse path check fail, drop'.


See the following article for more details about troubleshooting with the 'diagnose debug flow' command:
Troubleshooting Tip: First steps to troubleshoot connectivity problems through a FortiGate with snif...

 

Possible root causes for 'iprope_in_check() check failed, drop'.

 

  1. When accessing the FortiGate for remote management (ping, telnet, ssh...), the service that is being accessed is not enabled on the interface.


Screenshot 2023-11-21 153737.png

 

Screenshot 2023-11-21 153951.png
For example: Pinging or telnet the DMZ interface FortiGate of a FortiGate, IP address 10.50.50.2, where ping and telnet are not enabled.

id=36870 pri=emergency trace_id=1 msg="vd-root received a packet(proto=1,10.50.50.1:4608->10.50.50.2:8) from dmz."
id=36870 pri=emergency trace_id=1 msg="allocate a new session-0000d5ad"
id=36870 pri=emergency trace_id=1 msg="iprope_in_check() check failed, drop"
id=36870 pri=emergency trace_id=8 msg="vd-root received a packet(proto=6, 10.50.50.1:1160->10.50.50.2:23) from dmz."
id=36870 pri=emergency trace_id=8 msg="allocate a new session-0000d96a"
id=36870 pri=emergency trace_id=8 msg="iprope_in_check() check failed, drop"

 

  1. When accessing the FortiGate for remote management (ping, telnet, ssh...), the service that is being accessed is enabled on the interface but there are trusted hosts configured that do not match the source IP of the incoming packets.

    Example: Pinging the DMZ interface of a FortiGate of IP address 10.50.50.2 from source IP 10.50.50.1 with trusted hosts configured as follows:


    FGT # show system admin admin
        config system admin
            edit "admin"
                set trusthost1 10.20.20.0 255.255.255.0
    [...]

    id=36870 pri=emergency trace_id=26 msg="vd-root received a packet(proto=1, 10.50.50.1:5632->10.50.50.2:8) from dmz."
    id=36870 pri=emergency trace_id=26 msg="allocate a new session-0000da15"
    id=36870 pri=emergency trace_id=26 msg="iprope_in_check() check failed, drop"

     

  2. When accessing a FortiGate interface for remote management (ping, telnet, ssh...) through another interface of this same FortiGate, no firewall policy is present. Example: pinging wan2 at the IP address 10.70.70.1 through DMZ, but there is no firewall policy from DMZ to wan2.

     

  3. Make sure that the remote management is through the customs port, the customs port should be added to the service, the firewall policy should have the service added. 

     
     

    ss1.png

    SS2.png

 

SS3.png

 

id=36870 pri=emergency trace_id=756 msg="vd-root received a packet(proto=1, 10.50.50.1:11264->10.70.70.1:8) from dmz."
id=36870 pri=emergency trace_id=756 msg="allocate a new session-00000220"
id=36870 pri=emergency trace_id=756 msg="iprope_in_check() check failed, drop"

 

If, after validating everything is configured correctly, the 'iprope_in_check() check failed, drop,' error still appears; use the command below to force it to refresh.

 

diagnose firewall iprope flush

 

Disclaimer:

This command is meant to be hidden in the FortiOS CLI, not to be executed when troubleshooting forward traffic (traffic through the FortiGate), only for local traffic (traffic travel from/to the FortiGate). Executing this will cause downtime, therefore use this command as the very last resort.

 

  1. The issue might also be due to the local-in policy which it is possible to verify using show full firewall local-in-policy.

 

Screenshot 2023-11-21 154548.png

 

  1. A VIP parameter must be set as detailed in the Configuration Example: Using VIP (Virtual IP) for Port Translation only.

  2. An improper error can also be thrown if the default admin ports for SSH or HTTPS/HTTP are modified to custom ports and the admin is trying to access on a different port other than the configured custom port.

     

    config system global

        set admin-sport 443   

        set admin-port 80

        set admin-ssh-port 22

    end

The above values shown are the default. Cross-verify whether an attempt is being made to access the correct port.

 

  1. If it is using the interface IP address as the gateway in a policy route (by mistake), FortiGate will try to send it to the gateway IP (which belongs to the FortiGate root VDOM). This will trigger an 'iprope_in_check() check failed, drop' message. Also, If the gateway is set to 0.0.0.0, the FortiGate will look for a route via the same interface in the routing table. In other words, it gives preference to the Interface.

  2. Iprope Check Failure can be observed due to Geo-Location restrictions on SSL VPN settings. When trying SSL VPN from a country not included in the Geo restriction on SSL VPN setting FortiGate, the connection will not be successful. This is because the connection is being attempted from a different region than the one being allowed, and the debug flow will show the 'iprope_in_check() check failed on policy 0, drop' message.

    See this article for more information.

Root causes for 'Denied by forward policy check'.

 
  1. There is no firewall policy matching the traffic that needs to be routed or forwarded by the FortiGate (traffic will hit the Implicit Deny rule).
  2. The traffic matches a DENY firewall policy.
  3. The traffic matches an ALLOW firewall policy, but a DISCLAIMER is enabled. Consequently, traffic will not be accepted unless the end user accepts the HTTP disclaimer proposed by FortiGate while browsing an external site. This is usually encountered on IOT devices that are unable to select the disclaimer 'Yes, I agree' option, causing all access to be denied.


For example (messages are similar for both root causes):

 

id=36870 pri=emergency trace_id=19 msg="vd-root received a packet(proto=1, 10.50.50.1:7680->10.60.60.1:8) from dmz."
id=36870 pri=emergency trace_id=19 msg="allocate a new session-0000007d"
id=36870 pri=emergency trace_id=19 msg="Denied by forward policy check"

 

The root cause for 'reverse path check fail, drop'.

 

This is detailed in the related KB article at the end of this page: 'Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing'.

Related articles:

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...

FortiGate log information : traffic log with firewall policy of 0 (zero) "policyid=0"

Technical Tip: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing

Labels:
169754
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.