FortiProxy
MAQ
Staff
Article Id 418263
Description

This article describes a behavior where FortiProxy receives traffic on the ingress interface, but it does not get passed to the egress interface.

Scope

FortiProxy v7.0.x, v7.2.x, v7.4.x, v7.6.x.

Solution

A policy with a schedule set to 'none' is functionally equivalent to a disabled one. However, when a policy with schedule 'none' exists alongside a webfilter-profile in any other policy, FortiProxy fails to generate its iptables rules, so traffic does not pass through and does not match any policy.

The solution is to not use schedule 'none' in any policy, or to disable the policies that use schedule 'none'. This issue will be resolved in FortiProxy v7.4.12 and FortiProxy v7.6.5.

 

Example:

[Image: FPX policy.png]


Traffic generated from the test machine arrives at the FortiProxy, but does not pass through:

LAB-FortiProxy # diagnose sniffer packet any "host 35.180.176.177" 4 0 l
interfaces=[any]
filters=[host 35.180.176.177]
2025-11-06 16:49:32.166501 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:32.166508 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:36.778463 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:36.778469 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:41.778470 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:41.778480 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:46.767988 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:46.768005 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request


While the issue is happening, refreshing the iptables rules generates an error:

LAB-FortiProxy # diagnose iptables refresh
iptables-restore v1.6.1: Couldn't find match `time-j'
Error occurred at line: 4384
Try `iptables-restore -h' or 'iptables-restore --help' for more information.


Once the schedule is changed from 'none' to any other schedule, run 'diagnose iptables refresh' to force a refresh, or wait for the iptables rules to refresh automatically, which might take a while:

LAB-FortiProxy # diagnose iptables refresh
LAB-FortiProxy #


Verify that traffic is passing through the FortiProxy as expected:

LAB-FortiProxy # diag sniffer packet any "host 35.180.176.177" 4 0 l
interfaces=[any]
filters=[host 35.180.176.177]
2025-11-06 16:58:07.993359 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:07.993376 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:07.993517 Proxy_Out out 192.168.170.10 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:08.007551 port3 in 802.1Q vlan#587 P0 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:08.007557 Proxy_Out in 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:08.007601 Proxy_In out 35.180.176.177 -> 10.101.3.37: icmp: echo reply
2025-11-06 16:58:09.005110 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:09.005126 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:09.005258 Proxy_Out out 192.168.170.10 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:09.019228 port3 in 802.1Q vlan#587 P0 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:09.019233 Proxy_Out in 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:09.019267 Proxy_In out 35.180.176.177 -> 10.101.3.37: icmp: echo reply
2025-11-06 16:58:10.020334 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:10.020350 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:10.020462 Proxy_Out out 192.168.170.10 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:10.034532 port3 in 802.1Q vlan#587 P0 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:10.034537 Proxy_Out in 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:10.034580 Proxy_In out 35.180.176.177 -> 10.101.3.37: icmp: echo reply
2025-11-06 16:58:11.036876 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:11.036880 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:11.036914 Proxy_Out out 192.168.170.10 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:11.050821 port3 in 802.1Q vlan#587 P0 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:11.050835 Proxy_Out in 35.180.176.177 -> 192.168.170.10: icmp: echo reply
2025-11-06 16:58:11.050943 Proxy_In out 35.180.176.177 -> 10.101.3.37: icmp: echo reply
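The difference between the two captures (packets seen on Proxy_In with no matching packet on Proxy_Out) can be checked mechanically when a capture is long. The following Python helper is an added example, not code from the Fortinet article or from FortiProxy: it parses the verbosity-4 'diagnose sniffer packet' lines shown above and reports destinations that arrive on the ingress interface but never leave on the egress interface. The line layout assumed by the regular expression is inferred from the captures above, and the sample captures embedded below are constructed from those lines.

```python
import re
from collections import defaultdict

# Assumed layout of one 'diagnose sniffer packet ... 4' line (inferred from the captures):
#   <date> <time> <iface> <in|out> [802.1Q vlan#N P0] <src> -> <dst>: <proto>: <description>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?:802\.1Q vlan#\d+ P\d+ )?(?P<src>[\d.]+) -> (?P<dst>[\d.]+): (?P<desc>.*)$"
)

def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header and blank lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts

def stalled_flows(text, ingress="Proxy_In", egress="Proxy_Out"):
    """Map destination -> number of packets that entered on `ingress` but were
    never forwarded out of `egress`. A non-empty result is the symptom from the
    article: traffic reaches the proxy but is not passed to the egress interface."""
    seen_in, seen_out = defaultdict(int), defaultdict(int)
    for p in parse_sniffer(text):
        if p["iface"] == ingress and p["dir"] == "in":
            seen_in[p["dst"]] += 1
        elif p["iface"] == egress and p["dir"] == "out":
            seen_out[p["dst"]] += 1
    return {dst: n for dst, n in seen_in.items() if dst not in seen_out}

# Constructed sample (from the failing capture): requests reach Proxy_In, nothing leaves Proxy_Out.
BROKEN = """interfaces=[any]
filters=[host 35.180.176.177]
2025-11-06 16:49:32.166501 port3 in 802.1Q vlan#63 P0 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:32.166508 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:49:36.778469 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
"""

# Constructed sample (from the working capture): the request is forwarded and answered.
HEALTHY = """2025-11-06 16:58:07.993376 Proxy_In in 10.101.3.37 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:07.993517 Proxy_Out out 192.168.170.10 -> 35.180.176.177: icmp: echo request
2025-11-06 16:58:08.007601 Proxy_In out 35.180.176.177 -> 10.101.3.37: icmp: echo reply
"""

if __name__ == "__main__":
    print("stalled (broken):", stalled_flows(BROKEN))    # {'35.180.176.177': 2}
    print("stalled (healthy):", stalled_flows(HEALTHY))  # {}
```

Feed it the text of a longer capture taken with the same filter; any destination it reports is a flow to check against the policy table and the 'diagnose iptables refresh' output.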
