Support Forum
ChrisM589
New Contributor

AWS servers fail to match policy when policy is VPN00xxxx to the external interface

Hi All,

We have a VPN connecting to cloud AWS services. We have created policies to enable traffic from our cloud servers to the internet via our on-prem FortiGate.

However, the traffic fails to hit the policy we have created and instead hits the implicit deny all.

Not sure what is going on here; we are in the process of migrating our on-prem servers to AWS cloud.

I know with AWS we can give them public IPs so they can connect directly to the internet, but we want to maintain some control via our firewall.

The only thing I can think of is that we are using the same connection (our WAN interface) to connect to AWS and the internet. Although when creating the policies you have the option of choosing the interface, so we have AWS-VPN to External.

Any advice or help appreciated.

regards,

Chris.

sjoshi
Staff

Hi,

You can run a debug flow to get more detail about policy matching, and you can also do a policy lookup:

https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/38044/using-the-debug-flow-t...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Firewall-policy-lookups/ta-p/192912

Verify the source and destination addresses used in the policy, along with the services allowed.

Let us know if this helps.
Salon Raj Joshi
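As an added example (not part of this thread and not Fortinet's own tooling), the Python below does the triage the reply describes in a repeatable way: it parses debug-flow output, summarises each trace (ingress interface, egress interface from the route lookup, source/destination/port, and the allow/deny verdict), and compares each trace against the interface, address and service definition of the policy that was expected to match. The sample lines are constructed and only loosely follow the real `diagnose debug flow` message format; the interface names (AWS-VPN, an assumed second tunnel interface AWS-VPN-2, wan1), the addresses, the policy id 12 and the policy definition in `EXPECTED_POLICY` are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# On the FortiGate, output of this shape comes from the debug flow commands the
# linked article describes (real FortiOS CLI, shown for context only):
#   diagnose debug flow filter saddr 10.20.0.15
#   diagnose debug flow show function-name enable
#   diagnose debug flow trace start 10
#   diagnose debug enable
# The lines below are CONSTRUCTED for this example and only loosely follow the
# real message format. Interface names, addresses, session ids and the policy
# id are assumptions. Trace 1 arrives on the tunnel interface the policy names;
# trace 2 arrives on an assumed second tunnel interface and uses a port the
# policy does not allow, so it falls through to the implicit deny (policy 0).
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.20.0.15:51234->93.184.216.34:443) from AWS-VPN. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5914 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=794 msg="Allowed by Policy-12:"
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=6, 10.20.0.15:51235->93.184.216.34:8443) from AWS-VPN-2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5914 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=794 msg="Denied by forward policy check (policy 0)"
"""

# Assumed definition of the policy that was expected to match (hypothetical
# name and values; take the real ones from the FortiGate policy itself).
EXPECTED_POLICY = {
    "name": "AWS-to-Internet",
    "srcintf": "AWS-VPN",
    "dstintf": "wan1",
    "srcaddr": [ipaddress.ip_network("10.20.0.0/16")],
    "dstaddr": [ipaddress.ip_network("0.0.0.0/0")],
    "services": {(6, 80), (6, 443)},  # (IP protocol number, destination port)
}

PKT_RE = re.compile(
    r"trace_id=(?P<trace>\d+) .*received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\).* from (?P<in_if>\S+)\."
)
ROUTE_RE = re.compile(r'trace_id=(?P<trace>\d+) .*find a route: .* via (?P<out_if>\S+)"')
ALLOW_RE = re.compile(r"trace_id=(?P<trace>\d+) .*Allowed by Policy-(?P<policy>\d+)")
DENY_RE = re.compile(r"trace_id=(?P<trace>\d+) .*Denied by forward policy check \(policy (?P<policy>\d+)\)")


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and pull out the fields that decide
    policy matching: 5-tuple, ingress interface, egress interface, verdict."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            flows[m["trace"]].update(
                proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]), in_if=m["in_if"],
            )
        elif m := ROUTE_RE.search(line):
            flows[m["trace"]]["out_if"] = m["out_if"]
        elif m := ALLOW_RE.search(line):
            flows[m["trace"]].update(verdict="allow", policy=int(m["policy"]))
        elif m := DENY_RE.search(line):
            flows[m["trace"]].update(verdict="deny", policy=int(m["policy"]))
    return dict(flows)


def explain_mismatch(flow, expected):
    """Check one parsed trace against every matching criterion of the expected
    policy. Returns the list of criteria that fail (empty means it should match)."""
    reasons = []
    if flow.get("in_if") != expected["srcintf"]:
        reasons.append(f"ingress interface {flow.get('in_if')} != policy srcintf {expected['srcintf']}")
    if flow.get("out_if") != expected["dstintf"]:
        reasons.append(f"egress interface {flow.get('out_if')} != policy dstintf {expected['dstintf']}")
    src = ipaddress.ip_address(flow["src"])
    if not any(src in net for net in expected["srcaddr"]):
        reasons.append(f"source {src} not covered by policy srcaddr")
    dst = ipaddress.ip_address(flow["dst"])
    if not any(dst in net for net in expected["dstaddr"]):
        reasons.append(f"destination {dst} not covered by policy dstaddr")
    if (flow["proto"], flow["dport"]) not in expected["services"]:
        reasons.append(f"proto {flow['proto']} dport {flow['dport']} not in policy services")
    return reasons


def report(debug_text, expected):
    """One summary line per trace: observed verdict plus why the expected policy
    would not have matched."""
    lines = []
    for trace, flow in sorted(parse_debug_flow(debug_text).items(), key=lambda kv: int(kv[0])):
        reasons = explain_mismatch(flow, expected)
        summary = (
            f"trace {trace}: {flow['src']}:{flow['sport']} -> {flow['dst']}:{flow['dport']} "
            f"in={flow.get('in_if')} out={flow.get('out_if')} "
            f"verdict={flow.get('verdict')} policy={flow.get('policy')}"
        )
        lines.append(summary + (" | " + "; ".join(reasons) if reasons else " | matches expected policy"))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DEBUG_FLOW, EXPECTED_POLICY):
        print(line)
```

Paste real debug-flow output in place of the sample and fill `EXPECTED_POLICY` from the policy on the FortiGate; a trace that ends in "Denied by forward policy check (policy 0)" with a non-empty reason list tells you exactly which criterion (interface, address or service) sent it to the implicit deny.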