Support Forum
wotik
New Contributor III

Blocking connection by Implicit Deny

Hello

Probably a stupid question, but can anyone tell me why this connection is being blocked by the Implicit Deny firewall rule? In the firewall rules, I have created allowing rules for DNS, HTTPS and some traffic goes through, and some like the one below to Google does not...

date="2023-02-16" time="14:42:13" id=7200748607182471170 bid=4486763 dvid=1043 itime=1676554933 euid=3 epid=1030 dsteuid=3 dstepid=101 logflag=103 logver=702041396 type="traffic" subtype="forward" level="notice" action="deny" policyid=0 sessionid=898077 srcip="192.168.X.ABC" dstip="142.250.203.193" srcport=54554 dstport=443 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid="0000000013" srcname="TEST1" service="Google-Web" app="Google-Web" appcat="unscanned" srcintfrole="lan" dstintfrole="wan" srcserver=0 policytype="policy" eventtime=1676554933387308699 crscore=30 craction=131072 crlevel="high" srcmac="AAAAAA" mastersrcmac="AAAAAA" srchwvendor="HP" srcswversion="10" osname="Windows" srccountry="Reserved" dstcountry="Poland" srcintf="internal" dstintf="wan2" dstinetsvc="Google-Web" dstowner="google.com" threatwgts="{30}" threatcnts="{1}" threatlvls="{3}" threats="{blocked-connection}" threattyps="{blocked-connection}" tz="+0100" dstregion="Masovian" dstcity="Warsaw" dstreputation=4 devid="FGTXXXXXXXX" vd="root" devname="XXXXX"

Best Regards,
Wojtek
lol
Staff

Hello,

The packet does not match any existing firewall policy and therefore matches the implicit deny rule (action="deny" policyid=0).

Likely your existing firewall rules are not matching for the src/dst and ports seen in the log entry.

It is very unlikely this issue could be resolved through the forums without knowing your policy framework.

It's recommended to open a support ticket with technical support to have this further investigated so you can share your config for review.

The first steps here would be to collect a debug flow and check the config file.

Regards,
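The reply above makes the key point: policyid=0 with action="deny" is the implicit deny, and the log entry tells you what a matching policy would have had to cover. The script below is an added example (not from the posters or from Fortinet) that parses a FortiGate key=value traffic log line and runs it against a small set of hypothetical policies to show which one would have matched, or that none did. The policy list and the matching logic are assumptions for illustration: a real FortiGate policy lookup also evaluates source and destination address objects, schedules, users and more, so this only models the interface pair and the protocol/port. One thing it does show, using the proto=17 dstport=443 values from the posted log, is that a policy built on a TCP/443 HTTPS service does not match a UDP packet to port 443 (proto 17 is UDP), which is one of the mismatches worth checking before opening the ticket.

```python
import re

# Constructed sample line, modelled on the one in the question (source address made up).
SAMPLE_LOG = (
    'date="2023-02-16" time="14:42:13" type="traffic" subtype="forward" level="notice" '
    'action="deny" policyid=0 srcip="192.168.0.10" dstip="142.250.203.193" srcport=54554 '
    'dstport=443 proto=17 service="Google-Web" srcintf="internal" dstintf="wan2"'
)

# key=value pairs; the value is either a double-quoted string or a bare token.
# \s* after '=' tolerates the stray spaces that copy-paste sometimes inserts.
FIELD_RE = re.compile(r'(\w+)=\s*("(?:[^"\\]|\\.)*"|\S+)')

PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped, integers converted)."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        if value.lstrip("-").isdigit():
            value = int(value)
        fields[key] = value
    return fields


# Hypothetical policies standing in for the poster's "DNS and HTTPS" allow rules.
# FortiGate's built-in HTTPS service object is TCP/443 and DNS is TCP+UDP/53 (assumed here).
POLICIES = [
    {"id": 1, "name": "allow-dns", "srcintf": "internal", "dstintf": "wan2",
     "services": {("tcp", 53), ("udp", 53)}},
    {"id": 2, "name": "allow-https", "srcintf": "internal", "dstintf": "wan2",
     "services": {("tcp", 443)}},
]


def match_policy(entry, policies=POLICIES):
    """Return the first policy whose interface pair and (proto, dstport) match, else None.

    None models the implicit deny. This is a simplification: a real lookup also checks
    address objects, schedules, users and other policy attributes.
    """
    proto = PROTO_NAMES.get(entry.get("proto"))
    for pol in policies:
        if pol["srcintf"] != entry.get("srcintf") or pol["dstintf"] != entry.get("dstintf"):
            continue
        if (proto, entry.get("dstport")) in pol["services"]:
            return pol
    return None


def explain(line, policies=POLICIES):
    """Summarise the flow in a log line and say which policy (if any) would have matched."""
    entry = parse_fortigate_log(line)
    proto = PROTO_NAMES.get(entry.get("proto"), str(entry.get("proto")))
    flow = (f'{entry["srcip"]}:{entry["srcport"]} -> {entry["dstip"]}:{entry["dstport"]}/{proto} '
            f'({entry["srcintf"]} -> {entry["dstintf"]})')
    pol = match_policy(entry, policies)
    if pol is None:
        return f"{flow}: no policy matched -> implicit deny (policyid=0)"
    return f"{flow}: matched policy {pol['id']} ({pol['name']})"


if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
    # Same flow over TCP instead of UDP: the HTTPS policy now matches.
    print(explain(SAMPLE_LOG.replace("proto=17", "proto=6")))
```

Run it as-is to see the UDP flow fall through to the implicit deny while the TCP variant matches the HTTPS policy; to apply it to your own logs, replace POLICIES with the interface pairs and services from your actual rules and feed the denied lines through explain().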

wotik
New Contributor III

Hello,

Ok, I thought so.

I created a support ticket.

Best Regards,
Wojtek
gfleming
Staff

Can you show us the policy that you have defined that should match internal->WAN traffic?

Cheers,
Graham