DENIED by forward policy check (policy 0)
Hello Team
I have two sub-interfaces, one connected to a Wi-Fi network 10.15.242.X and the other to a wired network 10.38.X.X. I have made a specific rule to permit the traffic to ping between networks.
And it does not match any rule, and the traffic is denied by the implicit rule all the time ...
I have made a sniffer and a trace in the Forti (see images attached), and I see in the tcpdump how the traffic reaches the default gateway in the FortiGate, 10.15.242.1, but not the PC connected at the IP 10.15.242.2; it is always denied by policy 0.
I have a FortiGate 1500D with firmware version 5.4.4.
Any suggestion? I am going crazy ..
Can you please supply the config of the interfaces involved (conf sys int)?
What we really need is the fwpolicy. Your screenshot conflicts with the interface names:
MSSI-INT2 vs INT_USER
Did you happen to typo the wrong interface_name? Also on the diag sniffer packet, a suggestion:
1: specify the interface name
2: use the 4 value to double check ALL interfaces
e.g.
diag sniffer packet MSSI-INT2 " host 10.15.242.2 and icmp" 4
That would be better than "ANY" and you can look at the traffic from srcintf or dstintf.
So double-check firewall policy and then routing.
just a tip ;)
PCNSE
NSE
StrongSwan
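A small triage helper, added here and not part of the thread or of Fortinet's tooling, that reads verbosity-4 sniffer output like the command above and labels each ping flow as answered, forwarded, or dropped on ingress (which is what the implicit policy 0 deny looks like in the capture). The exact line layout and the sample packets are assumptions; only the interface names and addresses come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of 'diag sniffer packet <intf> "<filter>" 4' output; the line
# layout (timestamp, interface, in/out, src -> dst, protocol) is assumed, the packets made up.
SAMPLE = """\
12.345678 FWI-WIFI in 10.15.242.2 -> 10.15.242.1: icmp: echo request
12.345700 FWI-WIFI out 10.15.242.1 -> 10.15.242.2: icmp: echo reply
13.001234 MSSI-INT2 in 10.38.23.10 -> 10.15.242.2: icmp: echo request
14.001234 MSSI-INT2 in 10.38.23.10 -> 10.15.242.2: icmp: echo request
15.000001 MSSI-INT2 in 10.38.23.10 -> 10.15.242.5: icmp: echo request
15.000020 FWI-WIFI out 10.38.23.10 -> 10.15.242.5: icmp: echo request
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+->\s+(?P<dst>\d+(?:\.\d+){3}):\s+"
    r"icmp:\s+(?P<kind>echo request|echo reply)"
)

def parse_sniffer(text):
    """Parse ICMP echo lines into dicts; lines of any other shape are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(m.groupdict())
    return pkts

def flow_summary(pkts):
    """Map (src, dst, kind) -> set of (interface, direction) it was seen on."""
    flows = defaultdict(set)
    for p in pkts:
        flows[(p["src"], p["dst"], p["kind"])].add((p["intf"], p["dir"]))
    return flows

def classify(flows):
    """Label each echo-request flow: a request seen only 'in' (never 'out' on any
    interface, no reply back) is what a policy-0 deny or a missing route looks like."""
    status = {}
    for (src, dst, kind), seen in flows.items():
        if kind != "echo request":
            continue
        if (dst, src, "echo reply") in flows:
            status[(src, dst)] = "answered"
        elif any(d == "out" for _, d in seen):
            status[(src, dst)] = "forwarded, no reply (check the far host)"
        else:
            status[(src, dst)] = "dropped on ingress (policy deny or no route)"
    return status
```

Feed it the saved sniffer output instead of SAMPLE to triage a real capture; a flow that shows up as "dropped on ingress" is the one to look up with the policy and routing checks suggested above.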
I think the problem is the routing between VDOMs: the network 10.15.242.X is in the VDOM-Wifi and 10.38.23.X is a network in the VDOM-Root.
When I execute a ping from the VDOM wifi to the gateway 10.15.242.1 I can reach it successfully, because it is directly connected, but when I execute a ping to 10.15.242.2 is when the ping fails.
However, in both cases I can see the traffic in the diagnose sniffer packet ...
Do you have a policy from FWI-WIFI to MSSSI-INT2?
Yes of course, I have two rules permitting all traffic:
One FWI-WIFI ----> MSSSI-INT and the second one from MSSSI-INT to FWI-WIFI.
This I have checked; the only way to reach the destination is enabling NAT. But I don't want to enable it.
Yeah, a sanitized copy of your config would do wonders in us helping with the troubleshooting.
Mike Pruett
