Denied traffic on non utm non implicit policy
Hello team,
Has anyone encountered a denied-traffic log on a firewall policy with an "allow" action?
The policy has no UTM profiles, and the denied traffic is matching all policy criteria!
Labels: FortiGate
Is your policy hitting the implicit deny policy? You mention that in the title but don't state whether that's what is happening. Your traffic must not be matching your allow policy, for any of a ton of possible reasons.
Hi Adam.
The traffic is not hitting on the implicit deny.
It is hitting the allow policy but the log action is deny.
What is the reason for the deny? Can you post a redacted copy of the log message?
That sounds like the IP is getting quarantined. Check the status with diag user quarantine list or diag user banned-ip list (version-dependent).
This would typically be quarantine triggered by DoS, IPS, or DLP. If you find the IP banned, review your DoS/IPS/etc. configurations.
No IPS applied or DoS policies configured.
The user is not quarantined and they have other traffic running.
Can you check if there is a route change? Take one instance each of the allow and deny logs and compare the destination interfaces.
Suraj
No routing changes. Same dst interface, and the traffic is hitting the same security policy.
The session IDs are different; that probably means the FortiGate session was cleared when these new packets came. The last entry with the accept action was 20 hours ago; I don't think the session will be kept idle for so long.
Suraj
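The comparison suggested in the thread (one accept log against one deny log on the same policy, checking destination interface, session ID and the other matching fields) can be scripted. The following is an added example, not code from the thread or from Fortinet; the two FortiGate-style key=value log lines are constructed samples, and the field list is an assumption about which fields are worth comparing:

```python
import re
from collections import defaultdict

# Constructed sample FortiGate traffic log lines (not taken from the thread):
# an accepted flow and a later denied flow that both report policyid=7.
SAMPLE_LOGS = [
    'date=2024-03-01 time=08:00:01 type="traffic" subtype="forward" srcip=10.1.1.20 '
    'srcport=51234 srcintf="port1" dstip=203.0.113.10 dstport=443 dstintf="port2" '
    'sessionid=100234 proto=6 action="accept" policyid=7 policyname="LAN-to-WAN"',
    'date=2024-03-02 time=04:15:42 type="traffic" subtype="forward" srcip=10.1.1.20 '
    'srcport=51234 srcintf="port1" dstip=203.0.113.10 dstport=443 dstintf="port2" '
    'sessionid=100987 proto=6 action="deny" policyid=7 policyname="LAN-to-WAN"',
]

# key=value tokens; values are either a double-quoted string or a bare word.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    out = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        out[key] = val
    return out

# Assumed set of fields that should agree if the same policy handled both flows.
COMPARE_FIELDS = ("srcintf", "dstintf", "policyid", "sessionid", "srcip", "dstip", "dstport")

def compare_accept_deny(lines, fields=COMPARE_FIELDS):
    """Group records by policyid; for each policy that has both an accept and a
    deny record, return the compared fields whose values differ between the
    first accept and the first deny record, as {policyid: {field: (acc, den)}}."""
    by_policy = defaultdict(lambda: {"accept": [], "deny": []})
    for rec in map(parse_line, lines):
        action = rec.get("action")
        if action in ("accept", "deny"):
            by_policy[rec.get("policyid", "?")][action].append(rec)
    report = {}
    for pid, groups in by_policy.items():
        if groups["accept"] and groups["deny"]:
            acc, den = groups["accept"][0], groups["deny"][0]
            report[pid] = {f: (acc.get(f), den.get(f))
                           for f in fields if acc.get(f) != den.get(f)}
    return report

if __name__ == "__main__":
    for pid, diffs in compare_accept_deny(SAMPLE_LOGS).items():
        print(f"policyid={pid}: fields that differ between accept and deny: {diffs}")
```

On the constructed sample only `sessionid` differs, which matches the observation in the thread that the interfaces and policy were identical while the session IDs were not; a differing `dstintf` would instead point to the route change asked about earlier.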