Akmostafa
New Contributor III

Denied traffic on non utm non implicit policy

Hello team,

Has anyone encountered a denied traffic log on a firewall policy with an "allow" action?

The policy has no UTM profiles, and the denied traffic is matching all policy criteria!

adambomb1219
SuperUser

Is your policy hitting the implicit deny policy? You mention that in the title but don't state if that's what is happening. Your traffic must not be matching your allow policy for a ton of possible reasons.

Akmostafa

Hi Adam.

The traffic is not hitting on the implicit deny.

It is hitting the allow policy but the log action is deny.

adambomb1219

What is the reason for the deny?  Can you post a redacted copy of the log message?

Akmostafa
New Contributor III

[two screenshot attachments: 1.png, 2.png]

pminarik

That sounds like the IP is getting quarantined. Check the status with diag user quarantine list or diag user banned-ip list (version-dependent).


This would typically be quarantine triggered by DoS, IPS, or DLP. If you find the IP banned, review your DoS/IPS/etc. configurations.

[ corrections always welcome ]
Akmostafa
New Contributor III

No IPS applied or DoS policies configured.

The user is not quarantined and they have other traffic running.

srajeswaran

Can you check if there is a route change? Take one instance of allow and deny logs and compare the destination interfaces.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Akmostafa

No routing changes. Same dst interface, and traffic is hitting on the same security policy.

srajeswaran

The session IDs are different, that probably means the FortiGate session was cleared when these new packets came. The last entry with accept action was 20 hours ago, I don't think the session will be kept idle for so long.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
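The comparison Suraj describes (same policy, compare destination interface and session ID between the accept and deny entries, and check how long ago the last accept was) can be automated over exported traffic logs. The script below is an added example for this thread, not Fortinet code and not something posted by the participants. It parses FortiGate-style key=value forward-traffic lines (standard field names such as policyid, action, dstintf, sessionid) and, for every policy that produced both accept and deny entries, reports each deny with whether its dstintf matches the last accept, whether it is a new session, and the hours elapsed since that accept. The log lines and their values are constructed for the example; policyid=0 is treated as the implicit deny and skipped.

```python
"""Compare FortiGate forward-traffic log entries that hit the same policy
but carry different actions.  Added example for this forum thread, not
Fortinet code.  The sample lines below are constructed: standard FortiGate
key=value field names, made-up addresses, times and session IDs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the original post).  Policy 5 accepted
# traffic on day one, then logged two denies for the same flow ~20 hours
# later in new sessions; the last line is the implicit deny (policyid=0).
SAMPLE_LOGS = """\
date=2023-05-01 time=10:00:05 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=51000 srcintf="port1" dstip=192.0.2.10 dstport=443 dstintf="port2" sessionid=100001 proto=6 action="accept" policyid=5 service="HTTPS"
date=2023-05-02 time=06:12:41 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=51044 srcintf="port1" dstip=192.0.2.10 dstport=443 dstintf="port2" sessionid=100977 proto=6 action="deny" policyid=5 service="HTTPS"
date=2023-05-02 time=06:12:43 type="traffic" subtype="forward" srcip=10.1.1.20 srcport=51045 srcintf="port1" dstip=192.0.2.10 dstport=443 dstintf="port3" sessionid=100978 proto=6 action="deny" policyid=5 service="HTTPS"
date=2023-05-02 time=06:13:00 type="traffic" subtype="forward" srcip=10.1.1.30 srcport=40000 srcintf="port1" dstip=198.51.100.7 dstport=22 dstintf="port2" sessionid=100990 proto=6 action="deny" policyid=0 service="SSH"
"""

# key=value pairs; values may be bare tokens or double-quoted strings
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in FIELD_RE.finditer(line)}


def parse_logs(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _stamp(rec):
    """Combine the date and time fields into a datetime for ordering and deltas."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def find_deny_on_allow_policy(records):
    """For each policy with both accept and deny entries, annotate every deny
    against the most recent accept: same dstintf?  new session?  hours since?"""
    by_policy = defaultdict(list)
    for r in records:
        if r.get("type") == "traffic" and r.get("subtype") == "forward":
            by_policy[r["policyid"]].append(r)

    findings = {}
    for pid, recs in by_policy.items():
        if pid == "0":  # policyid 0 is the implicit deny, not an allow policy
            continue
        accepts = [r for r in recs if r["action"] == "accept"]
        denies = [r for r in recs if r["action"] == "deny"]
        if not accepts or not denies:
            continue  # nothing contradictory to compare on this policy
        last_accept = max(accepts, key=_stamp)
        findings[pid] = [{
            "sessionid": d["sessionid"],
            "same_dstintf": d["dstintf"] == last_accept["dstintf"],
            "new_session": d["sessionid"] != last_accept["sessionid"],
            "hours_since_last_accept": round(
                (_stamp(d) - _stamp(last_accept)).total_seconds() / 3600, 2),
        } for d in denies]
    return findings


if __name__ == "__main__":
    for pid, items in find_deny_on_allow_policy(parse_logs(SAMPLE_LOGS)).items():
        print("policy", pid)
        for item in items:
            print("  ", item)
```

Feed it a real traffic-log export in place of SAMPLE_LOGS; a deny whose same_dstintf is False points at a routing or interface difference, while same_dstintf True with new_session True and a large hours_since_last_accept matches the "session was cleared, new packets re-evaluated" situation discussed above.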