Hello team,
Has anyone encountered a denied traffic log on a firewall policy with an "allow" action?
The policy has no UTM profiles and the denied traffic is matching all policy criteria!
Is your policy hitting the implicit deny policy? You mention that in the title but don't state if that's what is happening. Your traffic must not be matching your allow policy for a ton of possible reasons.
Hi Adam.
The traffic is not hitting on the implicit deny.
It is hitting the allow policy but the log action is deny.
What is the reason for the deny? Can you post a redacted copy of the log message?
That sounds like the IP is getting quarantined. Check the status with diag user quarantine list or diag user banned-ip list (version-dependent).
This would typically be quarantine triggered by DoS, IPS, or DLP. If you find the IP banned, review your DoS/IPS/etc. configurations.
No IPS applied or DoS policies configured.
The user is not quarantined and they have other traffic running.
Can you check if there is a route change? Take one instance of allow and deny logs and compare the destination interfaces.
No routing changes. Same dst interface, and traffic is hitting on the same security policy.
The session IDs are different; that probably means the FortiGate session was cleared when these new packets came. The last entry with accept action was 20 hours ago; I don't think the session will be kept idle for so long.
Copyright 2024 Fortinet, Inc. All Rights Reserved.