Hello. I have the same problem (or a similar one) with FortiGate 60D / E 5.4.1 and with FortiWiFi 60E. I just have LAN and WAN connected, one policy to allow LAN to WAN all traffic with Log All Sessions enabled. My devices connected to LAN interfaces are able to surf on the internet (policy and default route created). This policy rule logs all sessions. In the log settings, I log all that I want to memory and I display the log from memory. But when I want to see the log, I just see Deny: IP Connection Error. I can't see allowed traffic and other potential denies. This is very strange because these log entries match my unique policy "LAN to WAN".
I have the same problem with FG200D and FG60D using 5.4.1. It's blocking Google-Web and this device (Android phone) can't download an app from Google Play. If I connect it to the 4G network it downloads OK.
The deny you had selected in the image was showing TCP 8013. That's normally v5.4.1 FortiClient registration, which should only be going to the FortiGate (or EMS server).
Is it only wifi clients running FortiClient that are getting denied?
Is the SSID set up as a tunnel instead of a bridge?
If so, have you enabled FortiTelemetry for the SSID interface?
If not, that could be your problem.
If you do have FortiTelemetry enabled for the wifi tunnel, have you set up a separate wifi-tunnel to wan rule?
I'm going off my configuration of a FortiGate with FortiAP so it may or may not match your experience.
Hello @tanr and thank you for your answer.
My problem is present with devices connected via WiFi and directly with the cable. I don't think that the problem is related to wireless. I have exactly the same problem with a FortiGate 60D.
For information, any of my clients uses FortiClient in this installation. It's really an out-of-the-box problem. As I said before, I just use the simple configuration shown in my initial post.
By the way, I don't have a lot of experience using FortiWiFi. I checked tunnel mode for my WiFi. Is it a good idea or not? I just use the two antennas of the FortiWiFi, not an external AP. What is FortiTelemetry?
thanks.
garibaldi.sebastian@arlei.com wrote: I have the same problem with FG200D and FG60D using 5.4.1. It's blocking Google-Web and this device (Android phone) can't download an app from Google Play. If I connect it to the 4G network it downloads OK.
Ok, and did you find a solution or not?
I'm not sure what you meant by "Any of my client uses FortiClient". Instead of "Any" did you mean "All", "None", or "Some"? If it was "None", then FortiClient issues aren't the problem. But if not, and the logs you list are showing up with FortiClients, then turning on FortiTelemetry under "Administrative Access" for the LAN interfaces would allow the FortiClients to register with the FortiGate. FortiTelemetry is just the new term for FortiClient communication, and it's done with TCP/2013, which is what your logs show getting blocked. That's why I was wondering about FortiClients. BTW, you definitely DON'T want FortiTelemetry turned on for your WAN interfaces.
If you're not using a separate AP then I'm not sure that tunnel mode would really be needed. Normally tunnel mode (vs bridged mode) for a separate AP's SSIDs forces the traffic through a tunnel to the FortiGate so that security rules can be applied. With a FortiWiFi you're already at the FortiGate, but I don't know if that means security rules get applied or not for a bridged WiFi interface, especially if the WiFi interface is a member of the internal switch.
You said your LAN_2_WAN security policy has logging set to "All Sessions" and you're logging to memory.
Have you tried "Send Logs to FortiCloud" instead?
Posting your LAN interface config and the LAN_2_WAN security policy would probably help narrow this down.
Or just open a ticket with support.
Hello guys. Did you solve the problem?
I have the same issue. I want to RDP to a server from the client. I have a rule which allows this connection. When I try to connect to the server, it doesn't happen. In the log I see the connection matched the ALLOW rule, but the result is "Deny: IP connection error". I debugged the flow and saw that the server responded to the client's SYN request. I ran Wireshark on the client, but it didn't receive the SYN packet from the server. The client has antivirus turned off. We have an FG100D with FortiOS 5.4.3.
I'm seeing the same exact behavior on a brand new FortiGate 100E running 5.4.4, installed less than 2 weeks ago. It has a pretty basic config and everything is working, except I can't get anything out of the logs other than Deny: IP connection error for everything.
Does anyone have any other ideas that may help this issue?
Log severity is left at warning.
config log memory filter
    set severity information
end
Thank you TuncayBAS. This was my problem. I changed the log severity to information and it seems to have corrected the problem.
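To show why the memory log filter hides the accepted sessions, here is an added example (not code from any poster and not FortiOS code) that applies a FortiOS-style severity threshold to constructed FortiGate key=value log lines. It assumes the FortiOS convention that accepted traffic is logged at level "notice" and denied traffic at level "warning"; the log lines and addresses are made up.

```python
# Added example: models the FortiOS memory log severity filter to show why
# "set severity warning" drops accepted-traffic events (level "notice").
import re

# FortiOS severity order (lower number = more severe). A filter at level X
# keeps events whose numeric level is <= X, so "warning" excludes "notice".
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "information": 6, "debug": 7,
}

# Constructed sample lines in FortiGate key=value style (values are made up;
# levels follow the assumed convention: accept=notice, deny=warning).
SAMPLE_LOGS = [
    'date=2017-05-10 time=10:01:02 type="traffic" subtype="forward" level="notice" '
    'srcip=192.0.2.10 dstip=198.51.100.5 dstport=443 action="accept" policyid=1 msg="LAN to WAN"',
    'date=2017-05-10 time=10:01:03 type="traffic" subtype="forward" level="warning" '
    'srcip=192.0.2.11 dstip=198.51.100.9 dstport=8013 action="deny" policyid=1 msg="IP connection error"',
    'date=2017-05-10 time=10:01:04 type="traffic" subtype="forward" level="notice" '
    'srcip=192.0.2.12 dstip=198.51.100.5 dstport=3389 action="accept" policyid=2 msg="RDP"',
]

# key=value where the value is either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log(line):
    """Parse a FortiGate-style key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def filter_by_severity(lines, threshold):
    """Keep only records at or above the severity threshold, as the memory filter does."""
    if threshold not in SEVERITY:
        raise ValueError(f"unknown severity: {threshold}")
    limit = SEVERITY[threshold]
    records = (parse_log(line) for line in lines)
    return [r for r in records if SEVERITY.get(r.get("level"), 7) <= limit]


def actions_seen(lines, threshold):
    """Sorted set of actions still visible in the log at a given filter level."""
    return sorted({r["action"] for r in filter_by_severity(lines, threshold)})


if __name__ == "__main__":
    for level in ("warning", "information"):
        print(level, actions_seen(SAMPLE_LOGS, level))
```

At "warning" only the deny record survives, which is exactly the symptom in this thread; at "information" the accepted sessions appear as well.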
Copyright 2024 Fortinet, Inc. All Rights Reserved.