Firewall Policies created not working
I did a simple exercise where I connected the two PCs to the physical FortiGate (to port1 and port2). Then I created a rule where I set the incoming traffic to port1 and outgoing traffic to port2 (with all other parameters set to 'all'). I also created another rule to permit the reverse traffic. However, all traffic is being denied due to the implicit deny rule. Does anyone have a suggestion regarding this configuration? I can ping the FortiGate from the PCs. The FortiGate is not registered yet (I did the same configuration in VMware Workstation with the FortiGate running on a VM, and it worked).
Labels: FortiGate
Dear @Giovanna,
Please run the debug command to check the traffic flow and the firewall policy that is matching:
# diagnose debug disable
# diagnose debug flow filter addr <Source_IP> <Destination_IP> and
# diagnose debug flow show function-name enable
# diag debug flow show iprope enable
# diagnose debug console timestamp enable
# diagnose debug flow trace start 1000
# diagnose debug enable
Best regards,
Erlin
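As an added example (not from Erlin's post and not Fortinet code), a small Python parser that groups "diagnose debug flow" trace lines by trace_id and reports, for each flow, the ingress interface, the routed egress interface and the policy verdict. The sample trace below is constructed, and its line format is only approximated from typical FortiGate output, so adjust the regular expressions to what your unit actually prints. Policy 0 in the deny message is the implicit deny, i.e. no configured policy matched.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output; the format is approximated
# from typical FortiGate trace lines and was not captured from the poster's device.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) from port1. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000004a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.2.10 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) from port1. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-0000004b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.2.10 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Allowed by Policy-1:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')
ROUTE_RE = re.compile(r'via (\S+)$')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_debug_flow(text):
    """Group trace lines per trace_id and summarise what happened to each flow."""
    flows = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = m.group(1), m.group(3)
        f = flows[tid]
        if (p := PKT_RE.search(msg)):
            f.update(proto=int(p.group(1)), src=p.group(2), dst=p.group(3), ingress=p.group(4))
        elif (r := ROUTE_RE.search(msg)):
            f["egress"] = r.group(1)  # interface chosen by the route lookup
        elif (d := DENY_RE.search(msg)):
            f.update(verdict="denied", policy=int(d.group(1)))
        elif (a := ALLOW_RE.search(msg)):
            f.update(verdict="allowed", policy=int(a.group(1)))
    return dict(flows)


def implicit_deny_flows(flows):
    """Flows that hit policy 0 (the implicit deny): no configured policy matched them."""
    return {tid: f for tid, f in flows.items()
            if f.get("verdict") == "denied" and f.get("policy") == 0}


if __name__ == "__main__":
    for tid, f in parse_debug_flow(SAMPLE_TRACE).items():
        print(tid, f)
```

A flow that reaches policy 0 with ingress port1 and egress port2 shows the packet did get as far as the policy lookup, so the mismatch is in the policy's interface, address or service selection rather than in routing.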
Thank you! Debug didn't show any issues; it looks like the FortiGate takes time to load the configuration modifications. Do you maybe know why this happens? It takes more than 1 hour.
Dear @Giovanna,
Thank you for the reply!
Did you notice the traffic that is flowing into the FGT from the sniffer command?
# diag sniffer packet any "host <Source_IP> and host <Destination_Ip>" 4 0 l
Best regards,
Erlin
Created on 03-26-2025 10:22 AM, edited on 03-26-2025 10:23 AM
Hi @Giovanna,
You need to tell us the details about your traffic:
Ping or HTTP or something else?
Source IP / Destination IP?
The outputs of the debug flow.
And/or the outputs of the sniffer packets capture.
Jerry
Hi Giovanna,
Jerry and Salija are right; if you share the "diag debug flow" output, it will help us to help you.