Support Forum
Giovanna
New Contributor

Firewall Policies created not working

I did a simple exercise where I connected the two PCs to the physical FortiGate (to port1 and port2). Then I created a rule where I set the incoming traffic to port1 and outgoing traffic to port2 (with all other parameters set to 'all'). I also created another rule to permit the reverse traffic. However, all traffic is being denied due to the implicit deny rule. Does anyone have a suggestion regarding this configuration? I can ping the FortiGate from the PCs. The FortiGate is not registered yet (I did the same configuration in VMware Workstation with the FortiGate running on a VM, and it worked).

14 REPLIES
AEK
SuperUser

In the traffic logs, double click on a deny log entry and post a screenshot.

Also please post a screenshot of the related firewall rule.

AEK
Giovanna
New Contributor

Thank you! Looks like the FortiGate needs some time to upload the configuration modification; the day after, the policies worked. Do you maybe know why this happened? It takes more than 1 hour to take in the new configuration.

AEK

This is expected behavior if you keep the session open.

When you change a policy, the effect is immediate on the "new sessions", but any existing open session will continue to work until it is closed by the client or the server.

AEK
Giovanna
New Contributor

Thank you again! I tried to use the command diag sys session clear, but I still have the same issue.

dingjerry_FTNT

Hi @Giovanna ,

1) Please provide your firewall policy configuration.

2) Please provide the details about your traffic. For example, are you testing with Ping? What is your source IP? What is your destination IP? What is the destination port (service)?

3) Please provide your routing table on your FGT.

Regards,

Jerry
dingjerry_FTNT

And you may also use the Debug Flow commands to collect some outputs as well:

https://docs.fortinet.com/document/fortigate/7.6.2/administration-guide/38044/using-the-debug-flow-t...

Regards,

Jerry
dingjerry_FTNT

Hi @Giovanna ,

If the existing session is TCP based, the default session TTL is 3600 seconds (1 hour).

In this case, you need to clear the existing sessions and test it again.

diag sys session filter src x.x.x.x // x.x.x.x is the IP of the test PC that initiates the traffic

diag sys session filter proto 6

diag sys session clear

Regards,

Jerry
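The checks asked for in this thread (policy, routing, sessions, debug flow) collected into one CLI sequence. This is an added example, not a command list from any poster or from Fortinet; the addresses 10.0.1.10 (test PC on port1) and 10.0.3.10 (test PC on port3) are constructed placeholders.

```fortios
# Added example: walk through policy, routing and session state before
# assuming a stale session is the cause. Constructed addresses:
# 10.0.1.10 = test PC on port1, 10.0.3.10 = test PC on port3.

# 1) Confirm both policies exist and ask the policy engine which one a
#    TCP/80 packet from port1 would match (last arg = ingress interface).
show firewall policy
diagnose firewall iprope lookup 10.0.1.10 12345 10.0.3.10 80 6 port1

# 2) Routing: if no connected/static route covers 10.0.3.0/24 on port3,
#    the packet never reaches a port1->port3 policy and hits implicit deny.
get router info routing-table all

# 3) Session table: the session filter persists between commands, so reset
#    it first, then inspect what is there before clearing.
diagnose sys session filter clear
diagnose sys session filter src 10.0.1.10
diagnose sys session filter proto 6
diagnose sys session list
diagnose sys session clear

# 4) Debug flow for a fresh ping (ICMP = proto 1) from the port1 PC: the
#    trace prints the matched policy id, or the reason the packet was dropped.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.1.10
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable
# ... run the ping from 10.0.1.10 to 10.0.3.10, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

Sessions listed with state=local belong to the FortiGate itself (for example the management session) and are not governed by the port1/port3 policies, so they are expected to survive the clear.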
Giovanna

Thank you very much. I tried to use the command diag sys session clear, but the issue is still present.

Giovanna
New Contributor

policy:

set name "port1_port3"
set uuid  
set srcintf "port1"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all

There is also a port3_port1 policy (same configuration). When I test the traffic in policy lookup, the FortiGate notifies that the match is with the deny-all rule. The day after, traffic flows and the rule is active. There is a session problem, and diag sys session clear didn't eliminate all the sessions (some local sessions are still active). Thank you very much (to all) for your help!
