Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pxiannie
New Contributor III

Fortigate Denied by forward policy check (policy 0) problem

I set my service to ALL in the firewall policy, but why does it still show the problem "Denied by forward policy check (policy 0)"? It shows DNS resolution failing when I try to access a local system using SSL VPN.


Screenshot 2024-02-05 155943.png

My Firewall Policy
    edit 1
        set name "LAN-to-SDWAN"
        set srcintf "lan"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "Clone of certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set voip-profile "default"
        set nat enable
    next

    edit 4
        set name "SSL VPN > LAN Access"
        set srcintf "ssl.root"
        set dstintf "lan"
        set action accept
        set srcaddr "SSL-VPN_Address"
        set dstaddr "Local_LAN"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "Clone of certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set voip-profile "default"
        set groups "Employees"
    next

Labels: FortiGate, FortiClient



smaruvala
Staff

Hi,

From the debug it looks like the DNS communication is to the 8.8.4.4 IP address and the incoming interface is the SSL VPN interface. From the 2 rules which were shared, it does not look like either of them matches. Is there any rule which allows the communication from the SSL VPN interface to the ppp2 interface, as per the debug?

Regards,

Shiva

pxiannie
New Contributor III

Hi,

I have another 3 policies, but I think they are not related? Is there anything I left out?

    edit 2
        set name "vpn_IPSEC_STU-NDC_local"
        set srcintf "lan"
        set dstintf "IPSEC_STU-NDC"
        set action accept
        set srcaddr "IPSEC_STU-NDC_local"
        set dstaddr "IPSEC_STU-NDC_remote"
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "IPSEC_STU-NDC"
    next
    edit 3
        set name "vpn_IPSEC_STU-NDC_remote"
        set srcintf "IPSEC_STU-NDC"
        set dstintf "lan"
        set action accept
        set srcaddr "IPSEC_STU-NDC_remote"
        set dstaddr "IPSEC_STU-NDC_local"
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "IPSEC_STU-NDC"
    next

    edit 7
        set status disable
        set name "lan > ssl vpn"
        set srcintf "lan"
        set dstintf "ssl.root"
        set action accept
        set srcaddr "all"
        set dstaddr "SSL-VPN_Address"
        set schedule "always"
        set service "ALL"
    next

pxiannie
New Contributor III

I created a policy to communicate from SSL VPN to my virtual WAN link, which is ppp2. Now it doesn't show the "Denied by forward policy check (policy 0)" problem, but I am still not able to ping my server IP in the command prompt. TAT
Screenshot 2024-02-05 165621.png

smaruvala
Staff

Hi,

1. Please check what IP the DNS is resolving the FQDN to. Make sure the IP it resolves to is the correct one.

2. Check if you have the correct route in the firewall for the destination IP or the server IP address.

3. Check if you have the correct security policy to allow the communication from the correct incoming interface to the outgoing interface.

4. You can check the traffic log and see if the traffic is flowing correctly or not. Make sure logging is enabled in the policy for this. Do check the sent bytes and received bytes values.

Regards,

Shiva
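
The two staff replies above describe the order in which a FortiGate decides whether a new session is allowed: the route lookup selects the egress interface first, and only then is the policy list scanned for an entry whose interface pair, address objects and service all match; no match is the implicit deny reported as "policy 0". The following Python model is an added example for readers of the thread, not code from the poster or from Fortinet. The SSL VPN pool, the LAN prefix, the routing table, the SD-WAN member name and the extra policy 8 are constructed stand-ins, since the thread only names the address objects and ppp2.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not Fortinet's code): a toy model of the two lookups a
# FortiGate performs for a new session. Route lookup picks the egress
# interface; policies are then matched top-down; no match means "policy 0".

Net = ipaddress.IPv4Network


@dataclass
class Policy:
    id: int
    name: str
    srcintf: set[str]
    dstintf: set[str]           # may name a zone such as "virtual-wan-link"
    srcaddr: list[Net]          # empty list stands for the "all" object
    dstaddr: list[Net]
    service: set[str]           # "udp/53" style entries, or {"ALL"}
    status: str = "enable"


@dataclass
class Route:
    prefix: Net
    interface: str


def lookup_route(routes: list[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the routing table; returns the egress interface."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def expand(names: set[str], zones: dict[str, list[str]]) -> set[str]:
    """Replace zone / SD-WAN names with their member interfaces."""
    out: set[str] = set()
    for n in names:
        out.update(zones.get(n, [n]))
    return out


def addr_ok(objs: list[Net], addr: str) -> bool:
    return not objs or any(ipaddress.ip_address(addr) in n for n in objs)


def match_policy(policies, zones, srcintf, dstintf, src, dst, service) -> int:
    """Id of the first enabled policy matching interface pair, addresses and service, else 0."""
    for p in policies:
        if p.status != "enable":
            continue
        if srcintf not in expand(p.srcintf, zones):
            continue
        if dstintf not in expand(p.dstintf, zones):
            continue
        if not (addr_ok(p.srcaddr, src) and addr_ok(p.dstaddr, dst)):
            continue
        if "ALL" not in p.service and service not in p.service:
            continue
        return p.id
    return 0


def classify(policies, routes, zones, srcintf, src, dst, service):
    """Return (egress interface, matched policy id) for a new session."""
    egress = lookup_route(routes, dst)
    if egress is None:
        return None, 0          # no route: dropped before any policy lookup
    return egress, match_policy(policies, zones, srcintf, egress, src, dst, service)


# Constructed values standing in for the thread's address objects and routing
# table; the real prefixes are not given in the posts.
SSL_POOL = [Net("10.212.134.0/24")]      # "SSL-VPN_Address"
LOCAL_LAN = [Net("192.168.1.0/24")]      # "Local_LAN"
ZONES = {"virtual-wan-link": ["ppp2"]}   # SD-WAN zone with ppp2 as its member
ROUTES = [Route(Net("0.0.0.0/0"), "ppp2"), Route(Net("192.168.1.0/24"), "lan")]

# Policies 1, 4 and 7 as posted; policy 8 is a constructed ssl.root -> SD-WAN rule
# of the kind the poster says they added afterwards.
POLICIES = [
    Policy(1, "LAN-to-SDWAN", {"lan"}, {"virtual-wan-link"}, [], [], {"ALL"}),
    Policy(4, "SSL VPN > LAN Access", {"ssl.root"}, {"lan"}, SSL_POOL, LOCAL_LAN, {"ALL"}),
    Policy(7, "lan > ssl vpn", {"lan"}, {"ssl.root"}, [], SSL_POOL, {"ALL"}, status="disable"),
]
FIXED = POLICIES + [Policy(8, "ssl vpn > sdwan", {"ssl.root"}, {"virtual-wan-link"}, SSL_POOL, [], {"ALL"})]


def demo():
    client = "10.212.134.200"
    # DNS from the tunnel to 8.8.4.4 leaves via ppp2; no posted policy covers ssl.root -> ppp2,
    # so "service ALL" on policy 4 never comes into play.
    dns_before = classify(POLICIES, ROUTES, ZONES, "ssl.root", client, "8.8.4.4", "udp/53")
    dns_after = classify(FIXED, ROUTES, ZONES, "ssl.root", client, "8.8.4.4", "udp/53")
    # A ping to a LAN host is a different interface pair (ssl.root -> lan) and hits policy 4.
    ping_lan = classify(FIXED, ROUTES, ZONES, "ssl.root", client, "192.168.1.10", "icmp")
    return dns_before, dns_after, ping_lan


if __name__ == "__main__":
    for label, res in zip(("dns before", "dns after", "ping lan"), demo()):
        print(f"{label}: egress={res[0]} policy={res[1]}")
```

Running the block shows the DNS flow hitting policy 0 until a policy for the ssl.root to SD-WAN pair exists, and the LAN ping matching policy 4 only when the client address is inside the SSL VPN pool and the route for the server points at lan, which is why steps 2 and 3 above check the route and the interface pair rather than the service column.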
