NoneEng
New Contributor III

Help With Traffic Hitting Implicit Deny

Hello,

I have some traffic hitting Implicit Deny, even though the Allow Policy seems to be correct:

Logs:

log.png

Rule:

policy.png

Found this: Traffic dropped by 'implicit deny pol... - Fortinet Community, but everything shown is OK here.

This might be relevant: I recently changed my FortiGate from standalone to Fabric Root.

Could you please help diagnose this? Thanks in advance.

AEK
SuperUser

Hi

Try checking in the quarantine monitor that the source IP addresses are not quarantined.

Also check in the above log if the outgoing interface is the right one in the policy.

AEK
NoneEng
New Contributor III

Hi @AEK!

No quarantined IPs or devices.

In the logs the outgoing interface is the right one.

One thing I noticed is that the blocks happen only with my WLANs.

I created a new policy "TEMP_TEST" and added it at the top with one of them:

top_policy.png

Logs:

logs_guests.png

PS: This WLAN has a captive portal and is from a FortiAP. Users just need to accept the terms to log in.

I don't have a clue. Any ideas how to look into it further?

AEK

Hi NoneEng

So can you disable the active portal and try again?

AEK
NoneEng
New Contributor III

Hey @AEK , sorry for my absence.

I would still need to enable another type of security auth:

sett_sec.png

AEK

I mean disable it temporarily just to make sure it is (or it is not) the root cause.

AEK
rahul_p1
Staff

Hi,

Please share the debug logs:

diagnose debug reset
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow filter addr X.X.X.X
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 1000
diagnose debug enable

(X.X.X.X is your destination IP.)

Note: run this to stop the debug:

diagnose debug disable

vbandha
Staff

Hello @NoneEng

Can you check if there is an appropriate SD-WAN rule enabled for this?

It is most likely a routing issue; the debug flow mentioned earlier will give more information about what is happening.

One other thing you could try as a troubleshooting step is to create a policy route for this traffic specifically:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-Firewall-Policy-Routes/ta-...

Regards,

Varun

sahmed_FTNT
Staff

Hello, you can verify the settings below:

- correct source
- service (ports) are allowed
- correct interface
- there is no deny policy above the allow policy

Also make sure the policy schedule section has the correct values.
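As an added example (not posted by anyone in this thread), a small Python script that runs the checklist above against exported FortiGate traffic logs: it picks out the flows dropped by the implicit deny (policyid 0), groups them by interface pair and service, and tests each against the match criteria of a hypothetical allow policy. The log lines, interface names, addresses and the policy are all constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed FortiGate forward-traffic log lines (sample data, not the poster's logs);
# policyid=0 is the implicit deny, policyid=7 stands in for the allow policy.
SAMPLE_LOGS = """\
date=2024-01-10 time=10:01:02 type="traffic" subtype="forward" srcip=10.20.0.15 srcport=51000 srcintf="wlan.guest" dstip=142.250.74.1 dstport=443 dstintf="wan1" policyid=0 action="deny" service="HTTPS"
date=2024-01-10 time=10:01:05 type="traffic" subtype="forward" srcip=10.20.0.15 srcport=51001 srcintf="wlan.guest" dstip=142.250.74.1 dstport=443 dstintf="wan1" policyid=7 action="accept" service="HTTPS"
date=2024-01-10 time=10:01:09 type="traffic" subtype="forward" srcip=10.30.0.22 srcport=40000 srcintf="wlan.guest" dstip=8.8.8.8 dstport=53 dstintf="wan1" policyid=0 action="deny" service="DNS"
date=2024-01-10 time=10:01:12 type="traffic" subtype="forward" srcip=10.10.0.5 srcport=40001 srcintf="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" policyid=7 action="accept" service="DNS"
"""

# Hypothetical allow policy as read from the GUI (assumed values, not the thread's).
ALLOW_POLICY = {
    "srcintf": {"wlan.guest"},
    "dstintf": {"wan1"},
    "srcaddr": [ipaddress.ip_network("10.20.0.0/24")],
    "service": {"HTTPS", "DNS"},
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def implicit_denies(text):
    """Return the parsed entries dropped by the implicit deny (policyid 0)."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e.get("policyid") == "0" and e.get("action") == "deny"]

def summarize(entries):
    """Count implicit denies per (srcintf, dstintf, service) to find the affected path."""
    return Counter((e["srcintf"], e["dstintf"], e["service"]) for e in entries)

def explain_miss(entry, policy):
    """Name the allow-policy criteria a denied flow fails. An empty list means the
    5-tuple should have matched, so look at routing/SD-WAN, schedule, quarantine or auth."""
    checks = {
        "srcintf": entry["srcintf"] in policy["srcintf"],
        "dstintf": entry["dstintf"] in policy["dstintf"],
        "srcaddr": any(ipaddress.ip_address(entry["srcip"]) in n for n in policy["srcaddr"]),
        "service": entry["service"] in policy["service"],
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    for e in implicit_denies(SAMPLE_LOGS):
        print(e["srcip"], e["service"], "fails:", explain_miss(e, ALLOW_POLICY) or "no match criterion; check routing/schedule/auth")
```

The first denied flow fails no policy criterion, which is the situation in this thread (policy looks right, traffic still hits policy 0), while the second is a plain source-address mismatch.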
