Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
NoneEng
New Contributor III

Created on ‎10-10-2024 08:11 AM Edited on ‎10-10-2024 08:16 AM

Help With Traffic Hitting Implicit Deny

Hello,

 

I have some traffic hitting Implicit Deny, even tho the Allow Policy seems to be correct:

Logs:

log.png

 

 

 

Rule:

policy.png

Found this: Traffic dropped by 'implicit deny pol... - Fortinet Community, but everything shown is ok here.

This might be relevant: I recently changed my FortiGate from standalone to Fabric Root.

 

Could you please help diagnose this? Thanks in advance.

Labels:
485
0 Kudos
6 REPLIES 6
AEK
SuperUser
SuperUser

Created on ‎10-10-2024 08:40 AM

Hi

Try check in quarantine monitor if the spurce IP addresses are not quarantined.

Also check in the above log if the outgoing interface is the right one in the policy.

AEK
AEK
462
NoneEng
New Contributor III
In response to AEK

Created on ‎10-11-2024 05:37 AM

Hi @AEK!


No quarantined IP or devices.

In the logs the outgoing interface is the right one.

 

One thing I noticed is the blocks happen only with my WLANs.

Created a new Policy "TEMP_TEST", added it on the top with one of them:

top_policy.png

 

Logs:

logs_guests.png

PS: This WLAN has a captive portal and is from a FortiAP. Users just need to accept the terms to login in.

 

I don't have a clue :grinning_face_with_sweat:
Any ideas how to further look into it?

 

406
0 Kudos
AEK
SuperUser
SuperUser
In response to NoneEng

Created on ‎10-12-2024 02:59 AM

Hi NoneEng

So can you disable the active portal and try again?

AEK
AEK
375
0 Kudos
rahul_p1
Staff
Staff

Created on ‎10-12-2024 03:07 AM

Hi,

Please share the debug logs:-

diagnose debug reset
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow filter addr X.X.X.X   -------->>x.x.x.x is your destination IP
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 1000
diagnose debug enable

 

Note:- Run this to stop the debug

diagnose debug disable 

366
0 Kudos
vbandha
Staff
Staff

Created on ‎10-13-2024 07:38 AM

Hello @NoneEng 

Can you check if there is appropriate SD WAN rule enabled for this?

It is most likely a routing issue, the debug flow mentioned earlier will give more information about what is happening. 

One other thing you could try as a troubleshooting step is to create policy route for this traffic specifically:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-Firewall-Policy-Routes/ta-...

 

Regards,

Varun

 

314
0 Kudos
sahmed_FTNT
Staff
Staff

Created on ‎10-13-2024 01:00 PM

Hello, you can verify below settings:

-correct source

-service(ports) are allowed

-correct interface

- there is no deny policy at top of allow policy

 

also make sure in policy schedule portion it has correct values

Security all we want
290
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.