Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Internal Zone to External Zone policy not applying
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Internal Zone to External Zone policy not applying
Hi,
I've had an issue with a 200F v7.2.8
We have an issue where policies for VLANs attached to a port that is part of a Zone labelled DMZ are not applied when using the Zone in the firewall policy.
for example
Port 2 has multiple separate VLANs that are various DMZ networks.
Port 2 is assigned to the DMZ Zone
One such DMZ VLAN is a quarantine DMZ (for testing suspicious USBs etc)
Port 24 is our main internet connection assigned to the WAN zone
If I create a rule From DMZ Zone to WAN Zone with source set to the IP Range used on the quarantine DMZ destination all, service all
I see no traffic hit that rule and logs show traffic from the IP of the device being blocked.
Even if I use a DMZ Zone interface source all to WAN destination all I still get not policy hits.
If I modify the rule so that the incoming interface is the Quarantine VLAN instead of the DMZ zone then the policy works.
I've worked around this by using the VLANs for the rules but I would like to consolidate our rules to start tidying this up by using zones.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use policy lookup tool on the firewall policy page and check if it is matching with the intended firewall policy when zones are used.
Run the debug
di de flow filter addr <dst ip>
di de flow show function-name en
di de flow trace start 50
di de en
Initiate ping or other test traffic to this destination and share the debug output
Amritpal Singh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Debug output as below
id=65308 trace_id=4 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=60."
id=65308 trace_id=4 func=init_ip_session_common line=6009 msg="allocate a new session-14775074, tun_id=0.0.0.0"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=4 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=4 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=5 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=61."
id=65308 trace_id=5 func=init_ip_session_common line=6009 msg="allocate a new session-1477532f, tun_id=0.0.0.0"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=5 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=5 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=62."
id=65308 trace_id=6 func=init_ip_session_common line=6009 msg="allocate a new session-147754c3, tun_id=0.0.0.0"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=6 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=6 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Policy that it should be using below
config firewall policy
edit 60
set name "Quarantine Allow out - All"
set uuid ea703fd6-c6d3-51ed-d8ad-31effd795561
set srcintf "DMZ"
set dstintf "WAN"
set action accept
set srcaddr "QuarantineDMZ address"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set logtraffic all
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As per the debugs traffic is leaving out via port24 , find a route: flag=04000000 gw-203.54.189.241 via port24"
which is a part of the wan zone so ideally it should match with policy 60.
For testing, remove all the utm profiles from the policy 60, check the source address and its subnet, check the schedule ‘Always’ object also verify the services ‘ALL set asic offload disable and run the debugs again
config firewall policy
edit 60
set auto-asic-offload disable
end
end
Amritpal Singh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changed policy - see below
edit 60
set name "Quarantine Allow out - All"
set uuid ea703fd6-c6d3-51ed-d8ad-31effd795561
set srcintf "DMZ"
set dstintf "WAN"
set action accept
set srcaddr "QuarantineDMZ address"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "certificate-inspection"
set logtraffic all
set auto-asic-offload disable
Same debug
See below
id=65308 trace_id=16 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=72."
id=65308 trace_id=16 func=init_ip_session_common line=6009 msg="allocate a new session-14790f04, tun_id=0.0.0.0"
id=65308 trace_id=16 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=16 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=16 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=17 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=73."
id=65308 trace_id=17 func=init_ip_session_common line=6009 msg="allocate a new session-14791029, tun_id=0.0.0.0"
id=65308 trace_id=17 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=17 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=17 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=18 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=74."
id=65308 trace_id=18 func=init_ip_session_common line=6009 msg="allocate a new session-1479127b, tun_id=0.0.0.0"
id=65308 trace_id=18 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=18 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=18 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=19 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=75."
id=65308 trace_id=19 func=init_ip_session_common line=6009 msg="allocate a new session-14791487, tun_id=0.0.0.0"
id=65308 trace_id=19 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=19 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=19 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=20 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=76."
id=65308 trace_id=20 func=init_ip_session_common line=6009 msg="allocate a new session-147915a9, tun_id=0.0.0.0"
id=65308 trace_id=20 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=20 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=20 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=21 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.66.6.7:1->104.21.6.6:2048) tun_id=0.0.0.0 from QuarantineDMZ. type=8, code=0, id=1, seq=77."
id=65308 trace_id=21 func=init_ip_session_common line=6009 msg="allocate a new session-14791774, tun_id=0.0.0.0"
id=65308 trace_id=21 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-203.54.189.241 via port24"
id=65308 trace_id=21 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=14, len=3"
id=65308 trace_id=21 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
Given it is getting "Denied by forward policy check (policy 0)" it would appear it is not hitting policy 60 and is hitting the Implicit Deny. Correct?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it is hitting implicit deny policy. I recommended opening a TAC case , It is not an expectedly behaviour. I am suspecting some OS level issue. If possible try rebooting the device.
Amritpal Singh
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Issues with IPsec VPN and RTSP... 233 Views
- Moving SSL VPN DHCP to external... 148 Views
- Forti vm strange request 473 Views
- Can Fortigate establish TCP connection like... 1038 Views
- FortiManager, VIP, Dynamic Address 162 Views
Labels
-
FortiGate
8,465 -
FortiClient
1,713 -
5.2
801 -
FortiManager
712 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
457 -
FortiSwitch
456 -
6.0
416 -
FortiClient EMS
407 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
220 -
FortiWeb
199 -
5.0
196 -
IPsec
186 -
FortiNAC
176 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
70 -
4.0MR3
64 -
FortiProxy
59 -
FortiADC
53 -
Fortivoice
52 -
High Availability
52 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
44 -
FortiSandbox
43 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
38 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1660 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.