Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cheaman
New Contributor II

Policy 0

I' m seeing a fair amount of " Policy 0" with " No Session Matched" in our logs. Some of them are legit blocks, but a lot of them should match a policy and be allowed. What would cause this sort of deny?
Fortigate 1240B FAZ 4000A
Fortigate 1240B FAZ 4000A
22 REPLIES 22
cheaman
New Contributor II

Just to give an update on this: - 4.0 MR3 patch 13 - seems to only be happening with HTTP and HTTPS traffic - I' ve sent my config and some debugs to support and they are looking into the issue. I' ve had them WebEX in and have a look. We' re doing another session tomorrow as they would like some more debugs. I do not think it is asymmetric traffic flow from what I' ve read on it, but I' m not 100% sure. I will update once I speak with support tomorrow.
Fortigate 1240B FAZ 4000A
Fortigate 1240B FAZ 4000A
HA

Hello, I installed a cluster of Fortigate 200B (MR3P15) last friday for a customer. Today, I checked the the log of the FAZ and I noticed a lot of ' session not match' ! The source IP is completely random but it' s always related to HTTP or HTTPS. Asymmetric is not possible in my case. Cheaman, can you please give us some feedback if the support find a solution to this problem ? Regards, HA
HA

Hello, I checked several firewalls of my customers. I can see this kind of traffic (HTTP and HTTPS) for all of them. In the checkpoint log, I can see such kind of drop TCP packet out of state: First packet isn' t SYN tcp_flags: No Flags TCP packet out of state: First packet isn' t SYN tcp_flags: ACK TCP packet out of state: First packet isn' t SYN tcp_flags: FIN-ACK TCP packet out of state: First packet isn' t SYN tcp_flags: PUSH-ACK TCP packet out of state: First packet isn' t SYN tcp_flags: RST-ACK In fortigate log : no session match. I think that the firewall close the TCP session because of the inactivity of the host for such session (not reset is sent by the firewall to the host, session simply times out). So the host think that the session is still alive and send some request into this session...the firewall drops them ! Regards, HA
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors