Policy not matched
Hello,
I have the following policy:
config firewall policy
    edit 56
        set uuid a497a8c0-e751-51e8-a83e-2d7a00d741ce
        set srcintf "NOCSWITCH"
        set dstintf "Interconnect"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
... and yet I get the following message when trying a policy lookup:
Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "NOCSWITCH" to destination interface "Interconnect" as determined by a route lookup to "10.240.0.3"
This does not make sense - or am I missing something obvious?...
Regards,
Vincent
What subnet/mask do you have for "NOCSWITCH"? In the firewall address section, "all" should have no actual value set for it (e.g. defaulting to wildcard 0.0).
Edit: Check to see there are no other firewall rules that supersede this rule. Remember that firewall rules are processed from top-to-bottom.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Hi Dave,
thanks for your message.
"All" indeed is the default 0.0.0.0/0:
config firewall address
    edit "all"
        set uuid bcdc519a-68c7-51e4-3bb3-1ae9963b0092
    next
end
which includes 10.0.8.11, which is the host from where the dropped traffic comes:
config system interface
    edit "NOCSWITCH"
        set vdom "root"
        set ip 10.0.8.1 255.255.255.0
        set allowaccess ping https ssh snmp http
        set vlanforward enable
        set type switch
        set role lan
        set snmp-index 26
    next
end
I don't think there is a policy above that supersedes policy, since I get the "Policy lookup matches the implicit deny policy" message. And anyway, there is no other "Deny" policy than the implicit one.
Keeps being weird, right?... :(
Vincent
OK, I found my mistake: the loopback interface of the firewall had an incorrect mask (10.240.0.2/31), which made it overlap with the 10.240.0.3 that I was trying to reach from 10.0.8.11, and this clearly (and to some extent understandably) confused the firewall.
I corrected the mask and it now works.
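The root cause above is worth making concrete, because it is a common source of "implicit deny" surprises: the policy lookup first runs a route lookup on the destination IP to decide the destination interface, and only then walks the policy table top-to-bottom (as Dave noted) looking for a policy whose srcintf/dstintf and addresses match. A loopback with a /31 mask is a more specific connected route than the Interconnect subnet, so 10.240.0.3 resolved to the loopback as egress, and policy 56 (NOCSWITCH to Interconnect) could never match. The following is an added example, a toy model written for this thread and not FortiOS code: policy 56 and the NOCSWITCH address come from the posts, while the Interconnect subnet (10.240.0.1/29), the corrected loopback mask (/32) and the interface name "loopback" are assumptions.

```python
"""Toy model of a FortiGate-style policy lookup (constructed example, not FortiOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The built-in "all" address object, i.e. 0.0.0.0/0.
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: ipaddress.IPv4Network
    dstaddr: ipaddress.IPv4Network
    action: str  # "accept" or "deny"


def connected_routes(interfaces: Dict[str, str]) -> List[Route]:
    """One connected route per interface, derived from its configured address/mask."""
    return [Route(ipaddress.ip_interface(cidr).network, name)
            for name, cidr in interfaces.items()]


def route_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: returns the egress interface name, or None if no route."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.interface if best else None


def policy_lookup(policies: List[Policy], routes: List[Route],
                  srcintf: str, src: str, dst: str) -> Tuple[int, str, Optional[str]]:
    """Resolve dstintf via the routing table, then take the first matching policy
    top-to-bottom. Policy id 0 stands for the implicit deny."""
    dstintf = route_lookup(routes, dst)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and src_ip in p.srcaddr and dst_ip in p.dstaddr):
            return p.policy_id, p.action, dstintf
    return 0, "deny", dstintf


# Policy 56 from the thread: NOCSWITCH -> Interconnect, all -> all, accept.
POLICIES = [Policy(56, "NOCSWITCH", "Interconnect", ANY, ANY, "accept")]


def scenario(loopback_cidr: str) -> Tuple[int, str, Optional[str]]:
    """Lookup for 10.0.8.11 -> 10.240.0.3 with the given loopback address/mask.
    NOCSWITCH's address is from the thread; the Interconnect subnet is assumed."""
    interfaces = {
        "NOCSWITCH": "10.0.8.1/24",
        "Interconnect": "10.240.0.1/29",  # assumption: any subnet containing 10.240.0.3
        "loopback": loopback_cidr,
    }
    return policy_lookup(POLICIES, connected_routes(interfaces),
                         "NOCSWITCH", "10.0.8.11", "10.240.0.3")


if __name__ == "__main__":
    # /31 on the loopback covers 10.240.0.2-10.240.0.3 and wins the route lookup,
    # so dstintf becomes "loopback" and policy 56 is never a candidate.
    print("loopback /31:", scenario("10.240.0.2/31"))
    # With a host mask the route lookup falls back to the Interconnect subnet.
    print("loopback /32:", scenario("10.240.0.2/32"))
```

The model deliberately mirrors the order FortiOS reports in the lookup message: the destination interface is "determined by a route lookup", so a policy can be textually correct and still never match when an overlapping or overly broad interface address steals the route. Checking `get router info routing-table details <dst>` (or the equivalent route lookup in the GUI) before touching the policy table is the quickest way to tell the two failure modes apart.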
