Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
luca1994
New Contributor III

Created on ‎10-12-2023 08:04 AM

Wrong Policy match

Hello team,

 

I have a problem with matching a policy.

The policy in question is:

policy.png

the policy logs (one is an example of a correct match and the 'other of a wrong match)

log.png

I can't figure out why they don't both match the same policy.

Thanks for the support

Labels:
1559
0 Kudos
1 Solution
bpozdena_FTNT
Staff
Staff

Created on ‎10-13-2023 12:57 AM

Hi@luca1994 ,

You should exempt DNS traffic from the captive portal. Requiring authentication for DNS traffic will cause the clients to be unable to resolve domain names, which is needed in order to trigger the captive portal login page.  

HTH,
Boris

View solution in original post

1493
0 Kudos
5 REPLIES 5
dbu
Staff
Staff

Created on ‎10-12-2023 08:34 AM

HI @luca1994 , 
I see two differences on the provided logs : 

-Allowed traffic is doing SNAT

-Blocked traffic shows Denied by Thread

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
1543
luca1994
New Contributor III
In response to dbu

Created on ‎10-12-2023 08:44 AM

Hi @dbu ,

 

yes but why in your opinion ?

I would have expected it to pass correctly and not "Denied bt Thread"

 

Thanks for the support

BR

1538
0 Kudos
funkylicious
SuperUser
SuperUser

Created on ‎10-12-2023 09:11 AM

Hi,

The only explanation i can see here, is that the user in question on the right side, isnt part of that group defined in the policy.

Whereas on the left side, no user was identified in the traffic so it was allowed.

"jack of all trades, master of none"
"jack of all trades, master of none"
1528
0 Kudos
luca1994
New Contributor III
In response to funkylicious

Created on ‎10-13-2023 12:22 AM

Hi @funkylicious , thanks for the response.

The user in question on the right side is a guest user, infact in the section "guest management" is correctly present. Then there are a one guest group configured as follows:

 

guest group.png

 

And this group is in the policy. Any other suggestion for me?

 

Thansk for the support

BR

1502
0 Kudos
bpozdena_FTNT
Staff
Staff

Created on ‎10-13-2023 12:57 AM

Hi@luca1994 ,

You should exempt DNS traffic from the captive portal. Requiring authentication for DNS traffic will cause the clients to be unable to resolve domain names, which is needed in order to trigger the captive portal login page.  

HTH,
Boris
1494
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.