Support Forum
luca1994
New Contributor III

Wrong Policy match

Hello team,

I have a problem with matching a policy.

The policy in question is:

[image: policy.png]

The policy logs (one is an example of a correct match and the other of a wrong match):

[image: log.png]

I can't figure out why they don't both match the same policy.

Thanks for the support

1 Solution
bpozdena_FTNT

Hi @luca1994,

You should exempt DNS traffic from the captive portal. Requiring authentication for DNS traffic will cause the clients to be unable to resolve domain names, which is needed in order to trigger the captive portal login page.

HTH,
Boris

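A concrete form of this exemption, added here as an example and not taken from the thread or from Boris's post: a FortiOS CLI firewall policy that allows only DNS from the guest segment to the configured resolvers and is exempted from the captive portal, ordered above the authenticated guest policy. The interface names, address objects, policy IDs and the group name "guest-group" are assumptions; `captive-portal-exempt` is the per-policy FortiOS option that bypasses the portal for traffic matching that policy.

```fortios
# Added example, not from the thread. Names, IDs and address objects are assumptions:
#   guest-wifi    = guest-facing interface
#   wan1          = upstream interface
#   guest-subnet  = address object for the guest network
#   dns-servers   = address group holding the resolvers handed out by DHCP
#   10            = the existing captive-portal policy for "guest-group"
config firewall policy
    edit 20
        set name "guest-dns-exempt"
        set srcintf "guest-wifi"
        set dstintf "wan1"
        set srcaddr "guest-subnet"
        set dstaddr "dns-servers"
        set action accept
        set schedule "always"
        set service "DNS"
        # No user/group on this policy: unauthenticated clients must resolve
        # names before the portal page can ever be presented to them.
        set captive-portal-exempt enable
        set nat enable
        set logtraffic all
    next
    # Policies are evaluated top-down; the exemption must sit above the
    # authenticated guest policy or DNS will still hit the portal policy.
    move 20 before 10
end
```

Scoping the exemption to the DNS service and the known resolvers, rather than to all traffic from the guest segment, limits what an unauthenticated client can reach before logging in. After the change, the traffic log for UDP/53 from a guest client should show the new policy ID and no user or group, while the rest of the guest traffic continues to match the authenticated policy; `diagnose firewall iprope lookup` can be used on the CLI to confirm which policy a given 5-tuple and source interface will select.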
dbu
Staff

Hi @luca1994,
I see two differences in the provided logs:

- Allowed traffic is doing SNAT

- Blocked traffic shows "Denied by Thread"

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
luca1994
New Contributor III

Hi @dbu,

Yes, but why, in your opinion?

I would have expected it to pass correctly and not "Denied by Thread".

Thanks for the support

BR

funkylicious
SuperUser

Hi,

The only explanation I can see here is that the user in question on the right side isn't part of the group defined in the policy.

Whereas on the left side, no user was identified in the traffic so it was allowed.

---------------------------
geek
---------------------------
luca1994

Hi @funkylicious , thanks for the response.

The user in question on the right side is a guest user; in fact it is correctly present in the "guest management" section. Then there is one guest group configured as follows:

[image: guest group.png]

And this group is in the policy. Any other suggestion for me?

Thanks for the support

BR
