"Denied by forward policy check"
Has anybody run into this before? I've actually got a policy in place and it shows an increase in "count", but I can't get traffic to pass. I've looked at the KB article related to it and still can't figure out why traffic is denied. The logs show policy 0, which is the implicit deny rule.
id=36871 trace_id=1204 func=resolve_ip_tuple_fast line=3769 msg="vd-root received a packet(proto=6, 172.16.50.231:53040->74.125.224.85:443) from ssl.root."
id=36871 trace_id=1204 func=resolve_ip_tuple line=3909 msg="allocate a new session-000b12e0"
id=36871 trace_id=1204 func=vf_ip4_route_input line=1591 msg="find a route: gw-74.125.224.85 via ssl.root"
id=36871 trace_id=1204 func=fw_forward_handler line=430 msg="Denied by forward policy check"
-TJ
Check below:
http://support.fortinet.com/forum/tm.asp?m=91501&p=1&tmode=1&smode=1
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Already did that and still no go. Like I said, I have a policy, so the article doesn't help. I even deleted it and re-created it and that didn't help.
Looks like I'll create a ticket with Fortinet.
-TJ
You're being dropped for one of two reasons:
fwpolicy
or
lack of a static route for ssl.
Try to add a static entry for the SSL_VPN pool members:
config router static
    edit 5
        set device "ssl.root"
        set distance 100
        set dst x.x.x.x 255.255.255.255
    next
end
And re-test
PCNSE
NSE
StrongSwan
Thanks emnoc! It was the route. I had the route 0.0.0.0/0.0.0.0 to the ssl.root, and once I created a route for the IPs I'm using for the tunnel, everything started working.
-TJ
Cool.... been burnt myself numerous times by that :)
PCNSE
NSE
StrongSwan
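The trace TJ posted already contains the clue the thread arrived at: the packet was received from ssl.root and the route lookup sent it back out via ssl.root, so no forward policy could match and the implicit deny (policy 0) fired. This added script (not from the thread or from Fortinet) parses debug-flow lines of that format, groups them by trace_id, and flags a denied flow whose ingress and egress interface are the same as a likely routing problem rather than a policy problem; the sample trace is constructed from the lines above, and the ingress == egress heuristic is my assumption, not a FortiOS rule.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the trace posted in the thread (not a live capture).
SAMPLE_TRACE = """\
id=36871 trace_id=1204 func=resolve_ip_tuple_fast line=3769 msg="vd-root received a packet(proto=6, 172.16.50.231:53040->74.125.224.85:443) from ssl.root."
id=36871 trace_id=1204 func=resolve_ip_tuple line=3909 msg="allocate a new session-000b12e0"
id=36871 trace_id=1204 func=vf_ip4_route_input line=1591 msg="find a route: gw-74.125.224.85 via ssl.root"
id=36871 trace_id=1204 func=fw_forward_handler line=430 msg="Denied by forward policy check"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"')
RECV_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: gw-(\S+) via (\S+)')


def parse_flows(text):
    """Group debug-flow lines by trace_id and extract src/dst, ingress, egress and verdict."""
    flows = defaultdict(lambda: {"src": None, "dst": None, "ingress": None,
                                 "gw": None, "egress": None, "denied": False})
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a debug-flow line
        tid, msg = m.group(1), m.group(2)
        f = flows[tid]
        if r := RECV_RE.search(msg):
            f["src"], f["dst"], f["ingress"] = r.group(2), r.group(3), r.group(4)
        elif r := ROUTE_RE.search(msg):
            f["gw"], f["egress"] = r.group(1), r.group(2)
        elif "Denied by forward policy check" in msg:
            f["denied"] = True
    return dict(flows)


def diagnose(flow):
    """Heuristic (assumption): a denied flow routed back out its own ingress interface
    is being hairpinned by a catch-all route, so check routing before the policy table."""
    if not flow["denied"]:
        return "allowed"
    if flow["ingress"] and flow["ingress"] == flow["egress"]:
        return "route-hairpin"
    return "policy-mismatch"


if __name__ == "__main__":
    for tid, flow in parse_flows(SAMPLE_TRACE).items():
        print(tid, flow["src"], "->", flow["dst"],
              f"in={flow['ingress']} out={flow['egress']}", diagnose(flow))
```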