Hello,
I have only one subnet that doesn't match any IPv4 policy. When I check the router lookup I find the route to this subnet, but when I use the policy lookup for this subnet it matches policy id=0, even though I have a policy from my VLAN to WAN with source set to any, destination set to any, and all services accepted.
C'mon, it's not a bug in the FortiGate; it's not a FortiOS or hardware issue.
If you're hitting policy 0 and you think you have a policy that should have matched and it did NOT, then your policy creation is flawed or incorrect: a typo, wrong interface(s), wrong address, wrong service ... pick one, but your policy is NOT being matched and a reason exists as to why.
The diag debug flow output kind of tells you where your next step(s) are. Your screenshot attachment clearly tells you that you have no match as well.
You need to do some more work and correct the reason why the policy that you "wrote" is not working. It's really that simple.
Ken Felix
PCNSE
NSE
StrongSwan
Re-check and double-check the network address and netmask on the interfaces involved. Even with a matching route (again: check address and mask) and a plain open policy, a connection might fail.
You can debug that by using "diag debug flow", but my experience is that if you already know it's hitting policy 0 it will not give you any additional info.
Ede nailed it, but your answer is in your screenshot. It sounds like the wrong interface pairs are being used, so they are not matched.
Here's a trick I've been doing now for 14+ years. If you believe the src-dst-address and service is correct, change the policy src/dst-interfaces to "all" and test. If the traffic matches that changed policy, you know the interfaces are wrong.
e.g.:

```
config firewall policy
    edit 2
        set name "school out"
        set uuid ba78edf0-79ec-51ea-75d7-3e1d831dc294
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "FTP" "HTTP" "HTTPS" "IMAPS" "NTP" "PING" "POP3S" "SMTP" "SMTPS" "FTP_GET" "FTP_PUT" "SSH" "SYSLOG" "TRACEROUTE" "VNC"
        set nat enable
    next
end
```
now I made it simpler by eliminating the interface from the policy
```
config firewall policy
    edit 2
        set srcintf "any"
        set dstintf "any"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "FTP" "HTTP" "HTTPS" "IMAPS" "NTP" "PING" "POP3S" "SMTP" "SMTPS" "FTP_GET" "FTP_PUT" "SSH" "SYSLOG" "TRACEROUTE" "VNC"
        set nat enable
    next
end
```
Ken Felix
PCNSE
NSE
StrongSwan
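To make the logic of the trick above concrete, here is an added toy model of top-down firewall policy lookup (example code written for this page, not FortiOS code and not Ken's). A packet is matched field by field against a policy like "school out"; if no policy matches every field it falls through to policy id 0, the implicit deny. Swapping the interface pair for any/any and re-running the lookup shows whether the interfaces were the mismatched field or whether something else (here an address object) is still rejecting the traffic. The LAN range 192.168.10.0/24, the second interface name "lan2", the service catalogue and the sample packets are all constructed for the example.

```python
"""Toy model of top-down firewall policy lookup (constructed example).

Shows why traffic falls through to the implicit deny (policy id 0) and how
re-testing the same policy with srcintf/dstintf set to "any" isolates an
interface mismatch from an address or service mismatch. Not FortiOS code
and not a substitute for 'diag debug flow'.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

ANY = "any"
IMPLICIT_DENY = 0

# Constructed service catalogue: name -> (protocol, destination port or None).
SERVICES = {
    "DNS": ("udp", 53),
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "SSH": ("tcp", 22),
    "PING": ("icmp", None),
}

# Constructed address objects standing in for the "LAN" and "all" objects.
ADDRESSES = {
    "LAN": [ip_network("192.168.10.0/24")],
    "all": [ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Packet:
    srcintf: str            # ingress interface
    dstintf: str            # egress interface chosen by the route lookup
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass
class Policy:
    policy_id: int
    srcintf: Set[str]
    dstintf: Set[str]
    srcaddr: str            # name of an address object
    dstaddr: str
    service: Set[str]       # service names, or {"ALL"}


def _intf_ok(allowed: Set[str], intf: str) -> bool:
    return ANY in allowed or intf in allowed


def _addr_ok(obj_name: str, ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ADDRESSES[obj_name])


def _svc_ok(services: Set[str], pkt: Packet) -> bool:
    if "ALL" in services:
        return True
    for name in services:
        proto, port = SERVICES[name]
        if proto == pkt.proto and (port is None or port == pkt.dport):
            return True
    return False


def mismatches(policy: Policy, pkt: Packet) -> List[str]:
    """Return the policy fields that reject this packet (empty list == match)."""
    reasons = []
    if not _intf_ok(policy.srcintf, pkt.srcintf):
        reasons.append("srcintf")
    if not _intf_ok(policy.dstintf, pkt.dstintf):
        reasons.append("dstintf")
    if not _addr_ok(policy.srcaddr, pkt.src):
        reasons.append("srcaddr")
    if not _addr_ok(policy.dstaddr, pkt.dst):
        reasons.append("dstaddr")
    if not _svc_ok(policy.service, pkt):
        reasons.append("service")
    return reasons


def lookup(policies: List[Policy], pkt: Packet) -> int:
    """First policy (top-down) whose every field matches; 0 if none does."""
    for pol in policies:
        if not mismatches(pol, pkt):
            return pol.policy_id
    return IMPLICIT_DENY


def with_any_interfaces(policy: Policy) -> Policy:
    """The test step from the post: same policy, interface pair set to any/any."""
    return Policy(policy.policy_id, {ANY}, {ANY},
                  policy.srcaddr, policy.dstaddr, set(policy.service))


# Policy 2 from the post, reduced to the constructed service catalogue.
SCHOOL_OUT = Policy(2, {"lan"}, {"wan1"}, "LAN", "all",
                    {"DNS", "HTTP", "HTTPS", "SSH", "PING"})

# Constructed packet: host is inside "LAN" but enters on "lan2", not "lan".
HTTPS_FROM_LAN2 = Packet("lan2", "wan1", "192.168.10.25", "203.0.113.10", "tcp", 443)
# Constructed packet: right interface pair, but the source is outside "LAN".
HTTPS_FROM_OTHER_SUBNET = Packet("lan", "wan1", "10.20.0.5", "203.0.113.10", "tcp", 443)

if __name__ == "__main__":
    for pkt in (HTTPS_FROM_LAN2, HTTPS_FROM_OTHER_SUBNET):
        print(f"{pkt.srcintf} {pkt.src}: policy {lookup([SCHOOL_OUT], pkt)}, "
              f"failing fields {mismatches(SCHOOL_OUT, pkt)}, "
              f"with any/any -> policy {lookup([with_any_interfaces(SCHOOL_OUT)], pkt)}")
```

Run stand-alone, the first packet hits policy 0 only because of `srcintf` and is accepted by policy 2 once the interfaces are any/any, which is exactly the signal the trick is looking for; the second packet still hits policy 0 after the change, which points at the address object rather than the interfaces.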
Thank you all, but I tried using any interface in the destination and all services, and it doesn't work. I already ran the diag debug flow, but without finding a solution. I think I need to restart the policy but I don't know how!!
I think this is a bug inside FortiGate.
I've got some policies that are hitting 0 or are hitting a policy lower in the ACL. I don't get this, so I'm searching for possible reasons why ANY ANY is not matching. I've seen this before; simply moving the policy down the ACL will fix it, but why? This, I believe, could be a bug of sorts, OR I'm not understanding how interface "any" interacts with security policies.
I should add that some traffic matches policy id 132 but not everything... not by a long shot
EDIT: PS: Just accidentally hijacked this post. Apologies. Will re-post elsewhere as new thread
Copyright 2024 Fortinet, Inc. All Rights Reserved.