Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
issame
New Contributor

Subnet doesn't match any policy

Hello,

I have only one subnet that doesn't match any IPv4 policy. When I do a route lookup I find the route to this subnet, but when I do a policy lookup for this subnet it matches policy id=0, even though I have a policy from my VLAN to WAN with source set to any, destination set to any and all services accepted.

ede_pfau
SuperUser

Re-check and double-check the network address and netmask on the interfaces involved. Even with a matching route (again: check address and mask) and a plain open policy, a connection might fail.

You can debug that by using "diag debug flow", but my experience is that if you already know it's hitting policy 0 it will not give you any additional info.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Ede nailed it, but your answer is in your screenshot. It sounds like the wrong interface pair is being used, so the policy is not being matched.

 

Here's a trick I've been using for 14+ years. If you believe the src/dst address and service are correct, change the policy src/dst interfaces to "any" and test. If the traffic matches that changed policy, you know the interfaces are wrong.

 

e.g.

 

 

config firewall policy
    edit 2
        set name "school out"
        set uuid ba78edf0-79ec-51ea-75d7-3e1d831dc294
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "FTP" "HTTP" "HTTPS" "IMAPS" "NTP" "PING" "POP3S" "SMTP" "SMTPS" "FTP_GET" "FTP_PUT" "SSH" "SYSLOG" "TRACEROUTE" "VNC"
        set nat enable
    next
end

 

Now I've made it simpler by taking the specific interfaces out of the policy:

 

 

config firewall policy
    edit 2
        set srcintf "any"
        set dstintf "any"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "FTP" "HTTP" "HTTPS" "IMAPS" "NTP" "PING" "POP3S" "SMTP" "SMTPS" "FTP_GET" "FTP_PUT" "SSH" "SYSLOG" "TRACEROUTE" "VNC"
        set nat enable
    next
end

 

Ken Felix

 

 

PCNSE 

NSE 

StrongSwan  

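To make the trick above concrete, here is an added example (not code from the thread or from FortiOS) that models FortiGate-style policy lookup as a top-down, first-match search over (srcintf, dstintf, srcaddr, dstaddr, service), with no match reported as policy id 0, the implicit deny. It assumes the "LAN" address object is 192.168.10.0/24, the client is 192.168.10.20 and the VLAN sub-interface is named "vlan20"; all of those are constructed for the demo. It shows the three ways a flow the poster "knows" should match ends up on policy 0: the policy names a different ingress interface than the one the packet really arrived on (which widening srcintf/dstintf to "any" exposes, as emnoc suggests), the address object has the wrong mask (Ede's point), and a broader policy higher in the list shadows the one you are looking at.

```python
"""Toy first-match policy lookup modelled on FortiGate behaviour.
Added example for this thread; not FortiOS code and not the poster's config."""
import ipaddress
from dataclasses import dataclass, replace

ANY_INTF = "any"       # FortiOS 'any' interface wildcard
ALL_ADDR = ("all",)    # FortiOS 'all' address object


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str
    dstintf: str
    srcaddr: tuple      # tuple of ip_network objects, or ALL_ADDR
    dstaddr: tuple
    service: frozenset  # set of (proto, dport) pairs, or frozenset({"ALL"})


@dataclass(frozen=True)
class Flow:
    srcintf: str        # interface the packet actually arrived on
    dstintf: str        # egress interface chosen by the route lookup
    src: str
    dst: str
    proto: str
    dport: int


def intf_match(policy_intf, flow_intf):
    return policy_intf == ANY_INTF or policy_intf == flow_intf


def addr_match(objs, ip):
    if objs == ALL_ADDR:
        return True
    a = ipaddress.ip_address(ip)
    return any(a in net for net in objs)


def service_match(service, proto, dport):
    return "ALL" in service or (proto, dport) in service


def lookup(policies, flow):
    """Return the id of the first policy that matches the flow; 0 = implicit deny."""
    for p in policies:
        if (intf_match(p.srcintf, flow.srcintf)
                and intf_match(p.dstintf, flow.dstintf)
                and addr_match(p.srcaddr, flow.src)
                and addr_match(p.dstaddr, flow.dst)
                and service_match(p.service, flow.proto, flow.dport)):
            return p.id
    return 0


def net(*cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Constructed: the "school out" policy from the post, with LAN assumed to be 192.168.10.0/24
# and the service list trimmed to a few entries.
SCHOOL_OUT = Policy(2, "lan", "wan1", net("192.168.10.0/24"), ALL_ADDR,
                    frozenset({("udp", 53), ("tcp", 80), ("tcp", 443), ("icmp", 0)}))

# Constructed flow: a LAN host opening HTTPS to an Internet address (203.0.113.10 is documentation space).
WEB = Flow("lan", "wan1", "192.168.10.20", "203.0.113.10", "tcp", 443)


def demo_interface_trick():
    """Same host, same service, but the packet enters on a VLAN sub-interface the policy
    does not name: policy 0.  Widening srcintf/dstintf to 'any' (emnoc's test) makes it match,
    which tells you the interface pair, not the addresses or services, was wrong."""
    f = replace(WEB, srcintf="vlan20")
    before = lookup([SCHOOL_OUT], f)
    widened = replace(SCHOOL_OUT, srcintf=ANY_INTF, dstintf=ANY_INTF)
    after = lookup([widened], f)
    return before, after                      # (0, 2)


def demo_wrong_mask():
    """Address object typed with /25 instead of /24: hosts above .127 fall to policy 0
    even though the route and the interface pair are right (Ede's check)."""
    narrow = replace(SCHOOL_OUT, srcaddr=net("192.168.10.0/25"))
    low = WEB
    high = replace(WEB, src="192.168.10.200")
    return lookup([narrow], low), lookup([narrow], high)   # (2, 0)


def demo_first_match():
    """Policies are evaluated top-down; a broad any/any/all policy placed above the specific one
    takes the flow, so the policy you are staring at never shows a hit."""
    broad = Policy(1, ANY_INTF, ANY_INTF, ALL_ADDR, ALL_ADDR, frozenset({"ALL"}))
    return lookup([broad, SCHOOL_OUT], WEB), lookup([SCHOOL_OUT, broad], WEB)   # (1, 2)


if __name__ == "__main__":
    print("normal flow ->", lookup([SCHOOL_OUT], WEB))
    print("vlan ingress (before, with any) ->", demo_interface_trick())
    print("/25 typo (low host, high host) ->", demo_wrong_mask())
    print("broad policy above / below ->", demo_first_match())
```

The practical order of checks is the one the model suggests: first confirm which interface the packet really enters and leaves on (the route lookup gives the egress, but the ingress is whatever VLAN or physical port the client sits behind), then the address objects' masks, then whether an earlier policy is taking the flow.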
issame
New Contributor

Thank you all, but I tried using any interface for the destination and all services, and it still doesn't work. I have already run the diag debug flow, but without finding a solution. I think I need to restart the policy, but I don't know how!!

I think this is a bug inside the FortiGate.

emnoc
Esteemed Contributor III (accepted solution)

Come on, it's not a bug in the FortiGate; it's not a FortiOS or hardware issue.

 

If you're hitting policy 0 and you think you have a policy that should have matched and it did NOT, then your policy creation is flawed or incorrect: a typo, wrong interface(s), wrong address, wrong service ... pick one, but your policy is NOT being matched and a reason exists as to why.

 

The diag debug flow output kind of tells you where your next step(s) are. Your screenshot attachment clearly tells you that you have no match as well.

 

You need to do some more work and correct the reason why the policy that you "wrote" is not working. It's really that simple.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

fcb

I've got some policies that are hitting 0 or are hitting a policy lower in the ACL. I don't get this, so I'm searching for possible reasons why ANY ANY is not matching. I've seen this before; simply moving the policy down the ACL will fix it, but why? I believe this could be a bug of sorts, OR I'm not understanding how interface "any" interacts with security policies.

 

I should add that some traffic matches policy id 132, but not everything ... not by a long shot.

EDIT: PS: Just accidentally hijacked this post. Apologies. Will re-post elsewhere as new thread
