Support Forum
Elena_Madrigal
New Contributor

DENIED by forward policy check (policy 0)

Hello Team

I have two sub-interfaces, one connected to a Wifi network 10.15.242.X and the other to a wired network 10.38.X.X. I have made a specific rule to permit the traffic to do a ping between the networks.

And it does not match any rule, and the traffic is denied by the implicit rule all the time ...

I have made a sniffer capture and a trace in the Forti (see images attached), and I see in the tcpdump how the traffic reaches the default gateway in the FortiGate, 10.15.242.1, but not the PC connected at IP 10.15.242.2; it is always denied by policy 0.

I have a FortiGate 1500D with firmware version 5.4.4.

Any suggestion? I am going crazy ..

 

ede_pfau
Esteemed Contributor III

Can you please supply the config of the interfaces involved (conf sys int)?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

What we really need is the fwpolicy. Your screenshot conflicts with the interface names:

MSSI-INT2 vs INT_USER

Did you happen to typo the wrong interface_name? Also on the diag sniffer packet, a suggestion:

1: specify the interface name

2: use the 4 value to double check ALL interfaces

e.g.

diag sniffer packet MSSI-INT2 "host 10.15.242.2 and icmp" 4

That would be better than "ANY", and you can look at the traffic from srcintf or dstintf.

So double-check the firewall policy and then routing.

Just a tip ;)

PCNSE

NSE

StrongSwan
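To illustrate why a mistyped interface name ends in "policy 0", here is an added example that is not part of the thread and not FortiOS code: a small Python simulation of the first-match forward policy lookup. The policy table is constructed from the interface names mentioned in the posts (FWI-WIFI, MSSI-INT2, INT_USER); the policy IDs, address ranges and the hypothetical `lookup_policy` / `explain` helpers are assumptions, and the match is simplified to interface pair, source and destination address and service (real policies also carry schedule, user and other fields).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """Simplified firewall policy (hypothetical model, not the FortiOS schema)."""
    policyid: int
    srcintf: str     # interface name or "any"
    dstintf: str     # interface name or "any"
    srcaddr: str     # CIDR or "all"
    dstaddr: str     # CIDR or "all"
    service: str     # "ALL" or a service name such as "PING"
    action: str      # "accept" or "deny"


def _intf_matches(rule_intf: str, intf: str) -> bool:
    # Interface names are exact-match: MSSI-INT2 and INT_USER are different interfaces.
    return rule_intf == "any" or rule_intf == intf


def _addr_matches(rule_addr: str, addr: str) -> bool:
    if rule_addr == "all":
        return True
    return ip_address(addr) in ip_network(rule_addr, strict=False)


def _service_matches(rule_svc: str, svc: str) -> bool:
    return rule_svc == "ALL" or rule_svc == svc


def lookup_policy(policies, srcintf, dstintf, src, dst, service):
    """First-match lookup in policy order; 0 means no policy matched (implicit deny)."""
    for p in policies:
        if (_intf_matches(p.srcintf, srcintf) and _intf_matches(p.dstintf, dstintf)
                and _addr_matches(p.srcaddr, src) and _addr_matches(p.dstaddr, dst)
                and _service_matches(p.service, service)):
            return p.policyid
    return 0


def explain(policies, srcintf, dstintf, src, dst, service="PING"):
    """Return a one-line verdict in the style of the thread's log message."""
    pid = lookup_policy(policies, srcintf, dstintf, src, dst, service)
    if pid == 0:
        return (f"DENIED by forward policy check (policy 0): no policy for "
                f"{srcintf}->{dstintf} {src}->{dst} {service}")
    return f"allowed by policy {pid}: {srcintf}->{dstintf} {src}->{dst} {service}"


# Constructed policy table modelled on the two "permit all" rules described in the thread.
# Policy ids and address ranges are assumptions, not taken from the poster's config.
POLICIES = [
    Policy(1, "FWI-WIFI", "MSSI-INT2", "10.15.242.0/24", "10.38.0.0/16", "ALL", "accept"),
    Policy(2, "MSSI-INT2", "FWI-WIFI", "10.38.0.0/16", "10.15.242.0/24", "ALL", "accept"),
]


if __name__ == "__main__":
    # Correct interface pair: policy 2 matches the wired -> wifi ping.
    print(explain(POLICIES, "MSSI-INT2", "FWI-WIFI", "10.38.23.5", "10.15.242.2"))
    # Same packet, but the ingress interface is really called INT_USER: nothing matches.
    print(explain(POLICIES, "INT_USER", "FWI-WIFI", "10.38.23.5", "10.15.242.2"))
    # Return direction: policy 1 matches.
    print(explain(POLICIES, "FWI-WIFI", "MSSI-INT2", "10.15.242.2", "10.38.23.5"))
```

The second call shows the failure mode from the thread: the addresses and service are right, but the ingress interface name differs from the one in the policy, so no policy matches and the packet falls through to the implicit deny. The destination interface used in the lookup comes from the route lookup for the destination address, which is why the advice above is to check the policy first and then routing: a wrong route changes dstintf, and a wrong dstintf means no policy match.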
Elena_Madrigal

I think the problem is the routing between VDOMs: the network 10.15.242.X is in the VDOM-Wifi and 10.38.23.X is a network in the VDOM-Root.

When I execute a ping from the VDOM Wifi to the gateway 10.15.242.1 I can reach it successfully, because it is directly connected, but when I execute a ping to 10.15.242.2 is when the ping fails.

However, in both cases I can see the traffic in the diagnose sniffer packet ...

neonbit

Do you have a policy from FWI-WIFI to MSSSI-INT2?

Elena_Madrigal

Yes of course, I have two rules permitting all traffic.

One FWI-WIFI ----> MSSSI-INT and the second one from MSSSi-INT to FWI-WIFI.

This I have checked; the only way to reach the destination is enabling NAT. But I don't want to enable it.

MikePruett

Yeah, a sanitized copy of your config would do wonders in us helping with the troubleshooting.

Mike Pruett Fortinet GURU | Fortinet Training Videos