Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
avalle_FTNT
Staff
Staff

Created on ‎01-02-2017 04:33 PM

Article Id 198415

Troubleshooting Tip: Traffic dropped when firewall policy is permitting traffic

Description
When a firewall policy is configured to permit specific traffic, it may be seen that sometimes communication cannot be completed.

When troubleshooting connection problems, the following type of debug flow commands can appear, matching firewall policy configured but dropping traffic.

Example:

Policy 12, Action “Accept”
id=20085 trace_id=20 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.168.1.10:53131->201.146.13.2:22) from internal. flag [S], seq 2985426820, ack 0, win 8192"
id=20085 trace_id=20 func=init_ip_session_common line=4631 msg="allocate a new session-00bc3835"
id=20085 trace_id=20 func=iprope_dnat_check line=4633 msg="in-[internal], out-[]"
id=20085 trace_id=20 func=iprope_dnat_tree_check line=835 msg="len=0"
id=20085 trace_id=20 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=20 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-170.166.13.1 via wan1"
id=20085 trace_id=20 func=iprope_fwd_check line=630 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
id=20085 trace_id=20 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=34"
id=20085 trace_id=20 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-18, ret-no-match, act-accept"
id=20085 trace_id=20 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-13, ret-no-match, act-accept"
id=20085 trace_id=20 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-12, ret-matched, act-accept"
id=20085 trace_id=20 func=__iprope_user_identity_check line=1668 msg="ret-matched"
id=20085 trace_id=20 func=__iprope_check_one_policy line=2014 msg="policy-12 is matched, act-drop"
id=20085 trace_id=20 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-12"
id=20085 trace_id=20 func=fw_forward_handler line=561 msg="Denied by forward policy check (policy 12)"

Solution
Check if the firewall policy is configured to use ippool (one-to-one), IP used is not being configured in other ippool or same ippool used in other policies.

Related Articles

Troubleshooting Tip : debug flow messages "iprope_in_check() check failed, drop" - "Denied by forwar...

Labels:
18210
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.