Created on 04-03-2019 03:01 AM Edited on 01-10-2024 02:49 AM By Jean-Philippe_P
Description
This article describes the case where traffic is dropped and a debug flow run with iprope enabled displays the message 'policy-<n> is not active'. The message is seen as follows:
id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet (proto=6, 10.56.240.95:64166->10.56.240.74:25) from port1. flag [S], seq 3216323471, ack 0, win 8192"
Solution
The firewall policy is active as follows:
The iprope message appears because the schedule does not match the day, which causes the policy to become inactive.
Check the default schedule to ensure it has not been modified, and restore the correct setting if it has been altered.
From the CLI:
Set the schedule on the firewall policy to 'always' or to the correct one.
config firewall policy
    edit 1
        set schedule always
    next
end
Tip: It is possible to modify the days under the 'always' category, so make sure that all the days are added to the 'always' object.
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
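The check described above can also be run offline against a saved configuration backup. The following is an added example, not Fortinet code: it assumes the backup uses the same config/edit/set/next/end layout as the CLI blocks above and that entry names contain no spaces; the function names and the sample text are hypothetical.

```python
ALL_DAYS = "sunday monday tuesday wednesday thursday friday saturday".split()

# Constructed sample backup (not from a real device): "always" has lost its weekend days.
SAMPLE_CONFIG = """
config firewall schedule recurring
    edit "always"
        set day monday tuesday wednesday thursday friday
    next
end
config firewall policy
    edit 1
        set schedule "always"
    next
end
"""

def parse_section(config_text, header):
    """Return {entry: {setting: [values]}} for one top-level 'config <header>' block."""
    entries, current, inside, depth = {}, None, False, 0
    for line in config_text.splitlines():
        tokens = [t.strip('"') for t in line.split()]  # assumes names without spaces
        if not tokens:
            continue
        if tokens[0] == "config":
            if inside:
                depth += 1      # nested sub-table: its contents are skipped
            elif " ".join(tokens[1:]) == header:
                inside = True
        elif inside and tokens[0] == "end":
            if depth == 0:
                inside = False
            else:
                depth -= 1
        elif inside and depth == 0 and tokens[0] == "edit" and len(tokens) > 1:
            current = entries.setdefault(tokens[1], {})
        elif inside and depth == 0 and tokens[0] == "set" and len(tokens) > 2:
            current[tokens[1]] = tokens[2:]
    return entries

def audit_always(config_text):
    """Return (days missing from 'always', IDs of policies that use 'always')."""
    schedules = parse_section(config_text, "firewall schedule recurring")
    policies = parse_section(config_text, "firewall policy")
    days = schedules.get("always", {}).get("day")
    if days is None:            # schedule or its day line not in the text: no verdict
        return [], []
    missing = [d for d in ALL_DAYS if d not in days]
    users = [pid for pid, s in policies.items() if s.get("schedule") == ["always"]]
    return missing, (users if missing else [])
```

Any policy ID returned is one that would show 'policy-<n> is not active' on the missing days.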