FortiGate
simonz_FTNT
Staff
Article Id 197609

Description
This article describes a case where traffic is dropped and the 'diagnose debug flow' output (with 'diagnose debug flow show iprope enable' set) shows the message 'policy-<n> is not active'. The message appears in the trace as follows:

id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet (proto=6, 10.56.240.95:64166->10.56.240.74:25) from port1. flag [S], seq 3216323471, ack 0, win 8192"

id=20085 trace_id=25 func=init_ip_session_common line=5544 msg="allocate a new session=00000493"
id=20085 trace_id=25 func=iprope_dnat_check line=4942 msg="in-[port1], out-[]"
id=20085 trace_id=25 func=iprope_dnat_tree_check line=816 msg="len=1"
id=20085 trace_id=25 func=_iprope_check_one_dnat_policy line=4816 msg="checking gnum-100000 policy-1"
id=20085 trace_id=25 func=get_new_addr line=1140 msg="find DNAT: IP-10.181.0.65, port-25"
id=20085 trace_id=25 func=_iprope_check_one_dnat_policy line=4898 msg="matched policy-1, act=accept, vip, flag=100, sflag=2000000"
id=20085 trace_id=25 func=iprope_dnat_check line=4955 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=25 func=fw_pre_route_handler line=102 msg="VIP-10.181.0.65:25, outdev-port1"
id=20085 trace_id=25 func=_ip_session_run_tuple line=3291 msg="DNAT 10.56.240.74:25-10.181.0.65:25"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.181.0.65 via port2"
id=20085 trace_id=25 func=iprope_fwd_check line=726 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-1,app_id: 0, url_cat_id: 0"
id=20085 trace_id=25 func=_iprope_tree_check line=548 msg="gnum-100004, use addr/intf_hash, len=2"
id=20085 trace_id=25 func=_iprope_check_one_policy line=2214 msg="gnum-100004 policy-1 is not active"
id=20085 trace_id=25 func=_iprope_check_one_policy line=1806 msg="ret-matched"
id=20085 trace_id=25 func=_iprope_user_identity_check line=1806 msg="ret-matched"
id=20085 trace_id=25 func=_iprope_check_one_policy line=2209 msg="policy-0 is matched, act-drop"
id=20085 trace_id=25 func=iprope_fwd_auth_check line=781 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=25 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
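
As an added example (not part of the original article and not Fortinet code), the following Python script parses 'diagnose debug flow' output like the trace above, groups lines by trace_id, and flags flows that reached the implicit deny (policy 0) after a policy was skipped as 'not active', which is the symptom this article diagnoses. The embedded sample trace is constructed from the trace_id=25 lines above plus an invented accepted flow (trace_id=26) for contrast; the regular expressions assume the message formats shown on this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the trace quoted in the article
# (trace_id=25) plus an invented accepted flow (trace_id=26) for contrast.
SAMPLE_TRACE = """\
id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet (proto=6, 10.56.240.95:64166->10.56.240.74:25) from port1. flag [S], seq 3216323471, ack 0, win 8192"
id=20085 trace_id=25 func=iprope_fwd_check line=726 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-1,app_id: 0, url_cat_id: 0"
id=20085 trace_id=25 func=_iprope_check_one_policy line=2214 msg="gnum-100004 policy-1 is not active"
id=20085 trace_id=25 func=_iprope_check_one_policy line=2209 msg="policy-0 is matched, act-drop"
id=20085 trace_id=25 func=fw_forward_handler line=599 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=26 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet (proto=6, 10.56.240.95:64170->10.56.240.80:443) from port1. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=26 func=_iprope_check_one_policy line=2209 msg="policy-2 is matched, act-accept"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) .*?msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r"received a packet \(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<iface>\w+)")
INACTIVE_RE = re.compile(r"gnum-(?P<gnum>\d+) policy-(?P<pid>\d+) is not active")
MATCHED_RE = re.compile(r"policy-(?P<pid>\d+) is matched, act-(?P<act>\w+)")
DENIED_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")


@dataclass
class Flow:
    trace_id: int
    packet: str = ""                                        # "proto=6 src->dst via iface"
    inactive_policies: list = field(default_factory=list)   # [(gnum, policy id), ...]
    matched: tuple = None                                   # (policy id, action) of the final match
    denied_by: int = None                                   # policy id from the "Denied by ..." line


def analyze_trace(text: str) -> dict:
    """Group debug-flow lines by trace_id and extract each flow's policy-lookup outcome."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flow = flows.setdefault(int(m["tid"]), Flow(int(m["tid"])))
        msg = m["msg"]
        if (p := PKT_RE.search(msg)):
            flow.packet = f"proto={p['proto']} {p['src']}->{p['dst']} via {p['iface']}"
        elif (p := INACTIVE_RE.search(msg)):
            flow.inactive_policies.append((int(p["gnum"]), int(p["pid"])))
        elif (p := MATCHED_RE.search(msg)):
            flow.matched = (int(p["pid"]), p["act"])
        elif (p := DENIED_RE.search(msg)):
            flow.denied_by = int(p["pid"])
    return flows


def findings(flows: dict) -> list:
    """One advisory per flow that hit the implicit deny after a policy was skipped as inactive."""
    out = []
    for flow in flows.values():
        if flow.denied_by == 0 and flow.inactive_policies:
            ids = ", ".join(str(pid) for _, pid in flow.inactive_policies)
            out.append(
                f"trace {flow.trace_id}: {flow.packet} denied by implicit policy 0; "
                f"policy {ids} was skipped as 'not active' - check its schedule"
            )
    return out


if __name__ == "__main__":
    for advisory in findings(analyze_trace(SAMPLE_TRACE)):
        print(advisory)
```

Feed it the saved output of a debug flow session; only flows whose trace ends in the implicit deny after an inactive policy are reported, so a trace with many accepted flows yields a short list of policy IDs whose schedule (the cause identified in this article) needs checking.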


Solution

In the GUI, the firewall policy itself shows as enabled, so its own status does not explain the 'not active' message:

[Screenshot: JeanPhilippe_P_0-1704883636160.png]

The iprope message appears because the schedule attached to the policy does not cover the current day, so the policy is treated as inactive for this packet. The packet then falls through to the implicit deny, which is what the 'policy-0 is matched, act-drop' and 'Denied by forward policy check (policy 0)' lines in the trace show.

Check the schedule referenced by the policy (the default 'always' object in this case) to confirm it has not been modified, and restore the correct setting if it has. A schedule is evaluated against the FortiGate's system clock, so also confirm that the system date, time and timezone are correct.

 


From the CLI, set the firewall policy's schedule back to 'always' (or to whichever schedule is intended):

config firewall policy
    edit 1
        set schedule always
    next
end


Tip: The days of the built-in 'always' object can themselves be modified, so also verify that all seven days are still present in it. The following restores the default:


config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
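
Added example, not from the article or from Fortinet: a Python audit of 'config firewall schedule recurring' output that parses each recurring schedule, reports which days are missing from the 'always' object, and evaluates whether a named schedule covers a given local timestamp, so the "schedule does not match the day" condition can be checked offline from a saved configuration. The two config snippets are constructed (one with a modified 'always' object, one corrected); the start/end handling assumes the FortiOS convention that start and end both 00:00 means all day, and the handling of windows that cross midnight is a simplification.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, time

# Weekday names as FortiOS spells them, indexed like datetime.weekday() (Monday = 0).
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

# Constructed sample: an 'always' object that was edited to drop the weekend
# (the failure mode the article describes) and the corrected object.
ALTERED_CONFIG = """\
config firewall schedule recurring
    edit "always"
        set day monday tuesday wednesday thursday friday
    next
end
"""

CORRECT_CONFIG = """\
config firewall schedule recurring
    edit "always"
        set day sunday monday tuesday wednesday thursday friday saturday
    next
end
"""


@dataclass
class RecurringSchedule:
    name: str
    days: set = field(default_factory=set)
    # Assumption: FortiOS defaults are start 00:00 / end 00:00, which means all day.
    start: time = time(0, 0)
    end: time = time(0, 0)

    def is_active(self, when: datetime) -> bool:
        """True if the schedule covers the given local timestamp."""
        if DAYS[when.weekday()] not in self.days:
            return False
        if self.start == self.end:
            return True                      # all-day schedule
        now = when.time()
        if self.start < self.end:
            return self.start <= now < self.end
        # Simplification for windows crossing midnight: the day check above is
        # applied to the current day, not to the day the window started on.
        return now >= self.start or now < self.end


def parse_recurring(config_text: str) -> dict:
    """Parse 'config firewall schedule recurring' blocks into RecurringSchedule objects."""
    schedules, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall schedule recurring":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif (m := re.match(r'edit "([^"]+)"', line)):
            current = RecurringSchedule(name=m.group(1))
            schedules[current.name] = current
        elif line == "next":
            current = None
        elif current is not None:
            if (m := re.match(r"set day (.+)", line)):
                current.days = set(m.group(1).split()) - {"none"}
            elif (m := re.match(r"set (start|end) (\d{1,2}):(\d{2})", line)):
                setattr(current, m.group(1), time(int(m.group(2)), int(m.group(3))))
    return schedules


def audit_always(schedules: dict) -> list:
    """Days missing from the 'always' object; an empty list means it is unmodified."""
    sched = schedules.get("always")
    if sched is None:
        return list(DAYS)
    return [d for d in DAYS if d not in sched.days]


def is_schedule_active_at(config_text: str, name: str, iso_timestamp: str) -> bool:
    """Evaluate one named schedule from a config text at an ISO-8601 local timestamp."""
    sched = parse_recurring(config_text).get(name)
    return sched is not None and sched.is_active(datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    for label, cfg in (("altered", ALTERED_CONFIG), ("corrected", CORRECT_CONFIG)):
        missing = audit_always(parse_recurring(cfg))
        print(f"{label}: 'always' missing days -> {missing or 'none'}")
        # 2024-01-13 is a Saturday
        active = is_schedule_active_at(cfg, "always", "2024-01-13T10:00")
        print(f"{label}: 'always' active on Saturday 10:00? {active}")
```

Run it against the output of 'show firewall schedule recurring' saved from the unit; a non-empty result from audit_always() is the modified 'always' object this article's tip warns about, and is_schedule_active_at() lets you reproduce the exact day and time at which the debug flow reported the policy as not active.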