FortiGate
sprasanta
Staff
Article Id 191061
Description
Sometimes traffic is denied by the FortiGate because it matches the implicit deny policy (policy ID 0) instead of the configured IPv4 policy that should allow it. This can happen for several reasons.
One of the most commonly observed causes is a modification of one of the default objects:

- the 'all' address object, the 'always' schedule or the 'ALL' service.


When the packet drop happens at the FortiGate, confirm it by taking debug flow logs with the specific test source and destination host IPs in the filter, along with the TCP/UDP port number.

Enable debug flow logging and generate some test traffic to capture the logs.
While verifying the logs it will show that the packet is dropped by hitting the implicit policy ID 0.
However, a matching IPv4 policy is configured on the FortiGate to allow the traffic, and the traffic still hits the deny policy, which is strange.
Verifying the policy that is supposed to allow the traffic sometimes shows that 'Service' is set to 'ALL', but the 'ALL' service itself has been modified by the firewall admin to a specific port or port range.
Because the 'ALL' service no longer covers all ports, traffic on any port other than the ones configured in 'ALL' is blocked by the implicit deny policy ID 0.

The same behavior is observed when the other default objects, the 'always' schedule and the 'all' address object, have been modified by the FortiGate admin.


The snapshots below show how the default objects look:

Default Service: ALL

Default Schedule: always

Default Address Object: all

Solution

Default Schedule: always.

Default Address Object: all.

Manually verify the objects:

- Open 'ALL' (and the other default objects) by selecting 'Edit', or verify them in the configuration, and change them back to the default or adjust them based on the requirement.
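The debug flow capture and the check of the default objects described above, as an added FortiOS CLI example that is not part of the original article; the host addresses and port are placeholders, and the restore section assumes the objects were changed away from their factory values:

```fortios
# Added example, not from the article. Placeholders: test source 10.0.1.20,
# destination 192.0.2.50, TCP port 8443. Run from the FortiGate CLI.

# 1. Debug flow filtered to the test traffic, then generate the traffic.
diagnose debug reset
diagnose debug flow filter saddr 10.0.1.20
diagnose debug flow filter daddr 192.0.2.50
diagnose debug flow filter proto 6
diagnose debug flow filter dport 8443
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow trace start 20
diagnose debug enable
# ... send the test traffic from 10.0.1.20 to 192.0.2.50:8443 now ...
diagnose debug disable
diagnose debug reset
# A hit on the implicit deny appears in the trace as a line similar to:
#   iprope_in_check() check failed on policy 0, drop

# 2. Inspect the three default objects. An untouched 'ALL' service shows
#    'set protocol IP' and no tcp-portrange/udp-portrange lines.
show firewall service custom ALL
show firewall schedule recurring always
show firewall address all

# 3. Restore the defaults if they were modified. Unset the port ranges
#    before switching the protocol back to IP (all protocols, all ports).
config firewall service custom
    edit ALL
        unset tcp-portrange
        unset udp-portrange
        set protocol IP
    next
end
config firewall schedule recurring
    edit always
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 00:00
        set end 00:00
    next
end
config firewall address
    edit all
        set type ipmask
        set subnet 0.0.0.0 0.0.0.0
    next
end
```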
