FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff
Article Id 197968
Description
This article describes a potential root cause for a communication problem through a FortiGate when the debug flow output shows the message 'Denied by endpoint check'.

Solution
Assume the following scenario.
[ 10.5.52.54 ] ------------  wan2 [FGT ] wan1 ------- [ internet ]

The FortiGate has firewall policies that allow traffic from wan2 to wan1.

Problem: 10.5.52.54 is not able to reach any network through the FortiGate.

Taking a debug flow shows the following:
# diag debug enable
# diag debug flow show console enable
# diag debug flow filter add 10.5.52.54
# diag debug flow trace start 1000

id=20085 trace_id=36 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.54:52467->142.0.160.17:443) from wan2. flag [S], seq 4096242706, ack 0, win 64240"
id=20085 trace_id=36 func=init_ip_session_common line=5625 msg="allocate a new session-016ee29e"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.5.31.254 via wan1"
id=20085 trace_id=36 func=fw_forward_handler line=689 msg="Denied by endpoint check"

Verification:

Check whether the source IP has been added to the banned IP list or quarantined on the FortiGate:

# dia user quarantine list
src-ip-addr       created                  expires                  cause
10.5.52.54        Fri May  1 16:29:18 2020 indefinite               Administrative

If the source IP is quarantined, remove it from the quarantine list:
# dia user quarantine delete src4 x.x.x.x                                   <----- Replace x.x.x.x with the source IP of the PC.
To verify from the GUI, go to Monitor -> Quarantine Monitor, select the source IP and delete the entry.

In version 6.4, the quarantined source address list is shown under Dashboard -> User & Devices -> Quarantine Widget.
Expand the widget to see the list of quarantined IPs.
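As an added illustration (not part of the original article or of FortiOS itself), the following Python script parses the two command outputs shown above: it groups the debug flow lines by trace_id, keeps the packet 5-tuple and the 'Denied' verdict, parses the quarantine list, and reports whether each denied source is quarantined. The sample output it parses is constructed from the lines in this article; the 'clear_cmd' it suggests is the quarantine delete command given above.

```python
import re
# Constructed sample output modelled on the article's debug flow and quarantine list.
DEBUG_FLOW = """\
id=20085 trace_id=36 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=6, 10.5.52.54:52467->142.0.160.17:443) from wan2. flag [S], seq 4096242706, ack 0, win 64240"
id=20085 trace_id=36 func=init_ip_session_common line=5625 msg="allocate a new session-016ee29e"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.5.31.254 via wan1"
id=20085 trace_id=36 func=fw_forward_handler line=689 msg="Denied by endpoint check"
"""
QUARANTINE_LIST = """\
src-ip-addr       created                  expires                  cause
10.5.52.54        Fri May  1 16:29:18 2020 indefinite               Administrative
"""

FLOW_RE = re.compile(r'trace_id=(?P<trace>\d+) func=\S+ line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'\(proto=\d+, (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<intf>[^\s.]+)')

def parse_debug_flow(text):
    """Group debug flow lines by trace_id, keeping the packet addresses, ingress interface and any 'Denied' verdict."""
    traces = {}
    for m in filter(None, map(FLOW_RE.search, text.splitlines())):
        t = traces.setdefault(m['trace'], {'src': None, 'dst': None, 'intf': None, 'verdict': None})
        pkt = PKT_RE.search(m['msg'])
        if pkt:  # the print_pkt_detail line carries the 5-tuple and ingress interface
            t.update(src=pkt['src'], dst=pkt['dst'], intf=pkt['intf'])
        if m['msg'].startswith('Denied'):
            t['verdict'] = m['msg']
    return traces

def parse_quarantine_list(text):
    """Parse 'diag user quarantine list' output; 'expires' is 'indefinite' or a 5-token ctime date."""
    entries = {}
    for parts in (line.split() for line in text.splitlines()[1:]):  # skip the header row
        if len(parts) < 8:
            continue
        expires = parts[6] if parts[6] == 'indefinite' else ' '.join(parts[6:11])
        entries[parts[0]] = {'created': ' '.join(parts[1:6]), 'expires': expires, 'cause': parts[-1]}
    return entries

def explain_denials(flow_text, quarantine_text):
    """Return one finding per trace denied by endpoint check, noting whether the source is quarantined."""
    quarantined = parse_quarantine_list(quarantine_text)
    findings = []
    for trace, t in parse_debug_flow(flow_text).items():
        if t['verdict'] != 'Denied by endpoint check':
            continue
        q = quarantined.get(t['src'])
        findings.append({'trace_id': trace, 'src': t['src'], 'dst': t['dst'], 'quarantined': q is not None,
                         'cause': q['cause'] if q else None, 'clear_cmd': f"diag user quarantine delete src4 {t['src']}" if q else None})
    return findings
```

A source that is denied but absent from the quarantine list points at another endpoint control rather than quarantine, so the finding is returned with 'clear_cmd' unset.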