Fortigate Denied by forward policy check (policy 0) problem

pxiannie · ‎02-04-2024

I did set my service to ALL in firewall policy, but why still show problem "Denied by forward policy check (policy 0)" ? It show DNS resolved fail when I try to access to local system using SSL VPN.

Screenshot 2024-02-05 155943.png

My Firewall Policy
edit 1
set name "LAN-to-SDWAN"
set srcintf "lan"
set dstintf "virtual-wan-link"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "Clone of certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set voip-profile "default"
set nat enable

edit 4
set name "SSL VPN > LAN Access"
set srcintf "ssl.root"
set dstintf "lan"
set action accept
set srcaddr "SSL-VPN_Address"
set dstaddr "Local_LAN"
set schedule "always"
set service "ALL"
set utm-status enable
set ssl-ssh-profile "Clone of certificate-inspection"
set av-profile "default"
set webfilter-profile "default"
set dnsfilter-profile "default"
set ips-sensor "default"
set application-list "default"
set voip-profile "default"
set groups "Employees"
next

FortiGate FortiClient

smaruvala · ‎02-05-2024

Hi,

From the debug it looks like the DNS communication is to 8.8.4.4 IP address and incoming interface is SSL VPN interface. From the 2 rules which is shared does not look like it matches both of them. Is there any rule which allows the communication from SSL VPN interface to ppp2 interface as per the debug?

Regards,

Shiva

pxiannie · ‎02-05-2024

Hi,

I got another 3 policy but I think it does not related? Is there any thing I left?

edit 2
set name "vpn_IPSEC_STU-NDC_local"
set srcintf "lan"
set dstintf "IPSEC_STU-NDC"
set action accept
set srcaddr "IPSEC_STU-NDC_local"
set dstaddr "IPSEC_STU-NDC_remote"
set schedule "always"
set service "ALL"
set nat enable
set comments "IPSEC_STU-NDC"
next
edit 3
set name "vpn_IPSEC_STU-NDC_remote"
set srcintf "IPSEC_STU-NDC"
set dstintf "lan"
set action accept
set srcaddr "IPSEC_STU-NDC_remote"
set dstaddr "IPSEC_STU-NDC_local"
set schedule "always"
set service "ALL"
set nat enable
set comments "IPSEC_STU-NDC"
next

edit 7
set status disable
set name "lan > ssl vpn"
set srcintf "lan"
set dstintf "ssl.root"
set action accept
set srcaddr "all"
set dstaddr "SSL-VPN_Address"
set schedule "always"
set service "ALL"
next

pxiannie · ‎02-05-2024

I create a policy to comminute from ssl vpn to my virtual wan link which is ppp2. And now it didnt show the Denied by forward policy check (policy 0) problem but stil not able to ping my server ip in command prompt. TAT
Screenshot 2024-02-05 165621.png

smaruvala · ‎02-05-2024

Hi,

1. Please check what IP the DNS is resolving the FQDN to. Make sure the IP it resolve is the correct one.

2. Check if you have correct route in the firewall for the destination IP or the server IP address.

3. Check if you have the correct Security Policy to allow the communication from correct incoming interface to outgoing interface.

4. You can check the traffic log and see if traffic is going correctly or not. Make sure the logging is enabled in the policy for this. Do check the send bytes and received bytes value.

Regards,

Shiva