Support Forum
vincentdekeyzer
New Contributor

Policy not matched

Hello,


I have the following policy:

config firewall policy
    edit 56
        set uuid a497a8c0-e751-51e8-a83e-2d7a00d741ce
        set srcintf "NOCSWITCH"
        set dstintf "Interconnect"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

... and yet I get the following message when trying a policy lookup:


Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "NOCSWITCH" to destination interface "Interconnect" as determined by a route lookup to "10.240.0.3"


This does not make sense - or am I missing something obvious?...


Regards,


Vincent

Dave_Hall
Honored Contributor

What subnet/mask do you have for "NOCSWITCH"?  In the firewall address section, "all" should have no actual value set for it (e.g. defaulting to wildcard 0.0).


Edit: Check to see there are no other firewall rules that supersede this rule.  Remember that firewall rules are processed from top-to-bottom.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

vincentdekeyzer

Hi Dave,


thanks for your message.


"All" indeed is the default 0.0.0.0/0:

config firewall address
    edit "all"
        set uuid bcdc519a-68c7-51e4-3bb3-1ae9963b0092
    next
end

which includes 10.0.8.11, which is the host from where the dropped traffic comes:

config system interface
    edit "NOCSWITCH"
        set vdom "root"
        set ip 10.0.8.1 255.255.255.0
        set allowaccess ping https ssh snmp http
        set vlanforward enable
        set type switch
        set role lan
        set snmp-index 26
    next
end

I don't think there is a policy above that supersedes this policy, since I get the "Policy lookup matches the implicit deny policy" message. And anyway, there is no other "Deny" policy than the implicit one.


Keeps being weird, right?... :(


Vincent

vincentdekeyzer
New Contributor

OK, I found my mistake: the loopback interface of the firewall had an incorrect mask (10.240.0.2/31), which made it overlap with the 10.240.0.3 that I was trying to reach from 10.0.8.11, and this clearly (and to some extent understandably) confused the firewall.


I corrected the mask and it now works.
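The root cause described in this thread is worth seeing mechanically: the policy lookup message says the destination interface is "determined by a route lookup", so an interface route that is too wide can steal the longest-prefix match from the intended egress interface, and then no explicit policy matches the resulting source/destination interface pair. The script below is an added illustration written for this thread, not FortiGate code and not the poster's configuration. It models the route lookup and top-to-bottom policy evaluation with a constructed routing table: the loopback interface name "loopback", the Interconnect prefix 10.240.0.0/29 and the corrected loopback mask of /32 are assumptions, since the thread does not state them; the NOCSWITCH subnet, policy 56 and the 10.0.8.11 -> 10.240.0.3 flow come from the posts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed models of a routing table entry and a firewall policy.
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: ipaddress.IPv4Network   # the "all" address object is 0.0.0.0/0
    dstaddr: ipaddress.IPv4Network
    action: str


ALL = ipaddress.ip_network("0.0.0.0/0")

# Policy 56 as posted in the thread: NOCSWITCH -> Interconnect, all/all, accept.
POLICIES: List[Policy] = [
    Policy(56, "NOCSWITCH", "Interconnect", ALL, ALL, "accept"),
]


def build_routes(loopback_prefixlen: int) -> List[Route]:
    """Constructed connected routes. Only the loopback mask varies:
    /31 reproduces the fault from the thread, /32 is the assumed correction."""
    return [
        Route(ipaddress.ip_network("10.0.8.0/24"), "NOCSWITCH"),        # from the posted interface config
        Route(ipaddress.ip_network("10.240.0.0/29"), "Interconnect"),    # assumed Interconnect prefix
        Route(ipaddress.ip_network(f"10.240.0.2/{loopback_prefixlen}", strict=False),
              "loopback"),                                               # assumed loopback name
    ]


def route_lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: return the egress interface for dst, or None."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst_ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen).interface


def policy_lookup(policies: List[Policy], routes: List[Route],
                  srcintf: str, src: str, dst: str) -> Tuple[Optional[int], str, Optional[str]]:
    """Resolve dstintf by route lookup, then walk policies top to bottom.
    Returns (policy_id, action, dstintf); policy_id None means implicit deny."""
    dstintf = route_lookup(routes, dst)
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and src_ip in p.srcaddr and dst_ip in p.dstaddr):
            return (p.policy_id, p.action, dstintf)
    return (None, "deny", dstintf)


def explain(loopback_prefixlen: int) -> str:
    pid, action, dstintf = policy_lookup(POLICIES, build_routes(loopback_prefixlen),
                                         "NOCSWITCH", "10.0.8.11", "10.240.0.3")
    matched = f"policy {pid}" if pid is not None else "implicit deny policy"
    return (f"loopback /{loopback_prefixlen}: route lookup for 10.240.0.3 -> {dstintf}; "
            f"lookup matches the {matched} ({action})")


if __name__ == "__main__":
    print(explain(31))   # faulty mask: egress is the loopback, no policy matches
    print(explain(32))   # corrected mask: egress is Interconnect, policy 56 matches
```

Checking the route lookup first (on FortiGate, the routing table for the destination address) is the quick way to confirm this class of problem: if the egress interface it reports is not the one named in the policy's dstintf, the policy can never match, however permissive its address and service settings are.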
