DENY Policy for Virtual IP Firewall Policy

Had an issue after an upgrade where a VIP was not working from internal to external: traffic from an inside host to the VIP's public address was being dropped.

Debug flow trace:
2015-08-19 10:46:56 id=20085 trace_id=91 func=print_pkt_detail line=4420 msg="vd-client received a packet(proto=1, 192.168.101.5:1->xx.xx.xx.xx:8) from Inside1148. code=8, type=0, id=1, seq=1417."
2015-08-19 10:46:56 id=20085 trace_id=91 func=init_ip_session_common line=4569 msg="allocate a new session-003e477a"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_dnat_check line=4633 msg="in-[Inside1148], out-[]"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_dnat_tree_check line=831 msg="len=1"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_dnat_policy line=4522 msg="checking gnum-100000 policy-7"
2015-08-19 10:46:56 id=20085 trace_id=91 func=get_new_addr line=2763 msg="find DNAT: IP-192.168.156.52, port-1"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_dnat_policy line=4590 msg="matched policy-7, act=accept, vip=7, flag=100, sflag=800000"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-7, ret-matched, act-accept, flag-00000100"
2015-08-19 10:46:56 id=20085 trace_id=91 func=fw_pre_route_handler line=176 msg="VIP-192.168.156.52:1, outdev-Inside1148"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__ip_session_run_tuple line=2564 msg="DNAT xx.xx.xx.xx:8->192.168.156.52:1"
2015-08-19 10:46:56 id=20085 trace_id=91 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.156.52 via DMZ155"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_fwd_check line=627 msg="in-[Inside1148], out-[DMZ155], skb_flags-008000c0, vid-7"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_tree_check line=536 msg="gnum-100004, use addr/intf hash, len=19"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-230, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-234, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-228, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-202, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-217, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-214, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-213, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-207, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-229, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-70, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-118, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-141, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-135, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-127, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-187, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-243, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=2019 msg="policy-0 is matched, act-drop"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_fwd_auth_check line=679 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2015-08-19 10:46:56 id=20085 trace_id=91 func=fw_forward_handler line=546 msg="Denied by forward policy check (policy 0)"

Resolved as per:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33338

Had to add "set match-vip enable" to the outbound policy. In the trace above the DNAT (VIP) policy matched and the destination was translated, but the forward policy check then walked the whole policy list and ended on the implicit deny (policy 0), because none of the forward policies claimed the translated VIP traffic until match-vip was enabled on the policy meant to carry it.
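To spot this pattern without reading a trace line by line, here is a small parser for "diagnose debug flow" output. It is an added example, not code from the original post or from Fortinet: it groups lines by trace_id, records the DNAT/VIP match, the forward-policy candidates and the final verdict, and flags the combination seen above (VIP matched, forward check denied by policy 0). The sample trace embedded below is a constructed, abridged copy of the post's trace with straight quotes; the regexes are keyed on the func= names and message formats that appear on the page and are an assumption for other FortiOS versions.

```python
"""Summarise a FortiGate 'diagnose debug flow' trace per session.

Added example (not from the original post). Field names and message
formats are taken from the trace on the page; other firmware versions
may print them differently.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: abridged from the post's trace, most "ret-no-match" lines dropped.
SAMPLE_TRACE = """\
2015-08-19 10:46:56 id=20085 trace_id=91 func=print_pkt_detail line=4420 msg="vd-client received a packet(proto=1, 192.168.101.5:1->xx.xx.xx.xx:8) from Inside1148. code=8, type=0, id=1, seq=1417."
2015-08-19 10:46:56 id=20085 trace_id=91 func=init_ip_session_common line=4569 msg="allocate a new session-003e477a"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_dnat_check line=4633 msg="in-[Inside1148], out-[]"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_dnat_policy line=4590 msg="matched policy-7, act=accept, vip=7, flag=100, sflag=800000"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__ip_session_run_tuple line=2564 msg="DNAT xx.xx.xx.xx:8->192.168.156.52:1"
2015-08-19 10:46:56 id=20085 trace_id=91 func=iprope_fwd_check line=627 msg="in-[Inside1148], out-[DMZ155], skb_flags-008000c0, vid-7"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-230, ret-no-match, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=1838 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2015-08-19 10:46:56 id=20085 trace_id=91 func=__iprope_check_one_policy line=2019 msg="policy-0 is matched, act-drop"
2015-08-19 10:46:56 id=20085 trace_id=91 func=fw_forward_handler line=546 msg="Denied by forward policy check (policy 0)"
"""

# Accept straight or WordPress-style curly quotes around msg so pasted traces parse.
LINE_RE = re.compile(
    r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+'
    r'msg=["\u201c\u201d](?P<msg>.*?)["\u201d\u2033]\s*$'
)
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[^\s)]+)->(?P<dst>[^\s)]+)\) from (?P<intf>\w+)')
DNAT_POLICY_RE = re.compile(r'matched policy-(?P<pol>\d+), .*?vip=(?P<vip>\d+)')
DNAT_RE = re.compile(r'DNAT (?P<before>\S+)->(?P<after>\S+)')
FWD_RE = re.compile(r'in-\[(?P<in>\w*)\], out-\[(?P<out>\w*)\]')
CHECKED_RE = re.compile(r'checked gnum-\d+ policy-(?P<pol>\d+), ret-(?P<ret>[\w-]+), act-(?P<act>\w+)')
FINAL_RE = re.compile(r'policy-(?P<pol>\d+) is matched, act-(?P<act>\w+)')


@dataclass
class SessionDecision:
    trace_id: str
    src: Optional[str] = None
    dst: Optional[str] = None
    in_intf: Optional[str] = None
    out_intf: Optional[str] = None
    vip_policy: Optional[int] = None   # DNAT policy id that matched
    vip_id: Optional[int] = None       # vip= value on that match
    dnat_to: Optional[str] = None      # translated destination ip:port
    candidates: list = field(default_factory=list)  # (policy, ret, act) from the forward check
    final_policy: Optional[int] = None
    final_act: Optional[str] = None
    denied: bool = False


def parse_trace(text: str) -> dict:
    """Group trace lines by trace_id and extract the decision points."""
    sessions: dict = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m["tid"], m["func"], m["msg"]
        d = sessions.setdefault(tid, SessionDecision(trace_id=tid))
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            d.src, d.dst, d.in_intf = p["src"], p["dst"], p["intf"]
        elif func == "__iprope_check_one_dnat_policy" and (p := DNAT_POLICY_RE.search(msg)):
            d.vip_policy, d.vip_id = int(p["pol"]), int(p["vip"])
        elif func == "__ip_session_run_tuple" and (p := DNAT_RE.search(msg)):
            d.dnat_to = p["after"]
        elif func == "iprope_fwd_check" and (p := FWD_RE.search(msg)):
            d.in_intf, d.out_intf = p["in"], p["out"]
        elif func == "__iprope_check_one_policy":
            if p := CHECKED_RE.search(msg):
                d.candidates.append((int(p["pol"]), p["ret"], p["act"]))
            elif p := FINAL_RE.search(msg):
                d.final_policy, d.final_act = int(p["pol"]), p["act"]
        elif func == "fw_forward_handler" and msg.startswith("Denied by forward policy check"):
            d.denied = True
    return sessions


def diagnose(d: SessionDecision) -> str:
    """One-line verdict; names the match-vip case described in the post."""
    if d.final_act == "accept":
        return f"accepted by policy {d.final_policy}"
    if d.vip_policy is not None and d.final_policy == 0 and d.final_act == "drop":
        return (f"VIP {d.vip_id} (DNAT policy {d.vip_policy}) translated {d.dst} -> {d.dnat_to}, "
                f"but the forward check {d.in_intf} -> {d.out_intf} fell through to the implicit "
                f"deny (policy 0): no forward policy claimed the translated traffic. "
                f"Check 'set match-vip enable' on the policy meant to carry it.")
    if d.final_act == "drop":
        return f"dropped by policy {d.final_policy}"
    return "no final verdict in trace"


if __name__ == "__main__":
    for tid, decision in parse_trace(SAMPLE_TRACE).items():
        print(f"trace_id={tid}: {diagnose(decision)}")
```

Run it against a captured trace (`parse_trace(open("flow.txt").read())`) after filtering the debug flow to the client and VIP addresses, so one trace_id corresponds to one session.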
