This article describes why incoming traffic to the FortiGate does not match the expected firewall policy configured.
In some setups, port forwarding uses a port on the external interface that differs from the port the server actually listens on.
Example setup:
[Internal Server] 10.149.3.240:443 ----- [FortiGate] 10.47.1.37:55555 ----- Internet
- Internal server with TCP port 443 or HTTPS service opened.
- FortiGate is listening on the public-facing interface for TCP port 55555 to port forward to the actual server.
On the Firewall Policy, the ‘Service’ field has been set to TCP port 55555 to allow the traffic to the configured Virtual IP.
But when accessing the external IP address on TCP port 55555, the traffic does not match the Firewall Policy as expected.
The debug flow shows ‘Denied by forward policy check(policy 0)’, which indicates that no firewall policy matched.
Scope
FortiGate.
Solution
To allow the traffic, the service on the Firewall Policy must be the port used to connect to the server (HTTPS/TCP port 443), not the external port the FortiGate listens on.
In this example, the FortiGate listens on TCP port 55555 and the actual server listens on TCP port 443 (HTTPS).
To understand this behavior on FortiOS:
- Traffic to the FortiGate's external IP on TCP port 55555 is accepted by the Virtual IP (DNAT/VIP), which translates the destination to the server's IP and port.
- Traffic to the actual server is then accepted by the Firewall Policy whose service matches the translated destination port (allowed by Policy-x).
After changing the service from TCP port 55555 to HTTPS/TCP port 443, the debug flow shows the traffic matching the expected policy.
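The setup above expressed as FortiOS CLI, as an added example that is not part of the original article: the VIP with port forwarding, the policy that fails to match (service on the external port) and the corrected policy (service on the server's port). Interface names "wan1" and "internal", the VIP/service/policy names and the client address 203.0.113.10 are assumptions.

```fortios
# Added example, not from the original article. Interface names are assumed.
config firewall vip
    edit "VIP-web-55555"
        set extip 10.47.1.37
        set extintf "wan1"
        set portforward enable
        set mappedip "10.149.3.240"
        set extport 55555
        set mappedport 443
    next
end

# Wrong: the service matches the external port 55555.
# The policy lookup runs after the VIP translation, so the destination
# port is already 443 and this policy never matches (policy 0, denied).
config firewall service custom
    edit "TCP-55555"
        set tcp-portrange 55555
    next
end
config firewall policy
    edit 10
        set name "Inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-web-55555"
        set action accept
        set schedule "always"
        set service "TCP-55555"
    next
end

# Correct: the service is the port the server listens on (mapped port 443).
config firewall policy
    edit 10
        set service "HTTPS"
    next
end

# Verify from the CLI with the debug flow (client address is assumed):
# diagnose debug flow filter addr 203.0.113.10
# diagnose debug flow filter port 55555
# diagnose debug flow trace start 10
# diagnose debug enable
```

With the corrected service the trace reports the VIP translation followed by "allowed by Policy-10" instead of "Denied by forward policy check(policy 0)".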