This article describes a case in which outgoing traffic is blocked by the implicit deny policy even though a valid firewall policy is in place.
Scope
FortiOS 7.2.6+, 7.4.1+.
Solution
Source IP: 10.11.15.2, Interface: port2.
Destination IP: 8.8.8.8, Interface: port1.
Atlantis-kvm57 # did=65308 trace_id=9 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 10.11.15.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=12."
id=65308 trace_id=9 func=init_ip_session_common line=6043 msg="allocate a new session-3ad1b7aa, tun_id=0.0.0.0"
id=65308 trace_id=9 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=9 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"
This can happen when an IP pool that covers the destination IP (here 8.8.8.8) is configured with ARP reply enabled. The trace above shows the effect: the route lookup returns "via root" (flag=80000000) and the packet is handed to fw_local_in_handler, meaning the FortiGate treats 8.8.8.8 as one of its own addresses. The packet is therefore checked against the local-in policy, where it hits the implicit deny (policy 0), and never reaches the forward policy.
Solution: Delete the IP pool or disable ARP reply on it.
Reason: As of FortiOS 7.2.6+ and 7.4.1+, IP pool and VIP addresses are considered local IPs of the FortiGate when ARP reply is enabled.
Also note that IP pools are used to SNAT outgoing traffic, so an IP pool should never cover a destination IP in the first place.
After disabling ARP reply or deleting the IP pool, the route lookup goes out via port1 and the packet is allowed by the forward policy:
id=65308 trace_id=13 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 10.11.15.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=16."
id=65308 trace_id=13 func=init_ip_session_common line=6043 msg="allocate a new session-3ad21d8a, tun_id=0.0.0.0"
id=65308 trace_id=13 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=00000000 gw-10.9.15.254 via port1"
id=65308 trace_id=13 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=3"
id=65308 trace_id=13 func=get_new_addr line=1239 msg="find SNAT: IP-10.9.10.57(from IPPOOL), port-60418"
id=65308 trace_id=13 func=fw_forward_handler line=1000 msg="Allowed by Policy-12: SNAT"
id=65308 trace_id=13 func=ip_session_confirm_final line=3090 msg="npu_state=0x1100, hook=4"
id=65308 trace_id=13 func=ids_receive line=430 msg="send to ips"
id=65308 trace_id=13 func=__ip_session_run_tuple line=3432 msg="SNAT 10.11.15.2->10.9.10.57:60418
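As an added triage aid (not part of this Fortinet article), the following Python script parses `diagnose debug flow` trace lines like the two traces above, groups them by trace_id, and flags the pattern that points at this issue: a route lookup ending in "via root" followed by a fw_local_in_handler drop on policy 0, as opposed to an "Allowed by Policy-N" verdict from fw_forward_handler. The sample lines are constructed from the traces quoted in this article.

```python
import re
from collections import defaultdict

# Constructed sample: the dropped trace (trace_id=9) and the allowed trace
# (trace_id=13) from the article, reduced to the lines that decide the verdict.
SAMPLE = """
id=65308 trace_id=9 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 10.11.15.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=12."
id=65308 trace_id=9 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=9 func=fw_local_in_handler line=615 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=13 func=print_pkt_detail line=5857 msg="vd-root:0 received a packet(proto=1, 10.11.15.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=16."
id=65308 trace_id=13 func=__vf_ip_route_input_rcu line=2001 msg="find a route: flag=00000000 gw-10.9.15.254 via port1"
id=65308 trace_id=13 func=fw_forward_handler line=1000 msg="Allowed by Policy-12: SNAT"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+')

def parse_traces(text):
    # Group debug-flow lines by trace_id into an ordered list of (func, msg).
    traces = defaultdict(list)
    for line in text.strip().splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[int(m.group(1))].append((m.group(2), m.group(3)))
    return traces

def classify(steps):
    # Return (src, dst, verdict) for one trace; verdict explains a local-in drop.
    src = dst = None
    local_route = False
    for func, msg in steps:
        if func == "print_pkt_detail":
            pm = PKT_RE.search(msg)
            if pm:
                src, dst = pm.group(1), pm.group(2)
        elif func == "__vf_ip_route_input_rcu" and msg.endswith("via root"):
            local_route = True  # dst matched a FortiGate address, not a forwarding route
        elif func == "fw_local_in_handler" and "policy 0, drop" in msg:
            hint = ("local-in implicit deny; destination treated as a FortiGate IP "
                    "(check for an IP pool or VIP covering it with ARP reply enabled)"
                    if local_route else "local-in implicit deny")
            return src, dst, "DROP: " + hint
        elif func == "fw_forward_handler" and msg.startswith("Allowed by"):
            return src, dst, "ALLOW: " + msg
    return src, dst, "UNKNOWN"

def triage(text):
    return {tid: classify(steps) for tid, steps in parse_traces(text).items()}

if __name__ == "__main__":
    for tid, (src, dst, verdict) in triage(SAMPLE).items():
        print(f"trace {tid}: {src} -> {dst}: {verdict}")
```

Feed it the raw output of `diagnose debug flow trace start` (one record per line) to see at a glance which sessions died in the local-in path rather than in the forward policy.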