
Fortigate Debug

AXISHK asked:
I find that a ping can't be passed through from one zone to another. I turn on the Fortigate debug and it reports the following:

2017-12-29 18:30:34 id=20085 trace_id=9 func=init_ip_session_common line=5519 msg="allocate a new session-00025aa1"
2017-12-29 18:30:34 id=20085 trace_id=9 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.2.25 via lan"
2017-12-29 18:30:34 id=20085 trace_id=9 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"

"Denied by forward policy check (policy 0)" - How can I check which policy 0 in Fortigate it is referring to?


Thx

Hi,
Did you upgrade firmware lately? Does TCP work? Is it only ICMP not passing through?

If so, then you should check the following command:
show firewall service custom ALL

If it does not output "IP" you may have encountered a Fortinet bug, which luckily is very easy to fix:

The fix is to navigate to Policy & Objects > Objects > Services > ALL and change Protocol Number to 0 (zero)

Here is a very helpful link:
https://forum.fortinet.com/tm.aspx?m=119542

hope this helps
max
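A small helper, added here as an example and not part of either post, that pulls the policy id out of debug flow lines like the ones in the question and applies the "show firewall service custom ALL" check from the answer. The debug lines are copied from the question; the two "show" outputs are constructed samples, and the code assumes (as FortiOS does) that "show" omits settings left at their default, so a missing protocol-number line means 0.

```python
import re

# Debug flow lines as quoted in the question (sample input for the parser).
DEBUG_FLOW = """\
2017-12-29 18:30:34 id=20085 trace_id=9 func=init_ip_session_common line=5519 msg="allocate a new session-00025aa1"
2017-12-29 18:30:34 id=20085 trace_id=9 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.2.25 via lan"
2017-12-29 18:30:34 id=20085 trace_id=9 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
"""

FLOW_LINE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)"')
DENIED = re.compile(r"Denied by forward policy check \(policy (?P<policy>\d+)\)")


def find_denials(flow_text):
    """Map trace_id -> policy id for every trace that ended in a forward-policy denial."""
    denials = {}
    for line in flow_text.splitlines():
        m = FLOW_LINE.search(line)
        if not m:
            continue  # not a debug flow line
        d = DENIED.search(m.group("msg"))
        if d:
            denials[int(m.group("trace"))] = int(d.group("policy"))
    return denials


# Constructed "show firewall service custom ALL" output: a healthy ALL service ...
SERVICE_OK = """\
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
    next
end
"""

# ... and a constructed broken one whose protocol number is no longer 0 (any IP protocol).
SERVICE_BROKEN = """\
config firewall service custom
    edit "ALL"
        set category "General"
        set protocol IP
        set protocol-number 6
    next
end
"""


def service_all_matches_any_ip(show_output):
    """True when ALL still covers every IP protocol: 'set protocol IP' present and
    protocol-number 0 (assumption: show omits the line when it is at its default 0)."""
    proto = re.search(r"^\s*set protocol (\S+)\s*$", show_output, re.M)
    num = re.search(r"^\s*set protocol-number (\d+)", show_output, re.M)
    if proto is None or proto.group(1) != "IP":
        return False
    return num is None or int(num.group(1)) == 0
```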