Website not Accessible. FortiGate Logs had "action=deny policyid=0"
Environment
- FortiOS 5.2.X
Content
Public WiFi clients in the DMZ zone are not able to reach the public web service that is published on the FortiGate's own WAN IP (the same service is reachable from the Internet):
Log:
date=2017-05-02 time=16:49:53 devname={FORTIGATE} devid={FORTIGATE-DEVID} logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip={AccessPoint} srcport=54334 srcintf="dmz" dstip={PUBLIC-IP} dstport=91 dstintf="wan2" sessionid=15040014 proto=6 action=deny policyid=0 dstcountry="Hong Kong" srccountry="Reserved" trandisp=dnat tranip={Web-Srv-Server} tranport={WEB-PORT} service="Web-Srv" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high
FortiCloud:
action: deny
source: {AccessPoint}
destination: {PUBLIC-IP}
trandisp: dnat
tranip: {Web-Srv-Server}
tranport: {WEB-PORT}
appcat (application type): unscanned
protocol: 6 (TCP)
Note: {PUBLIC-IP} is the FortiGate's own WAN IP (on wan2); tranip/tranport are the web server and port the VIP maps it to.
"action=deny policyid=0" shows that the traffic was dropped by the last, implicit policy: the VIP did translate the destination (trandisp=dnat), but the resulting session from the dmz interface to the web server matched no firewall policy, because the public WiFi network is isolated from everything else:
- The (default) drop rule that is the last rule in the policy table and that is automatically added has a policy ID number of 0.
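A small script that parses FortiOS key=value traffic log lines and picks out the policyid=0 denies, flagging the ones that match the hairpin pattern above (a host on one of our own subnets, our own WAN IP as destination, and trandisp=dnat). This is an added example, not code from the original post or from Fortinet; the log lines, addresses, device names and the 192.168.0.0/24 subnet are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample lines in the FortiOS 5.2 traffic-log format shown above.
# Addresses and device names are placeholders, not values from the original post.
# Line 1: the hairpin case (DMZ client -> own WAN IP, DNAT by the VIP, implicit deny).
# Line 2: the same VIP reached from the Internet, accepted by a normal WAN->DMZ policy.
# Line 3: an unrelated implicit deny (DMZ client to an external DNS server, no policy).
SAMPLE_LOGS = [
    'date=2017-05-02 time=16:49:53 devname=FGT devid=FG100D1234567890 logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=192.168.0.10 srcport=54334 '
    'srcintf="dmz" dstip=203.0.113.5 dstport=91 dstintf="wan2" sessionid=15040014 proto=6 '
    'action=deny policyid=0 trandisp=dnat tranip=192.168.0.20 tranport=80 service="Web-Srv" '
    'duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high',
    'date=2017-05-02 time=16:50:01 devname=FGT devid=FG100D1234567890 logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=198.51.100.7 srcport=40000 '
    'srcintf="wan2" dstip=203.0.113.5 dstport=91 dstintf="dmz" sessionid=15040020 proto=6 '
    'action=accept policyid=5 trandisp=dnat tranip=192.168.0.20 tranport=80 service="Web-Srv"',
    'date=2017-05-02 time=16:50:09 devname=FGT devid=FG100D1234567890 logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=192.168.0.11 srcport=51000 '
    'srcintf="dmz" dstip=198.51.100.53 dstport=53 dstintf="wan2" sessionid=15040031 proto=17 '
    'action=deny policyid=0 trandisp=noop service="DNS"',
]

PROTO_NAMES = {'1': 'ICMP', '6': 'TCP', '17': 'UDP'}

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortilog(line):
    """Parse one FortiOS key=value log line into a dict, stripping the quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify_deny(rec, wan_ips, local_nets):
    """Return 'hairpin' or 'implicit-deny' for a policyid=0 deny, or None otherwise.

    'hairpin': a host on one of our own subnets tried to reach one of our own WAN
    addresses, the VIP rewrote it (trandisp=dnat) and no policy matched the result,
    which is exactly the pattern in the log above.
    """
    if rec.get('action') != 'deny' or rec.get('policyid') != '0':
        return None
    src = ipaddress.ip_address(rec['srcip'])
    dst = ipaddress.ip_address(rec['dstip'])
    src_is_local = any(src in net for net in local_nets)
    if src_is_local and dst in wan_ips and rec.get('trandisp') == 'dnat':
        return 'hairpin'
    return 'implicit-deny'


def find_implicit_denies(lines, wan_ips, local_nets):
    """Scan raw log lines; return (sessionid, label, summary) for every policyid=0 deny."""
    wan_ips = {ipaddress.ip_address(ip) for ip in wan_ips}
    local_nets = [ipaddress.ip_network(net) for net in local_nets]
    hits = []
    for line in lines:
        rec = parse_fortilog(line)
        label = classify_deny(rec, wan_ips, local_nets)
        if label is None:
            continue
        proto = PROTO_NAMES.get(rec.get('proto'), rec.get('proto'))
        summary = '%s %s:%s (%s) -> %s:%s (%s)' % (
            proto, rec['srcip'], rec['srcport'], rec['srcintf'],
            rec['dstip'], rec['dstport'], rec['dstintf'])
        if rec.get('trandisp') == 'dnat':
            summary += ' dnat-> %s:%s' % (rec['tranip'], rec['tranport'])
        hits.append((rec['sessionid'], label, summary))
    return hits


if __name__ == '__main__':
    # wan_ips and local_nets are the firewall's own WAN address(es) and inside subnets
    for sid, label, summary in find_implicit_denies(
            SAMPLE_LOGS, wan_ips=['203.0.113.5'], local_nets=['192.168.0.0/24']):
        print(sid, label, summary)
```

Run it against an exported log file (one record per line) with your own WAN IP and inside subnets; a 'hairpin' hit is the signature of a client reaching a VIP from behind the firewall, which a policy route or a matching internal-to-internal policy fixes, while a plain 'implicit-deny' just means no policy covers that flow.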
Finally, solved it by adding a policy route that sends traffic between hosts of the DMZ subnet (the AP and the web server, after the VIP has translated the destination) back out of the dmz interface, so the session is dmz-to-dmz instead of dmz-to-wan2:
config router policy
# src/dst are {SUBNET-ID}/{SUBNET-MASK} of the DMZ network
edit 0
set input-device "dmz"
set src "192.168.0.0/255.255.255.0"
set dst "192.168.0.0/255.255.255.0"
set output-device "dmz"
next
end
The policy route only changes the egress interface; the dmz-to-dmz session must still be permitted, either by a firewall policy from dmz to dmz for the VIP or by the zone's intrazone setting, otherwise it hits the implicit deny (policyid=0) again.
Update