Methodology: Test Before Tuning
Do not start changing firewall rules until you have confirmed exactly where traffic is being blocked. FortiGate has excellent built-in diagnostic tools.
Step 1: Policy Lookup Test
Navigate to Network then Diagnostics then Policy Lookup (the same tool is also reachable from the Policy Lookup button at the top of Policy & Objects then Firewall Policy).
Enter the source interface, source IP, destination IP (or FQDN), destination port, and protocol. Policies are evaluated top-down, first match wins, and FortiGate highlights the one this flow would hit. If that is not the policy you expected, a broader policy above it is catching the traffic.
If no policy matches, the flow falls through to the implicit deny (policy ID 0). Add a policy scoped to just that source, destination, and service rather than widening an existing allow.
Step 2: Packet Sniffer (CLI)
From the CLI, run diagnose sniffer packet with a filter for the flow (verbosity 4 shows the interface each packet is seen on) and reproduce the problem. If packets arrive on the inside interface but never appear on the outside one, the firewall itself is dropping them; if nothing arrives at all, the problem is upstream of the firewall (client routing, VLAN, switch ACL). One trap: with source NAT the egress packet carries the outgoing interface address, so a filter on the inside host address shows the inbound packet only and looks like a drop. Filter on the destination address or the port instead.
Step 3: Debug Flow (CLI)
Enable debug flow with a filter for the source and destination addresses, reproduce the problem, then read the trace. Each trace shows the ingress interface, the route lookup, and the verdict. A line ending in Denied by forward policy check (policy 0) means no firewall policy allows the flow (policy 0 is the implicit deny), so add or reorder a policy. A line reading reverse path check fail, drop means the firewall has no route back to the source out of the interface the packet arrived on, which points to asymmetric routing or a missing static route, not to a policy. Stop the trace and run diagnose debug reset when you are done; debug output left enabled adds load on a busy unit.
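Steps 2 and 3 in a form you can script from an admin host. This is an added example, not code from the original article or from Fortinet: the FortiOS commands it emits are the standard sniffer and debug-flow sequence, the trace it parses is constructed sample output written in the documented line format (not a capture from a real device), and the function names (build_sniffer_command, build_debug_flow_commands, parse_debug_flow, explain) are this example's own. Per trace it pulls out the ingress interface, the egress route, and the verdict, and maps the verdict to the fix a practitioner would reach for.

```python
"""Drive and read a FortiGate sniffer / debug-flow session.

Added example, not from the original article or from Fortinet. The CLI
lines emitted are the standard FortiOS commands; SAMPLE_TRACE is
CONSTRUCTED text in the debug-flow line format, not real device output.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three SYNs from 10.0.1.10, each handled differently.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:51234->203.0.113.10:443) from port1. flag [S], seq 1001, ack 0, win 64240"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2622 msg="find a route: flag=04000000 gw-198.51.100.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:51235->203.0.113.20:443) from port1. flag [S], seq 2002, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2622 msg="find a route: flag=04000000 gw-198.51.100.1 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=812 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:51236->203.0.113.30:443) from port3. flag [S], seq 3003, ack 0, win 64240"
id=20085 trace_id=3 func=ip_route_input_slow line=1921 msg="reverse path check fail, drop"
"""


def build_sniffer_command(host, port, iface="any"):
    """Step 2. Verbosity 4 prints the interface per packet, count 0 runs until
    Ctrl-C, 'l' gives local timestamps. Filtering on the port as well keeps the
    post-NAT egress packet visible even though its source address changed."""
    return f"diagnose sniffer packet {iface} 'host {host} and port {port}' 4 0 l"


def build_debug_flow_commands(src_ip, dst_ip, dst_port, count=100):
    """Step 3 start sequence: filter first, then trace, then enable output."""
    return [
        "diagnose debug reset",
        "diagnose debug flow filter clear",
        f"diagnose debug flow filter saddr {src_ip}",
        f"diagnose debug flow filter daddr {dst_ip}",
        f"diagnose debug flow filter port {dst_port}",
        "diagnose debug flow show function-name enable",
        "diagnose debug console timestamp enable",
        f"diagnose debug flow trace start {count}",
        "diagnose debug enable",
    ]


# Run these when finished; a trace left running keeps burning CPU.
DEBUG_FLOW_STOP = ["diagnose debug flow trace stop", "diagnose debug disable", "diagnose debug reset"]

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+).*?msg="(?P<msg>[^"]*)"')
VERDICT_RULES = [  # first matching rule wins; last verdict line in a trace is kept
    (re.compile(r"reverse path check fail"), "denied-rpf"),
    (re.compile(r"Denied by forward policy check \(policy (\d+)\)"), "denied-policy"),
    (re.compile(r"iprope_in_check\(\) check failed on policy (\d+)"), "denied-policy"),
    (re.compile(r"Allowed by Policy-(\d+)"), "allowed"),
]
FIXES = {
    "allowed": "a policy matched; if traffic still fails look past it (UTM profile, NAT, return route)",
    "denied-policy": "no policy allows this flow (policy 0 is the implicit deny): add or reorder a policy",
    "denied-rpf": "reverse path check failed: no route to the source out of the ingress interface; fix routing, not policy",
    "unknown": "no verdict line seen: widen the filter or capture more packets",
}


@dataclass
class FlowTrace:
    trace_id: int
    ingress: str = ""
    route_via: str = ""
    verdict: str = "unknown"
    policy: str = ""
    messages: list = field(default_factory=list)


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id; extract ingress, route and verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # console noise, prompts, bare timestamps
        tid, msg = int(m.group("tid")), m.group("msg")
        t = traces.setdefault(tid, FlowTrace(tid))
        t.messages.append(msg)
        if "received a packet" in msg:
            ing = re.search(r" from (\S+)\.", msg)
            t.ingress = ing.group(1) if ing else t.ingress
        route = re.search(r"find a route: .*? via (\S+)", msg)
        if route:
            t.route_via = route.group(1)
        for pattern, verdict in VERDICT_RULES:
            hit = pattern.search(msg)
            if hit:
                t.verdict = verdict
                t.policy = hit.group(1) if hit.groups() else ""
    return traces


def explain(trace):
    """One-line diagnosis for a parsed trace, in the terms of the table below."""
    where = f"in {trace.ingress or '?'}" + (f", route via {trace.route_via}" if trace.route_via else "")
    return f"trace {trace.trace_id} ({where}): {FIXES[trace.verdict]}"


if __name__ == "__main__":
    print(build_sniffer_command("10.0.1.10", 443))
    print("\n".join(build_debug_flow_commands("10.0.1.10", "203.0.113.10", 443)))
    for _, t in sorted(parse_debug_flow(SAMPLE_TRACE).items()):
        print(explain(t))
```

Paste the emitted commands into an SSH session, reproduce the problem, then feed the console output to parse_debug_flow. Policy 0 in a verdict is the implicit deny; a reverse path failure is a routing problem, so adding a policy will not fix it.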
Common Causes and Fixes
| Symptom | Likely Cause | Fix |
|---|---|---|
| One website blocked, others fine | Web filter category (or URL filter) in the policy's web filter profile | Check the web filter log for the rated category, then add a URL filter exception for that site rather than unblocking the whole category |
| One application blocked | Application control signature | Check the application control log, then add an override for that application in the sensor |
| All or most traffic blocked after a change | Policy ordering: policies match top-down, first hit, so a new or edited broad policy now catches the traffic first | Run Policy Lookup to see which policy actually matches, then move the intended policy above it |
| Intermittent drops of otherwise working traffic | IPS signature firing on legitimate traffic | Check the IPS log for the signature ID, then exempt the affected host from that signature in the IPS sensor |
| VPN connected but no access to internal hosts | Subnet missing from the phase 2 selectors (IPsec) or split-tunnel routing addresses (SSL VPN), or no route or policy for the tunnel | Confirm the subnet is in the phase 2 selectors or split-tunnel list, add a static route via the tunnel interface, and add a policy from the tunnel interface to the LAN |
IPS False Positive Check
Navigate to Log and Report then Intrusion Prevention and filter by the source IP. If a signature is firing on legitimate traffic, edit the IPS sensor attached to the policy and add an entry for that signature ID. Prefer exempting the affected host under the entry's Exempt IPs to setting the action to Pass: the signature keeps protecting every other host. Record the signature ID and the reason; these overrides are easy to forget and weaken the sensor permanently.
Useful CLI Quick Reference
- get system performance status: CPU and memory overview (a saturated CPU, or a unit in memory conserve mode, drops traffic on its own)
- get router info routing-table all: the active routing table, the first thing to check on a reverse path failure
- diagnose sys session list: active sessions; set a filter first with diagnose sys session filter, otherwise the output is unmanageable on a busy firewall
- execute ping from a specific interface: set the source with execute ping-options source (the interface IP) before execute ping, so the test follows the route the firewall would use rather than the one from your workstation
SAS IT Services — Dubai