FortiGate Policy Not Working – Step-by-Step Troubleshooting

Dec 25, 2025 15 mins read

Introduction

Firewall policies are the core of traffic control on FortiGate devices. One of the most common problems administrators face is creating a firewall policy that looks correct but does not allow traffic to pass. Even small misconfigurations can cause policies to fail silently.

This article explains why FortiGate firewall policies may not work and provides a clear, step-by-step troubleshooting process to identify and fix the issue.


Problem Description

A firewall policy is created on FortiGate with the correct source, destination, and service. However, traffic does not pass through the firewall. Users cannot access the internet, servers, or internal resources, even though the policy appears to be enabled.

This issue usually occurs due to policy order, interface mismatch, NAT configuration, or routing problems.


Common Symptoms

  • Traffic is blocked despite an allow policy
  • Policy counters show zero hits
  • Logs show implicit deny
  • FortiGate itself has internet access but users do not
  • VPN or LAN traffic fails unexpectedly

Quick Checks Before Troubleshooting

  1. Confirm the policy is enabled
  2. Check policy order (top to bottom processing)
  3. Verify source and destination objects
  4. Enable logging on the policy

These simple checks often reveal the issue quickly.


Possible Causes

Policy Order Issue

FortiGate processes firewall policies from top to bottom. If a deny policy appears above the allow policy, traffic will never reach the intended rule.


Incorrect Incoming or Outgoing Interface

Firewall policies are interface-based. If the incoming or outgoing interface does not match the actual traffic flow, the policy will never be used.


NAT Not Enabled

For internet access, NAT must be enabled in the policy. Without NAT, traffic may leave the firewall but replies will not return.


Address Objects Not Matching Traffic

Incorrect subnet definitions, wrong address objects, or overlapping networks can prevent traffic from matching the policy.


Service Mismatch

The selected service may not match the actual traffic. For example, allowing HTTP while the traffic is HTTPS will result in blocked connections.


Routing Issues

Even with a correct policy, traffic will fail if FortiGate does not know where to send it. Missing or incorrect routes can cause silent failures.
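The causes above all come down to one matching process: the egress interface is decided by a route lookup, then policies are tried top to bottom, and the first one whose interfaces, addresses and service all match decides; if none matches, the implicit deny (policy 0) applies. The following Python model is an added illustration written for this article, not FortiOS code and not a Fortinet tool; its routes, policies and packet are constructed sample data. It reports, for each policy that was skipped, the first criterion that failed, which is the same question Steps 1 to 7 below answer by hand.

```python
"""Toy model of FortiGate-style policy evaluation (added illustration, not
FortiOS code). Egress comes from a route lookup; policies are checked top to
bottom; the first full match decides; no match means implicit deny (policy 0).
All routes, policies and packets below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    prefix: str       # CIDR, e.g. "0.0.0.0/0" for the default route
    interface: str    # egress interface for that prefix


@dataclass
class Policy:
    id: int
    srcintf: str      # incoming interface, or "any"
    dstintf: str      # outgoing interface, or "any"
    srcaddr: list     # CIDR strings, or "all"
    dstaddr: list
    service: list     # "proto/port" strings, or "ALL"
    action: str       # "accept" or "deny"
    nat: bool = False


@dataclass
class Packet:
    ingress: str
    src: str
    dst: str
    proto: str
    dport: int


def route_lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None if unrouted."""
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r.interface)
    return best[1] if best else None


def addr_match(objs, ip):
    return any(o == "all" or ip_address(ip) in ip_network(o) for o in objs)


def service_match(services, proto, dport):
    return "ALL" in services or f"{proto}/{dport}" in services


def mismatch_reason(p, pkt, egress):
    """None if policy p matches pkt; otherwise the first criterion that fails."""
    if p.srcintf not in (pkt.ingress, "any"):
        return f"srcintf {p.srcintf} != ingress {pkt.ingress}"
    if p.dstintf not in (egress, "any"):
        return f"dstintf {p.dstintf} != route egress {egress}"
    if not addr_match(p.srcaddr, pkt.src):
        return f"srcaddr {p.srcaddr} does not contain {pkt.src}"
    if not addr_match(p.dstaddr, pkt.dst):
        return f"dstaddr {p.dstaddr} does not contain {pkt.dst}"
    if not service_match(p.service, pkt.proto, pkt.dport):
        return f"service {p.service} does not cover {pkt.proto}/{pkt.dport}"
    return None


def evaluate(routes, policies, pkt):
    """Top-to-bottom walk. Returns (policy_id, action, reasons for every policy
    that was skipped); policy_id 0 means the implicit deny."""
    egress = route_lookup(routes, pkt.dst)
    if egress is None:
        return 0, "deny", ["no route to destination (routing issue, not a policy issue)"]
    skipped = []
    for p in policies:
        why = mismatch_reason(p, pkt, egress)
        if why is None:
            return p.id, p.action, skipped
        skipped.append(f"policy {p.id}: {why}")
    skipped.append("implicit deny (policy 0)")
    return 0, "deny", skipped


# Constructed sample: LAN on port1, second LAN on port2, default route via wan1.
ROUTES = [Route("0.0.0.0/0", "wan1"), Route("10.0.0.0/8", "port2")]
POLICIES = [
    Policy(1, "port1", "wan1", ["10.1.1.0/24"], ["all"], ["tcp/80"], "accept", nat=True),
    Policy(2, "port2", "wan1", ["10.1.1.0/24"], ["all"], ["ALL"], "accept", nat=True),
]
# The same policies after the Step 6 fix: policy 1 now also covers HTTPS.
FIXED_POLICIES = [
    Policy(1, "port1", "wan1", ["10.1.1.0/24"], ["all"], ["tcp/80", "tcp/443"], "accept", nat=True),
    POLICIES[1],
]
HTTPS_PKT = Packet("port1", "10.1.1.20", "203.0.113.10", "tcp", 443)

if __name__ == "__main__":
    for label, pols in (("before fix", POLICIES), ("after fix", FIXED_POLICIES)):
        pid, action, skipped = evaluate(ROUTES, pols, HTTPS_PKT)
        print(f"{label}: policy {pid} -> {action}")
        for s in skipped:
            print("   ", s)
```

Run as a script, the "before fix" walk shows policy 1 skipped on service (HTTP only, traffic is HTTPS) and policy 2 skipped on the incoming interface, so the packet falls to the implicit deny; after widening the service on policy 1 the same packet is accepted by policy 1. Removing the default route makes the model report a routing failure instead, which is why the article treats routing as a separate check.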


Step-by-Step Troubleshooting

Step 1: Check Policy Order

Move the allow policy above any deny policy or broader policy that could match the same traffic first. The implicit deny at the bottom only applies when no explicit policy matches, so if it is logging your traffic, nothing above it matched.


Step 2: Verify Interfaces

Confirm:

  • Incoming interface matches the source network
  • Outgoing interface matches the destination network

A single interface mismatch is enough to break the policy.


Step 3: Enable Policy Logging

Enable logging on the policy and check traffic logs to see whether traffic is hitting the policy or being denied elsewhere.


Step 4: Review NAT Settings

For internet-bound traffic:

  • Enable NAT in the policy
  • Confirm correct outgoing interface

Without NAT, return traffic will fail.


Step 5: Verify Address Objects

Check:

  • Source address subnet
  • Destination address subnet
  • No overlap or incorrect masks

Use “all” temporarily for testing if needed.


Step 6: Check Services

Set service to “ALL” temporarily to rule out service mismatch issues. If traffic works, narrow the service list back down before leaving the policy in production.


Step 7: Verify Routing

Check routing table to confirm:

  • Default route exists for internet traffic
  • Specific routes exist for internal or VPN networks

Routing issues often look like policy problems.


Step 8: Use Debug Flow (Advanced)

If the issue persists, use FortiGate's debug flow trace to follow a packet through the processing path. The trace shows each step the packet passes, the route that was chosen, and the exact point at which it is dropped, including which policy (or the implicit deny, policy 0) made the decision.
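Reading a debug flow trace by eye gets tedious when several flows are interleaved. The parser below is an added example, not a Fortinet tool: it groups trace lines by their trace_id, records the packet summary, the route result and the final verdict for each flow, and maps that verdict to the troubleshooting step above that applies. SAMPLE_TRACE is constructed to mimic the output format of the debug flow trace and is not real captured output; the function and message wording it matches on (allowed-by, denied-by, find-a-route, drop) are assumed to be the ones you see on your own unit, so adjust the regular expressions if your firmware phrases them differently.

```python
"""Parser for debug-flow style trace lines (added illustration, not a Fortinet
tool). Lines are grouped by trace_id; for each flow the packet summary, the
route result and the final verdict are kept so the drop point is visible at a
glance. SAMPLE_TRACE is constructed to mimic the format, not real output."""
import re
from collections import OrderedDict

SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.1.1.20:51234->203.0.113.10:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6079 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=846 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.1.1.21:51235->203.0.113.10:80) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=6079 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.0.2.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=846 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.9.9.9:40000->10.1.1.20:22) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=3 func=ip_route_input_slow line=2282 msg="reverse path check fail, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).*?from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_trace(text):
    """Return OrderedDict: trace_id -> {packet, egress, verdict, policy, last}."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m.groups()
        f = flows.setdefault(tid, {"packet": None, "egress": None,
                                   "verdict": None, "policy": None, "last": None})
        f["last"] = (func, msg)          # last function seen = where processing stopped
        pm = PKT_RE.search(msg)
        if pm:
            f["packet"] = {"proto": int(pm.group(1)), "src": pm.group(2),
                           "sport": int(pm.group(3)), "dst": pm.group(4),
                           "dport": int(pm.group(5)), "ingress": pm.group(6)}
        rm = ROUTE_RE.search(msg)
        if rm:
            f["egress"] = rm.group(1)
        am, dm = ALLOW_RE.search(msg), DENY_RE.search(msg)
        if am:
            f["verdict"], f["policy"] = "allowed", int(am.group(1))
        elif dm:
            f["verdict"], f["policy"] = "denied", int(dm.group(1))
        elif msg.endswith("drop"):       # dropped before any policy decision
            f["verdict"] = "dropped"
    return flows


def diagnose(flow):
    """Map a parsed flow to the troubleshooting step that applies."""
    if flow["verdict"] == "allowed":
        return f"allowed by policy {flow['policy']}; if users still fail, check NAT and the return path"
    if flow["verdict"] == "denied" and flow["policy"] == 0:
        ingress = flow["packet"]["ingress"] if flow["packet"] else "?"
        egress = flow["egress"] or "?"
        return (f"implicit deny: no policy matched {ingress} -> {egress}; "
                "check policy order, interfaces, address objects and service")
    if flow["verdict"] == "denied":
        return f"explicit deny by policy {flow['policy']}: move the allow policy above it"
    if flow["verdict"] == "dropped":
        return f"dropped before policy lookup in {flow['last'][0]}: {flow['last'][1]} (routing issue)"
    return "no verdict in trace: capture more lines or widen the debug filter"


if __name__ == "__main__":
    for tid, flow in parse_trace(SAMPLE_TRACE).items():
        print(f"trace {tid}: {diagnose(flow)}")
```

In the constructed sample, flow 1 reaches the policy check and falls to policy 0, so the policy itself is the problem; flow 2 is accepted by policy 3; flow 3 never reaches a policy at all because the reverse path check drops it, which is the routing case the article warns looks like a policy problem.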


Verification and Testing

After fixing the issue:

  • Policy counters should increase
  • Traffic logs should show allowed sessions
  • Users should regain access
  • No implicit deny logs should appear

Best Practices

  • Keep firewall policies simple and clean
  • Comment policies clearly
  • Avoid overlapping address objects
  • Enable logging during testing
  • Review policy order after every change

Common Mistakes

  • Creating policies in the wrong order
  • Forgetting to enable NAT
  • Using incorrect interfaces
  • Assuming policies work without checking logs

Final Thoughts

When a FortiGate firewall policy does not work, the problem is rarely complex. In most cases, the issue is related to policy order, interface mismatch, NAT settings, or routing. A structured troubleshooting approach makes it easier to identify the root cause and restore connectivity quickly.
