fortigate denied by forward policy check (policy 0)

When I change the allowed services in my policy from "tcp_5902" to "tcp_49052", it matches the correct policy and the packets are NATted and forwarded correctly.

If you are seeing a policy-id match that matches your traffic, the following will be logged via the diag debug flow.

The policy that qualifies this DNS traffic is followed by a policy that stops DNS from 192.168.100.0/24. Not the same problem I was dealing with.

Hi Zak, I just tested your configuration on my FortiGate at home: it also gives me a "denied by forward policy check" due to no matching policy.

However, I am getting "denied by forward policy" when the qualified traffic traverses the firewall.

Digging some more I found this helpful thread over at the Fortinet forums.

And was greeted with msg="Denied by forward policy check (policy 0)" in the console.

id=20085 trace_id=20 func=fw_forward_handler line=561 msg="Denied by forward policy check (policy 12)"

Solution: check whether the firewall policy is configured to use an IP pool (one-to-one), and that the IP in use is not also configured in another IP pool, or the same IP pool used in other policies.

Since I have got my new FortiGate 60C firewall, I can't connect to my TeamSpeak and Minecraft server (they both run on a little Arch Linux server) through the internet, and I always get a "Denied by forward policy check" error when anybody tries to connect to my server. First Google search talked about admin access.

id=20085 trace_id=319 func=fw_forward_handler line=248 msg="Denied by forward policy check"

3.2 - The following is an example of debug flow output for traffic going into an IPsec tunnel in policy-based mode.

But funnily enough SSH and FTP work without any kind of problem.

I have a policy allowing that qualified source to the destination known DNS servers.

Fortigate_Troubleshoot_Connection ***** General Commands ...

Root causes for "Denied by forward policy check":
1- There is no firewall policy matching the traffic that needs to be routed or forwarded by the FortiGate (the traffic hits the implicit deny rule, which the debug output reports as policy 0).
2- The traffic matches a firewall policy whose action is DENY (the debug output then names that policy's ID, as in "policy 12" above).

Any firewall policy that is automatically added by the FortiGate unit has a policy ID number of 0. If you want to explicitly drop a packet that is not matched by any firewall policy and write a log message when this happens, add a general policy (source and destination address set to all) to the bottom of the policy list, set its action to DENY, and enable logging so that a log message is recorded when a packet is dropped.

This was my problem.
The following are the policies most commonly created automatically by the FortiGate unit: the (IPsec) policy for FortiAnalyzer (and FortiManager v3.00) that is added automatically when an IPsec connection to the FortiAnalyzer unit (or FortiManager v3.00) is enabled has a policy ID number of 0.

NOTE: With diag debug flow, if you see "Denied by forward policy check", the traffic either matched a policy whose action is set to deny (the message names its policy ID) or matched no enabled policy at all and fell through to the implicit deny (reported as policy 0). A disabled policy is never matched, so traffic that should have hit it lands on whatever comes next in the list.
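The following FortiOS CLI walk-through is an added example, not taken from the original posts or from Fortinet's documentation. It shows how to capture a debug flow narrowed to the failing connection, how to read the policy ID in the denial line against the two root causes above, how to check and fix policy order, and how to define the catch-all logging deny policy the text describes. The client address 192.168.100.10, the server 203.0.113.10 on tcp/49052, the policy IDs 7 and 12, and the policy and service names are all assumed for illustration.

```text
# Added example; addresses, ports, policy IDs and names below are assumptions.

# 1. Capture only the failing flow. An unfiltered debug flow floods the console
#    and buries the one line you need.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.100.10
diagnose debug flow filter daddr 203.0.113.10
diagnose debug flow filter dport 49052
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... reproduce the connection attempt from the client, then:
diagnose debug flow trace stop
diagnose debug disable

# 2. Read the policy ID in the denial line:
#    msg="Denied by forward policy check (policy 0)"  -> no policy matched; implicit deny
#    msg="Denied by forward policy check (policy 12)" -> policy 12 matched and its action is deny
#    Check the policy the message names, not the one you expected to match.

# 3. Inspect that policy; a wrong service object is the classic cause.
show firewall policy 12

#    The service object must carry the port the client actually uses:
config firewall service custom
    edit "tcp_49052"
        set tcp-portrange 49052
    next
end

#    First match wins. If the allow (assumed ID 7) sits below the deny (ID 12),
#    move it above the deny instead of editing the deny:
config firewall policy
    move 7 before 12
end

# 4. Catch-all deny at the bottom that logs instead of silently dropping, so
#    unmatched traffic shows up in the traffic log and not only in debug flow.
#    "edit 0" creates a new policy with the next free ID at the end of the list.
config firewall policy
    edit 0
        set name "catch-all-deny-log"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Run `diagnose debug reset` before and after the capture so that leftover filters from an earlier session do not hide the flow you are looking for. Once the catch-all deny exists, the debug message will report its ID rather than policy 0, which makes "no policy matched" distinguishable from "a deliberate deny matched" in the traffic log alone.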