
Use Debug Flow (diagnose debug flow)

While the packet sniffer shows "what packets are crossing," debug flow shows "what FortiGate does with each packet" — which policy matched, which route was used, whether NAT happened, why a packet was dropped. It is the most powerful single tool for FortiGate firewall debugging.

Steps

1. Set the filter

Narrow what you'll debug — debug flow on unfiltered traffic produces unreadable noise.

diagnose debug flow filter clear
diagnose debug flow filter saddr <source-ip>
diagnose debug flow filter daddr <destination-ip>
diagnose debug flow filter port <port>      # optional
diagnose debug flow filter proto <num>      # 6=TCP, 17=UDP, 1=ICMP

2. Show function names (useful context)

diagnose debug flow show function-name enable
diagnose debug flow show iprope enable

3. Start the trace

diagnose debug enable
diagnose debug flow trace start 10    # capture 10 packets, then stop

4. Generate test traffic

From the source IP, hit the destination (ping, browser, curl).

5. Watch output

You'll see step-by-step what FortiGate did:

id=20085 trace_id=1 func=resolve_ip_tuple_fast line=5897
  msg="vd-root:0 received a packet(proto=6, 10.0.0.50:55432->8.8.8.8:443)"
id=20085 trace_id=1 func=resolve_ip_tuple line=5980
  msg="allocate a new session-...
id=20085 trace_id=1 func=fw_forward_handler line=803
  msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3424
  msg="SNAT 10.0.0.50->203.0.113.10:55432"

This trace tells you:
  • Packet was received.
  • Matched Policy 5.
  • SNAT'd to WAN IP.

6. Stop debug

diagnose debug disable
diagnose debug flow filter clear

(Important: leaving debug enabled fills logs.)

Interpreting Common Messages

  • "reverse path check fail, drop" — the route back to the packet's source IP does not point out the interface the packet arrived on. Often asymmetric routing or a spoofed packet.
  • "no matching policy" — packet hit implicit deny; no firewall policy matched.
  • "sse_match denied" — session-based deny.
  • "iprope_in_check() check failed on policy 0" — implicit deny (policy 0).
  • "vf=0 ifindex=12 mtu=1500 ttl=64" — packet metadata (virtual domain, ingress interface index, MTU, TTL); informational, not an error.
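When a trace covers several packets, reading the raw output line by line gets slow. The following parser is an added example (not part of this page and not a Fortinet tool): it groups debug flow lines by trace_id, pulls out the received-packet tuple, the "Allowed by Policy-N" match and any SNAT/DNAT line, and maps the drop messages listed above to a short reason. It assumes the output layout shown in step 5 (a header line with trace_id and func, followed by a msg line); it also accepts msg on the same line as the header. The sample trace embedded in SAMPLE_TRACE is constructed for the example; the session id, the dropped ICMP and SSH packets, and the func names on the drop lines are made up to exercise the parser.

```python
import re

# Constructed sample output in the layout shown on this page (not a real capture).
SAMPLE_TRACE = '''\
id=20085 trace_id=1 func=resolve_ip_tuple_fast line=5897
  msg="vd-root:0 received a packet(proto=6, 10.0.0.50:55432->8.8.8.8:443)"
id=20085 trace_id=1 func=resolve_ip_tuple line=5980
  msg="allocate a new session-00000001"
id=20085 trace_id=1 func=fw_forward_handler line=803
  msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3424
  msg="SNAT 10.0.0.50->203.0.113.10:55432"
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5897
  msg="vd-root:0 received a packet(proto=1, 10.0.0.77:1->8.8.8.8:2048)"
id=20085 trace_id=2 func=iprope_in_check line=451
  msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5897
  msg="vd-root:0 received a packet(proto=6, 192.0.2.9:40000->10.0.0.50:22)"
id=20085 trace_id=3 func=ip_route_input_slow line=2266
  msg="reverse path check fail, drop"
'''

HEADER_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)')
MSG_RE = re.compile(r'msg="([^"]*)"')
PACKET_RE = re.compile(
    r'received a packet\(proto=(\d+),\s*([\d.]+):(\d+)->([\d.]+):(\d+)\)')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
NAT_RE = re.compile(r'\b([SD]NAT)\s+([\d.]+)->([\d.]+):(\d+)')

# Substrings of the drop messages listed above, mapped to a short reason.
DROP_SIGNATURES = [
    ("reverse path check fail", "rpf-fail (asymmetric routing or spoofed source)"),
    ("no matching policy", "implicit-deny (no policy matched)"),
    ("check failed on policy 0", "implicit-deny (policy 0)"),
    ("sse_match denied", "session-deny"),
]


def parse_trace(text):
    """Group debug flow lines by trace_id -> list of (func, msg)."""
    traces = {}
    current = None  # (trace_id, func) of the most recent header line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.search(line)
        if h:
            current = (int(h.group(1)), h.group(2))
            traces.setdefault(current[0], [])
        m = MSG_RE.search(line)  # msg may sit on the header line or the next one
        if m and current is not None:
            traces[current[0]].append((current[1], m.group(1)))
    return traces


def summarize(events):
    """Reduce one trace's (func, msg) events to a verdict dict."""
    summary = {"packet": None, "policy": None, "nat": None,
               "verdict": "no-verdict", "reason": None}
    for _func, msg in events:
        p = PACKET_RE.search(msg)
        if p:
            summary["packet"] = {"proto": int(p.group(1)),
                                 "src": f"{p.group(2)}:{p.group(3)}",
                                 "dst": f"{p.group(4)}:{p.group(5)}"}
        pol = POLICY_RE.search(msg)
        if pol:
            summary["policy"] = int(pol.group(1))
            summary["verdict"] = "allowed"
        n = NAT_RE.search(msg)
        if n:
            summary["nat"] = f"{n.group(1)} {n.group(2)}->{n.group(3)}:{n.group(4)}"
        for needle, reason in DROP_SIGNATURES:
            if needle in msg:
                summary["verdict"] = "dropped"
                summary["reason"] = reason
                break
    return summary


def analyze(text):
    """Return {trace_id: summary} for a whole debug flow capture."""
    return {tid: summarize(ev) for tid, ev in parse_trace(text).items()}


if __name__ == "__main__":
    for tid, s in analyze(SAMPLE_TRACE).items():
        pkt = s["packet"] or {}
        print(f"trace {tid}: {pkt.get('src')} -> {pkt.get('dst')} proto={pkt.get('proto')} "
              f"verdict={s['verdict']} policy={s['policy']} nat={s['nat']} reason={s['reason']}")
```

Paste the output of a `diagnose debug flow trace start N` session into SAMPLE_TRACE (or read it from a file) and each trace collapses to one line: allowed packets show the policy id and NAT rewrite, dropped packets show which of the messages above caused the drop. The message substrings are matched loosely on purpose, since the exact wording varies slightly between FortiOS versions.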

Example: Debug "client can't reach the internet"

diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.0.50
diagnose debug flow filter daddr 8.8.8.8
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 5

# From client:
ping 8.8.8.8

# Watch — should see policy match + SNAT + egress on wan1.
# If you see "no matching policy" — firewall policy missing.

diagnose debug disable