Session Not Matching the Expected Policy¶
Symptom: you created a policy that should match traffic, but it isn't catching what you expect: either a deny policy isn't blocking, or an accept policy isn't passing.
Diagnose¶
1. Find which policy IS matching¶
Use Debug Flow to see what the FortiGate actually does with the packet. Filter as narrowly as you can (source, destination, and destination port) so the trace only shows the flow you care about:
diagnose debug flow filter clear
diagnose debug flow filter saddr <source-ip>
diagnose debug flow filter daddr <dest-ip>
diagnose debug flow filter dport <dest-port>
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug enable
diagnose debug flow trace start 10
Generate the traffic, then stop the trace and clean up so the filter does not linger for the next person:
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug disable
diagnose debug reset
The output reveals which policy ID was matched: look for "Allowed by Policy Index: <id>" or "Denied by forward policy check (policy <id>)". Policy 0 is the implicit deny, meaning no configured policy matched at all. The trace also shows the ingress interface ("received a packet ... from <intf>") and the egress interface chosen by routing ("find a route ... via <intf>"); compare all of these with what you expected.
2. Check policy order¶
diagnose firewall iprope show 100004 | grep "rule "
Lists policies in evaluation order with hit counts (table 100004 is the IPv4 forward policy table). Matching is top-down and the first match wins, so a broad policy above the one you wrote shadows it. `show firewall policy` on the CLI prints the configured policies in the same order.
3. Verify policy criteria¶
A common cause: the source, destination, interfaces or service on the policy are narrower than the actual traffic.
- Interfaces: do the incoming and outgoing interfaces on the policy match the ingress interface and the routed egress interface shown in the debug flow output?
- Source: does the address object actually contain the source IP?
- Destination: for VIPs, the destination must be the VIP object, not the underlying internal IP.
- Service: the built-in HTTPS service only matches TCP/443, not 8443 or 4443. Use a custom service, or ALL for testing.
- Schedule: is it always? A policy with an expired or out-of-hours schedule silently stops matching.
- Source User Groups: does FSSO know about the user? A policy with a user group only matches traffic from an IP the FortiGate has already mapped to a logged-in user.
4. Verify the policy is enabled¶
show firewall policy <id>
A disabled policy has `set status disable` in its configuration and appears greyed out in the GUI; it does not match traffic. You can also check whether the kernel loaded it with diagnose firewall iprope show 100004 | grep "rule <id>".
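The four steps above are a manual read of the debug flow output. The following is an added example (not part of the original page or of any Fortinet tooling) that automates that read: it parses the flow trace, extracts per-trace source, destination, port, ingress and egress interfaces and the policy verdict, and reports whether the flow hit the policy you expected, a different policy, or the implicit deny (policy 0). The trace text is constructed to look like `diagnose debug flow` output rather than captured from a real unit, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of "diagnose debug flow" output (not captured from a real unit).
# trace_id=1: TCP/443 allowed by policy 5.
# trace_id=2: TCP/8443 from the same host hits no policy and lands on the implicit deny.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.1.1.10:51234->203.0.113.5:443) from port2. flag [S], seq 1000 ack 0 win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5760 msg="allocate a new session-00001234"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=744 msg="Allowed by Policy Index: 5: AV-CMD_ID=0"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.1.1.10:51235->203.0.113.5:8443) from port2. flag [S], seq 2000 ack 0 win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5760 msg="allocate a new session-00001235"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=2 func=fw_forward_handler line=747 msg="Denied by forward policy check (policy 0)"
"""

# Ingress line: 5-tuple plus the interface the packet arrived on. The greedy \S+ followed
# by a literal dot copes with dotted VLAN interface names such as port1.100.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<srcintf>\S+)\.(?:[\s\"]|$)"
)
ROUTE_RE = re.compile(r"find a route: .* via (?P<dstintf>\S+)\"")
ALLOW_RE = re.compile(r"Allowed by Policy Index: (?P<pid>\d+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")


@dataclass
class Flow:
    trace_id: str
    proto: Optional[int] = None
    src: str = ""
    dst: str = ""
    dport: Optional[int] = None
    srcintf: str = ""
    dstintf: str = ""
    verdict: str = "unknown"       # "allow", "deny" or "unknown"
    policy_id: Optional[int] = None  # 0 means the implicit deny


def parse_debug_flow(text: str) -> Dict[str, Flow]:
    """Group trace lines by trace_id and pull out the fields a policy check needs."""
    flows: Dict[str, Flow] = {}
    for line in text.splitlines():
        tid = re.search(r"\btrace_id=(\d+)", line)
        if not tid:
            continue
        flow = flows.setdefault(tid.group(1), Flow(trace_id=tid.group(1)))
        pkt = PKT_RE.search(line)
        if pkt:
            flow.proto = int(pkt["proto"])
            flow.src, flow.dst = pkt["src"], pkt["dst"]
            flow.dport = int(pkt["dport"])
            flow.srcintf = pkt["srcintf"]
            continue
        route = ROUTE_RE.search(line)
        if route:
            flow.dstintf = route["dstintf"]
            continue
        allow = ALLOW_RE.search(line)
        if allow:
            flow.verdict, flow.policy_id = "allow", int(allow["pid"])
            continue
        deny = DENY_RE.search(line)
        if deny:
            flow.verdict, flow.policy_id = "deny", int(deny["pid"])
    return flows


def check_against_expected(flow: Flow, expected_policy: int) -> Tuple[str, str]:
    """Return (status, message); status is one of ok, wrong-policy, implicit-deny, no-decision."""
    what = (f"{flow.src}->{flow.dst} proto {flow.proto} dport {flow.dport} "
            f"via {flow.srcintf}->{flow.dstintf}")
    if flow.policy_id is None:
        return "no-decision", f"trace {flow.trace_id}: no policy verdict logged for {what}"
    if flow.policy_id == 0:
        return "implicit-deny", (f"trace {flow.trace_id}: {what} matched no policy and hit the "
                                 f"implicit deny (policy 0); check interfaces, addresses, service")
    if flow.policy_id != expected_policy:
        return "wrong-policy", (f"trace {flow.trace_id}: {what} matched policy {flow.policy_id} "
                                f"({flow.verdict}) instead of {expected_policy}; check policy order")
    return "ok", f"trace {flow.trace_id}: {what} matched expected policy {expected_policy} ({flow.verdict})"


if __name__ == "__main__":
    for flow in parse_debug_flow(SAMPLE_TRACE).values():
        print(check_against_expected(flow, expected_policy=5)[1])
```

Paste real trace output in place of SAMPLE_TRACE (or read it from a file); the only lines that matter are the "received a packet", "find a route", "Allowed by Policy Index" and "Denied by forward policy check" messages, which is why the filter in step 1 should be tight enough that other flows do not interleave with yours.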
Common Specific Issues¶
Higher-priority deny policy catching first¶
Reorder. In the GUI, drag the specific accept above the broad deny; on the CLI, inside config firewall policy, use move <accept-id> before <deny-id>. Then re-run the debug flow to confirm the new policy index is reported.
VIP destination not used¶
When using a VIP, the firewall policy's Destination must be the VIP object, NOT the underlying internal IP. The VIP handles the NAT; the policy's destination is what triggers the VIP. The reverse problem also exists: a deny policy whose destination is the external address will not block VIP traffic unless the policy has set match-vip enable, because by default the lookup is done against the translated (internal) destination.
Service object too narrow¶
Test with Service = ALL first. If it works, narrow the service.
Source User Group with FSSO¶
User not visible to FortiGate. Check diagnose firewall auth list | grep <user>. If absent, FSSO isn't working — see Configure FSSO.
Session reuse¶
Pre-existing sessions may still be tied to the policy that was in effect when they started; whether they are re-evaluated after a policy change depends on firewall-session-dirty under config system settings. Clearing them is the unambiguous test. Always set the filter first: diagnose sys session clear with no filter drops every session on the unit.
diagnose sys session filter src <source-ip>
diagnose sys session list
diagnose sys session clear
diagnose sys session filter clear
New connections are evaluated fresh against the current policy table.