Session Not Matching the Expected Policy

Symptom: you created a policy that should match traffic, but it's not catching what you expect — either deny policy isn't blocking, or accept policy isn't passing.

Diagnose

1. Find which policy IS matching

Use Debug Flow to see what FortiGate actually does with the packet.

diagnose debug flow filter clear
diagnose debug flow filter saddr <source-ip>
diagnose debug flow filter daddr <dest-ip>
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 10

When you have the trace you need, stop it and turn debugging off again:

diagnose debug flow trace stop
diagnose debug disable

The output reveals which policy ID was matched. Compare with what you expected.
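A debug flow trace can run to dozens of lines per packet, so it helps to reduce it to one row per trace: the 5-tuple, the policy ID that matched, and whether the packet was allowed or denied. The Python below is an added example, not code from the page or from Fortinet; the sample trace it parses is constructed for the example (the message wording follows the usual debug flow lines, but the addresses, session IDs and policy numbers are made up). It also makes the implicit deny visible: when no policy matches, debug flow reports "policy 0".

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug flow" output (made up for this example,
# not captured from a device); the message wording follows FortiGate's usual
# debug flow lines. trace_id 1 hits policy 5; trace_id 2 (port 8443) falls
# through to the implicit deny, which debug flow reports as policy 0.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51234->203.0.113.10:443) from port1. flag [S], seq 12345, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-0000123a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.0.2.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51235->203.0.113.10:8443) from port1. flag [S], seq 23456, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5794 msg="allocate a new session-0000123b"
id=20085 trace_id=2 func=fw_forward_handler line=727 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"\s*$')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_debug_flow(text):
    """Group lines by trace_id; return {trace_id: {5-tuple fields, policy, verdict}}."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, _func, msg = m.groups()
        t = traces[tid]
        pkt = PKT_RE.search(msg)
        if pkt:
            proto, src, sport, dst, dport, iface = pkt.groups()
            t.update(proto=int(proto), src=src, sport=int(sport),
                     dst=dst, dport=int(dport), ingress=iface)
        allow = ALLOW_RE.search(msg)
        if allow:
            t.update(policy=int(allow.group(1)), verdict="allow")
        deny = DENY_RE.search(msg)
        if deny:
            t.update(policy=int(deny.group(1)), verdict="deny")
    return dict(traces)


def mismatches(traces, expected_policy):
    """Traces that did not land on the policy you expected, with what matched instead."""
    out = []
    for tid, t in sorted(traces.items(), key=lambda kv: int(kv[0])):
        matched = t.get("policy")
        if matched == expected_policy:
            continue
        if matched == 0:
            note = "no policy matched (implicit deny)"
        elif matched is not None:
            note = f"matched policy {matched}"
        else:
            note = "no verdict in trace"
        out.append({"trace_id": tid,
                    "flow": f"{t.get('src')}:{t.get('sport')}->{t.get('dst')}:{t.get('dport')}",
                    "verdict": t.get("verdict"), "note": note})
    return out


if __name__ == "__main__":
    traces = parse_debug_flow(SAMPLE_TRACE)
    for row in mismatches(traces, expected_policy=5):
        print(row)
```

Feed it the captured trace (paste it into SAMPLE_TRACE or read it from a file) and pass the policy ID you expected; every trace that hit a different policy, or fell through to the implicit deny, is listed with its 5-tuple so you can go straight to the order and criteria checks below.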

2. Check policy order

diagnose firewall iprope show 100004 | grep "rule "

Lists policies in evaluation order with hit counts. Top-down matching — first match wins.

3. Verify policy criteria

A common cause is a source, destination or service definition that is narrower than the actual traffic.

  • Source: does the address object cover the actual source IP?
  • Destination: for VIPs, the destination must be the VIP object (not the underlying internal IP).
  • Service: if HTTPS, only TCP/443 matches — not 8443 or 4443. Use a custom service or ALL for testing.
  • Schedule: is it "always", or a schedule that is not currently active?
  • Source User Groups: does FSSO know about the user?

4. Verify the policy is enabled

diagnose firewall iprope show 100004 | grep "rule <id>"

Disabled policies still show in the list but don't match traffic.
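Steps 2 to 4 come down to one rule: policies are evaluated top-down, every criterion of a policy has to match, and the first policy where they all match wins. The Python below is an added example, not code from the page or from Fortinet: it re-implements that evaluation over constructed address, service and policy objects (all hypothetical, including the policy IDs and addresses) and reports, for each policy that was skipped, which criterion failed. The examples in the main block reproduce the cases this page lists: a broad deny above a specific accept, an HTTPS service that does not cover port 8443, a policy whose destination is the internal IP instead of the VIP object, and a disabled policy. Schedules other than "always" are treated as inactive, an assumption the toy makes because it has no clock.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address and service objects (hypothetical, not from any device).
# Services are (protocol, low-port, high-port); note that HTTPS is TCP/443 only.
ADDRESSES = {
    "all": ["0.0.0.0/0"],
    "LAN": ["10.0.0.0/24"],
    "VIP_web": ["203.0.113.10/32"],       # the VIP object (external address)
    "WEB_internal": ["192.168.1.10/32"],  # the mapped internal host
}
SERVICES = {
    "HTTPS": [("tcp", 443, 443)],
    "HTTPS-ALT": [("tcp", 443, 443), ("tcp", 8443, 8443), ("tcp", 4443, 4443)],
    "ALL": [("any", 1, 65535)],
}


@dataclass
class Policy:
    id: int
    srcaddr: list
    dstaddr: list
    service: list
    action: str                 # "accept" or "deny"
    status: str = "enable"
    schedule: str = "always"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def addr_match(names, ip):
    """True if ip falls inside any CIDR of any named address object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in names for cidr in ADDRESSES[name])


def service_match(names, proto, port):
    """True if (proto, port) falls inside any entry of any named service object."""
    return any((p == "any" or p == proto) and lo <= port <= hi
               for name in names for p, lo, hi in SERVICES[name])


def match_policy(policies, flow):
    """Top-down, first match wins. Returns (policy id, action, per-policy reasons).
    Id 0 / "deny" stands for the implicit deny at the end of the list.
    Assumption: any schedule other than "always" is treated as inactive."""
    reasons = []
    for p in policies:
        checks = [
            ("status", p.status == "enable"),
            ("schedule", p.schedule == "always"),
            ("srcaddr", addr_match(p.srcaddr, flow.src)),
            ("dstaddr", addr_match(p.dstaddr, flow.dst)),
            ("service", service_match(p.service, flow.proto, flow.dport)),
        ]
        failed = [name for name, ok in checks if not ok]
        reasons.append((p.id, "match" if not failed else "fails " + ",".join(failed)))
        if not failed:
            return p.id, p.action, reasons
    return 0, "deny", reasons


if __name__ == "__main__":
    deny_all = Policy(1, ["LAN"], ["all"], ["ALL"], "deny")
    web = Policy(2, ["LAN"], ["VIP_web"], ["HTTPS"], "accept")
    https = Flow("10.0.0.5", "203.0.113.10", "tcp", 443)
    print(match_policy([deny_all, web], https))   # broad deny on top catches first
    print(match_policy([web, deny_all], https))   # reordered: policy 2 accepts
    print(match_policy([web, deny_all], Flow("10.0.0.5", "203.0.113.10", "tcp", 8443)))  # HTTPS too narrow
    print(match_policy([web, deny_all], Flow("10.0.0.5", "192.168.1.10", "tcp", 443)))   # internal IP, not the VIP
```

The "reasons" list is the useful part: when the policy you expected is not the one returned, its entry names the single criterion that excluded it, which is exactly the item in step 3 to fix.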

Common Specific Issues

Higher-priority deny policy catching first

Reorder. Drag the specific accept above the broad deny.

VIP destination not used

When using a VIP, the firewall policy's Destination must be the VIP object, NOT the underlying internal IP. The VIP handles NAT; the policy's destination is what triggers the VIP.

Service object too narrow

Test with Service = ALL first. If it works, narrow the service.

Source User Group with FSSO

The user is not visible to FortiGate. Check diagnose firewall auth list | grep <user>. If the user is absent, FSSO isn't working — see Configure FSSO.

Session reuse

Pre-existing sessions keep the policy they matched when they were created, so a policy change does not affect them. Force re-evaluation by clearing them:

diagnose sys session filter src <source-ip>
diagnose sys session clear

New connections are evaluated fresh. Set the filter first: without one, diagnose sys session clear drops every session on the unit.