mpapisetty
Staff
January 9, 2026

Troubleshooting Tip: Traffic continues to match firewall policy after Virtual IP removal

Description

This article describes a scenario where traffic continues to match a firewall policy on a FortiGate even after the associated Virtual IP (VIP) has been removed. The article provides a step-by-step guide to resolving this issue by clearing the existing sessions from the session table.

Scope

FortiGate.

Solution

To resolve this issue, follow these steps:

  1. Identify the existing sessions in the session table that are continuously refreshed by traffic. This can be done by running the 'diagnose sys session list' command. If the session list is very large, refer to this article to learn how to filter the sessions: Technical Tip: How it is possible to use 'filter' with 'diagnose sys session list' command to get the intended result.
  2. Clear the existing sessions using the 'diagnose sys session clear' command. Apply the appropriate filters first so that only the sessions of interest are cleared, for example 'diagnose sys session filter dst <destination-ip>' followed by 'diagnose sys session clear'.
  3. Verify that the sessions have been cleared by running 'diagnose sys session list' again with the same filters applied.
  4. Test the firewall policy to ensure that traffic no longer matches the old policy.

 

In the following example, the Virtual IP sessions were filtered with the internal port:

VIP config: [screenshot: vip-example.png]

Session clear: [screenshot: vip-session-clear.png]

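The filtering step above is easy to get wrong on a busy firewall, because an outbound SNAT session also shows an 'act=dnat' line in its reply direction. As an added example (not from the article or from Fortinet), the following Python script parses a constructed 'diagnose sys session list' excerpt, keeps only sessions whose original-direction DNAT target is the removed VIP's mapped IP and internal port, and emits the filter/list/clear command sequence from steps 2 and 3 for each policy ID those sessions still hit. The session-list layout, the addresses, the policy IDs and the serials are constructed sample data; the 'filter policy' and 'filter dport' keywords are assumed from the 'diagnose sys session filter' command family the article refers to.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of 'diagnose sys session list' output (not captured from a
# real device). Session 1 is inbound traffic that was DNATed by the removed VIP
# to 192.168.1.10:8443 and still matches policy 12; session 2 is an unrelated
# outbound SNAT session on policy 5.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=01 duration=29 expire=3570 timeout=3600 flags=00000000 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu none log-start
statistic(bytes/packets/allow_err): org=1126/7/1 reply=1349/6/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->3/3->5 gwy=192.168.1.10/10.0.0.1
hook=pre dir=org act=dnat 203.0.113.5:50000->198.51.100.20:443(192.168.1.10:8443)
hook=post dir=reply act=snat 192.168.1.10:8443->203.0.113.5:50000(198.51.100.20:443)
misc=0 policy_id=12 auth_info=0 chk_client_info=0 vd=0
serial=0001234a tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu none log-start
statistic(bytes/packets/allow_err): org=620/4/1 reply=980/3/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=3->5/5->3 gwy=10.0.0.1/192.168.1.50
hook=post dir=org act=snat 192.168.1.50:40000->203.0.113.80:443(198.51.100.1:40000)
hook=pre dir=reply act=dnat 203.0.113.80:443->198.51.100.1:40000(192.168.1.50:40000)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
serial=0001234b tos=ff/ff app_list=0 app=0 url_cat=0
total session 2
"""

# Only the original direction of a VIP session shows the translation as
# "orig_src->orig_dst(translated_dst)". The reply direction of an outbound SNAT
# session also carries act=dnat, so dir=org is required to avoid false hits.
DNAT_RE = re.compile(r"hook=pre dir=org act=dnat (\S+)->(\S+)\((\S+)\)")
FIELD_RE = {
    "proto": re.compile(r"proto=(\d+)"),
    "expire": re.compile(r"expire=(\d+)"),
    "policy_id": re.compile(r"policy_id=(\d+)"),
    "serial": re.compile(r"serial=([0-9a-fA-F]+)"),
}


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split session-list output into one dict per 'session info:' block."""
    sessions = []
    for chunk in re.split(r"(?m)^(?=session info:)", text):
        if not chunk.startswith("session info:"):
            continue  # leading empty chunk produced by the lookahead split
        entry: Dict[str, str] = {}
        for name, rx in FIELD_RE.items():
            m = rx.search(chunk)
            entry[name] = m.group(1) if m else ""
        m = DNAT_RE.search(chunk)
        if m:
            entry["orig_src"], entry["orig_dst"], entry["dnat_dst"] = m.groups()
        sessions.append(entry)
    return sessions


def sessions_hitting_vip(sessions: List[Dict[str, str]], mapped_ip: str,
                         mapped_port: Optional[int] = None) -> List[Dict[str, str]]:
    """Return sessions whose post-DNAT destination is the VIP's mapped IP (and port)."""
    hits = []
    for s in sessions:
        dnat = s.get("dnat_dst")
        if not dnat:
            continue  # no original-direction DNAT: not a VIP session
        ip, _, port = dnat.rpartition(":")
        if ip != mapped_ip:
            continue
        if mapped_port is not None and port != str(mapped_port):
            continue
        hits.append(s)
    return hits


def clear_commands(hits: List[Dict[str, str]], mapped_port: Optional[int] = None) -> List[str]:
    """Build the filter/list/clear sequence from the article, one policy ID at a time.

    Assumption: 'filter policy' and 'filter dport' are the session-filter
    keywords used to narrow the clear to the sessions found above.
    """
    cmds: List[str] = []
    for pid in sorted({h["policy_id"] for h in hits if h["policy_id"]}, key=int):
        cmds += ["diagnose sys session filter clear",
                 f"diagnose sys session filter policy {pid}"]
        if mapped_port is not None:
            cmds.append(f"diagnose sys session filter dport {mapped_port}")
        cmds += ["diagnose sys session list",   # verify the filter before clearing
                 "diagnose sys session clear"]
    return cmds


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_SESSION_LIST)
    stale = sessions_hitting_vip(found, "192.168.1.10", 8443)
    for s in stale:
        print(f"serial={s['serial']} policy_id={s['policy_id']} "
              f"{s['orig_src']} -> {s['orig_dst']} DNAT {s['dnat_dst']} expire={s['expire']}s")
    print("\n".join(clear_commands(stale, 8443)))
```

On a real device, paste the saved output of 'diagnose sys session list' into the script's input instead of the constructed sample; the 'expire' value tells you whether a session is still being refreshed by traffic (a timer that never runs down) or would age out on its own.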

Before applying the steps above, collect the debug flow and the iprope list output for the VIP rules; this confirms that the VIP is not in use by any policy:


  • Debug flow:

diagnose debug reset
diagnose debug flow show fun en
diagnose debug flow filter addr x.x.x.x <-------------- Where x.x.x.x is the source IP address.
diagnose debug flow filter addr y.y.y.y <-------------- Where y.y.y.y is the destination IP address.
diagnose debug flow trace start 999
diagnose debug enable

 

Replicate the issue.


After 10-20 seconds, disable the logs by executing the following:

 

diagnose debug disable

 

  • iprope list output:

 

diagnose firewall iprope list 100000

 

The VIP will still be used for source NAT even when it is not referenced in any policy. To avoid issues, the best approach is to delete it and keep the configuration as clean as possible.


By default, a VIP is hit by traffic arriving from any source and on any interface. A source filter (by IP address) or a source-interface filter can therefore be configured to limit where the VIP applies.


config firewall vip
    edit "<VIP>"
        set src-filter <ip-address>
        set srcintf-filter <interface-name> <-------------- Multiple interfaces can be added.
    next
end


Related articles: 

Technical Tip: iPrope policies group

Technical Tip: Mapping VIP outbound connections (Source NAT)