FortiGate Phantom Traffic
Alright, so we just migrated our datacenter firewall from a Cisco ASA to new FortiGate boxes, and inside this DC is our primary/active FortiManager VM. Well, with this migration we pre-created the DNAT policy to map a public address to the inside IP of the FortiManager VM but intentionally did not create a security policy, expecting all the traffic would be blocked and all the external/remote boxes would disconnect.
To our surprise, after the migration was completed we logged into FortiManager and found that all the remote firewalls were still connected and fully communicating. After this discovery we quickly logged into the edge firewall and did not see a single trace of that traffic outside of the hit counters on the DNAT rules. It's as if this traffic doesn't exist - the only thing demonstrating it exists is all the connected devices.
The firewall is running in policy-based mode, and there is currently a 1:1 DNAT rule but no security policy for the flow. Has anyone experienced this or know why this could be occurring? We opened a support case, but the engineer seemed stumped and is escalating the issue internally. Figured I'd ask the group, as we obviously want to ensure our FortiManager and any other potentially affected systems aren't exposed.
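Added diagnostic example (not from the original post, and not a Fortinet-documented answer to the question): the FortiOS CLI sequence I would run on the edge FortiGate to find out which policy, if any, the FortiManager traffic is actually being matched against, since the GUI logs show nothing. It assumes the FortiManager's inside address is 10.10.10.5 (a placeholder) and that the remote devices use the default FGFM port, TCP 541; substitute your own mapped address.

```fortios
# 1. Inventory: the VIP/DNAT object and every policy that references it.
#    In policy-based mode, check both policy tables, not just one.
show firewall vip
show firewall policy | grep -f vip
show firewall security-policy

# 2. Prove the packets are there at the interface level (verbosity 4 prints
#    the ingress/egress interface names, which is what the GUI is hiding).
diagnose sniffer packet any 'host 10.10.10.5 and port 541' 4 10

# 3. Trace the flow through the policy engine. The output names the policy
#    ID that accepts or denies each session, e.g. "Allowed by Policy-N" or
#    "Denied by forward policy check (policy 0)".
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.10.10.5
diagnose debug flow filter port 541
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable
#    ... wait for one remote FortiGate to re-establish its FGFM tunnel ...
diagnose debug disable
diagnose debug reset

# 4. Look at the live session table for the same flow; the policy_id= field
#    on each entry is the authoritative record of which policy admitted it.
diagnose sys session filter clear
diagnose sys session filter dport 541
diagnose sys session list
```

What to look for: if step 3 prints an "Allowed by Policy-N" line, policy N is the one to inspect (or, if N is 0, the traffic is being admitted without an explicit policy and that is exactly the finding to put in front of TAC). Step 4 is worth capturing even if the flow trace is quiet, because existing sessions that predate the cutover will not generate new policy-lookup messages until they are cleared.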
