leej
Staff
Article Id 422258
Description This article describes a specific case where a traffic log is not recorded even though a transparent proxy policy exists.
Scope FortiProxy Transparent Mode.
Solution

Users operating Transparent Proxy mode may sometimes encounter situations where denied logs are not recorded, even when a deny policy exists.

 

Here are three very simple Transparent Proxy policies, with logging enabled on Policy No.53.

 

1.jpg

 

Here are two proxy address objects:

 

2.address.jpg

 

A user accessing "www.enoan2107.com" is NOT allowed by Policy No.53.

 

However, no logs appear:

 

3_enoan2107.com-2.jpg

 

The Wireshark PCAP file and the session table indicate that the FortiProxy-Server session is in the 'SYN_SENT' state.

 

3_enoan2107.com.jpg

 

A user accessing 'www.httpforever.com' is NOT allowed by Policy No.53. In this case, a log appears:

 

date=2025-11-26 time=13:18:35 eventtime=1764130715000 tz="+0900" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.114 srcport=51366 srcintf="port2" srcintfrole="undefined" dstip=146.190.62.39 dstport=80 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=1882625781 proto=6 action="deny" policyid=53 policytype="policy" poluuid="f74b352e-ca60-51f0-ffaf-50bd006f353f" policyname="Proxy_address_policy" service="HTTP" trandisp="noop" url="http://www.httpforever.com/favicon.ico" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high" msg="Traffic denied because of transparent proxy policy"

 

The Wireshark PCAP file and the session table indicate that the FortiProxy-Server session is in the 'ESTABLISHED' state.

 

4_httpforever.com.jpg

 

The difference between the two cases is whether the TCP 3-way handshake between FortiProxy and the server is fully established.

 

This is expected behavior. If a session is NOT established between FortiProxy and the server, FortiProxy is unable to write logs.
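
The following is an added example, not part of the original article and not Fortinet code. It parses exported traffic logs in the key=value format shown above, lists the hosts that Policy No.53 should deny but that have no deny log, and checks whether a TCP handshake to each one completes. The function names are hypothetical, the sample log is the article's line shortened to the fields used, and the probe assumes it runs from a host with the same network path to the server as the FortiProxy.

```python
import re
import socket
from urllib.parse import urlsplit

# Matches key=value and key="quoted value" pairs in a traffic log line.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_log(line):
    """Return one traffic log line as a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}

def denied_hosts(lines, policy_id):
    """Hostnames that have at least one deny log written by the given policy."""
    hosts = set()
    for line in lines:
        rec = parse_log(line)
        if rec.get("action") == "deny" and rec.get("policyid") == str(policy_id):
            host = urlsplit(rec.get("url", "")).hostname
            if host:
                hosts.add(host)
    return hosts

def missing_deny_logs(expected_hosts, lines, policy_id):
    """Hosts the policy should deny that have no deny log at all."""
    return sorted(set(expected_hosts) - denied_hosts(lines, policy_id))

def handshake_completes(host, port=80, timeout=3.0):
    """True if a TCP 3-way handshake to host:port completes from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (stuck in SYN_SENT) or unresolved
        return False

# Constructed sample: the article's deny log, shortened to the fields used here.
SAMPLE_LOGS = [
    'date=2025-11-26 time=13:18:35 type="traffic" subtype="forward" '
    'srcip=10.0.1.114 dstip=146.190.62.39 dstport=80 proto=6 action="deny" '
    'policyid=53 policyname="Proxy_address_policy" service="HTTP" '
    'url="http://www.httpforever.com/favicon.ico" '
    'msg="Traffic denied because of transparent proxy policy"',
]
# Hosts the article says Policy No.53 does not allow.
EXPECTED_DENIED = ["www.enoan2107.com", "www.httpforever.com"]

if __name__ == "__main__":
    for host in missing_deny_logs(EXPECTED_DENIED, SAMPLE_LOGS, 53):
        state = "completes" if handshake_completes(host) else "does not complete"
        print(f"{host}: no deny log; TCP handshake {state} from this host")
```

A host reported with no deny log and a handshake that does not complete matches the 'SYN_SENT' case described above; confirm it against the FortiProxy session table.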

 
