Description: This article describes that byte count is not displayed in firewall policy statistics for hairpin NAT traffic.
Scope: FortiOS.
Solution:
When traffic is being evaluated and processed by a firewall policy, statistics such as hit count and byte count are collected and recorded as highlighted in this document: Seven-day rolling counter for policy hit counters.
The statistics are derived from the output of the following command:
diagnose firewall iprope show 100004 <firewall policy ID>
Sample:
Juara-kvm02 # diagnose firewall iprope show 100004 1
The same information can be observed in the GUI firewall policy:
However, the byte count for hairpin NAT traffic is not recorded in the policy statistics, because the traffic does not leave the FortiGate:
session info: proto=6 proto_state=01 duration=321 expire=3593 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
The statistics show that only the policy hit count is recorded:
Juara-kvm02 # diagnose firewall iprope show 100004 2
This is an expected behavior for hairpin NAT traffic.
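As an added illustration (not part of the original article and not a Fortinet tool): the per-session counters in diagnose sys session list are still maintained for hairpin NAT sessions, so the byte volume that the policy statistics do not show can be recovered by summing the session statistic lines per policy_id. The sample text below is constructed for this example; the first session info line is the one quoted above, and the statistic, hook and policy_id lines are assumed to follow the usual layout of that command's output. Treating a session that is both DNAT'ed and SNAT'ed in the original direction as a hairpin NAT session is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `diagnose sys session list` output.
# Only the lines the parser needs are included; real output has more.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=321 expire=3593 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
statistic(bytes/packets/allow_err): org=1192/9/1 reply=1212/9/1 tuples=2
hook=post dir=org act=snat 192.168.1.10:51234->203.0.113.5:80(192.168.1.1:51234)
hook=pre dir=org act=dnat 192.168.1.10:51234->203.0.113.5:80(192.168.1.20:80)
misc=0 policy_id=2 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
statistic(bytes/packets/allow_err): org=500/5/0 reply=700/6/0 tuples=2
hook=pre dir=org act=dnat 198.51.100.7:40000->203.0.113.5:80(192.168.1.20:80)
misc=0 policy_id=1 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

# Each session block starts with a "session info:" header line.
SESSION_SPLIT = re.compile(r"(?m)^session info:")
# org=<bytes>/<pkts>/<allow_err> reply=<bytes>/<pkts>/<allow_err>
STAT_RE = re.compile(
    r"statistic\(bytes/packets/allow_err\): org=(\d+)/\d+/\d+ reply=(\d+)/\d+/\d+"
)
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
HOOK_RE = re.compile(r"^hook=\S+ dir=(org|reply) act=(\w+)", re.M)


def parse_sessions(text):
    """Yield one dict per session block: policy id, byte counters, hairpin flag."""
    blocks = SESSION_SPLIT.split(text)[1:]  # text before the first header is not a session
    for block in blocks:
        stat = STAT_RE.search(block)
        pol = POLICY_RE.search(block)
        if not stat or not pol:
            continue  # truncated block: skip rather than guess
        org_acts = {act for direction, act in HOOK_RE.findall(block) if direction == "org"}
        yield {
            "policy_id": int(pol.group(1)),
            "org_bytes": int(stat.group(1)),
            "reply_bytes": int(stat.group(2)),
            # Assumed hairpin signature: the original direction is DNAT'ed to the
            # VIP's mapped address and also SNAT'ed, so the reply returns via the
            # FortiGate instead of going directly to the client.
            "hairpin": {"snat", "dnat"} <= org_acts,
        }


def bytes_per_policy(text):
    """Sum org+reply bytes and count hairpin sessions for every policy id seen."""
    totals = defaultdict(lambda: {"sessions": 0, "hairpin_sessions": 0, "bytes": 0})
    for s in parse_sessions(text):
        t = totals[s["policy_id"]]
        t["sessions"] += 1
        t["hairpin_sessions"] += int(s["hairpin"])
        t["bytes"] += s["org_bytes"] + s["reply_bytes"]
    return dict(totals)


if __name__ == "__main__":
    for policy_id, t in sorted(bytes_per_policy(SAMPLE).items()):
        print(f"policy {policy_id}: sessions={t['sessions']} "
              f"hairpin={t['hairpin_sessions']} bytes={t['bytes']}")
```

Feed it the saved output of diagnose sys session list (for example after a filter on the policy id) and compare the per-policy total with the policy's hit count from diagnose firewall iprope show 100004; for a hairpin NAT policy the hit count will increase while the policy byte count stays at zero, and the session-level sum is the only place the volume is visible.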
Copyright 2025 Fortinet, Inc. All Rights Reserved.