kcheng
Staff & Editor
Article Id 399941
Description This article describes why the byte count is not displayed in firewall policy statistics for hairpin NAT traffic.
Scope FortiOS.
Solution

When traffic is evaluated and processed by a firewall policy, statistics such as hit count and byte count are collected and recorded, as described in the document 'Seven-day rolling counter for policy hit counters'.


The statistics shown in the policy are derived from the output of the following command:


diagnose firewall iprope show 100004 <firewall policy ID>


Sample:


Juara-kvm02 # diagnose firewall iprope show 100004 1
idx:1
pkts:680 (680 0 0 0 0 0 0 0)
bytes:641040 (641040 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:16 (16 0 0 0 0 0 0 0)
first hit:2025-07-07 15:51:36 last hit:2025-07-07 15:52:11
established session count:0
first est:2025-07-07 15:51:36 last est:2025-07-07 15:52:11


The same information can be observed in the GUI firewall policy:


(screenshot: firewall policy statistics as shown in the GUI)


However, byte counts for hairpin NAT traffic are not recorded, because the traffic does not leave the FortiGate. An example hairpin NAT session:


session info: proto=6 proto_state=01 duration=321 expire=3593 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=2408/14/1 reply=3265/12/1 tuples=4
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 10/0
orgin->sink: org pre->post, reply pre->post dev=4->4/4->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.251.5.68:64776->10.47.3.118:8443(10.251.3.134:443)
hook=post dir=org act=snat 10.251.5.68:64776->10.251.3.134:443(10.251.3.118:64776)
hook=pre dir=reply act=dnat 10.251.3.134:443->10.251.3.118:64776(10.251.5.68:64776)
hook=post dir=reply act=snat 10.251.3.134:443->10.251.5.68:64776(10.47.3.118:8443)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 pol_uuid_idx=15748 auth_info=0 chk_client_info=0 vd=0
serial=0010b1c0 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off


The policy statistics show that only the hit count is recorded for this session:


Juara-kvm02 # diagnose firewall iprope show 100004 2
idx:2
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0) ---> Showing 0 despite active session and hitcount.
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:42 (42 0 0 0 0 0 0 0)
first hit:2025-07-07 16:42:45 last hit:2025-07-07 18:30:52


(screenshot: the same policy statistics for policy 2 as shown in the GUI)


This is expected behavior for hairpin NAT traffic.
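Because a zero byte count with a rising hit count is expected for hairpin NAT but would be worth investigating for ordinary policies, a triage check that cross-references the two outputs is useful. The script below is an added example, not part of this article or of FortiOS; the sample strings are constructed from the output formats shown above (trimmed to the fields used), and the hairpin test (DNAT at pre-routing plus SNAT at post-routing on the originating direction, same ingress and egress device) is the heuristic assumed here.

```python
import re

# Constructed samples, trimmed to the fields the checker needs; the formats
# follow the "diagnose firewall iprope show 100004 <id>" and session output above.
IPROPE_OUTPUT = """idx:2
pkts:0 (0 0 0 0 0 0 0 0)
bytes:0 (0 0 0 0 0 0 0 0)
hit count:42 (42 0 0 0 0 0 0 0)
"""
SESSION_LIST = """session info: proto=6 proto_state=01 duration=321
orgin->sink: org pre->post, reply pre->post dev=4->4/4->4 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=dnat 10.251.5.68:64776->10.47.3.118:8443(10.251.3.134:443)
hook=post dir=org act=snat 10.251.5.68:64776->10.251.3.134:443(10.251.3.118:64776)
misc=0 policy_id=2 pol_uuid_idx=15748 auth_info=0 chk_client_info=0 vd=0
"""

def parse_iprope(text):
    """Pull the policy index and the summary counters out of iprope output."""
    get = lambda key: int(re.search(rf"^{key}:(\d+)", text, re.M).group(1))
    return {"idx": get("idx"), "pkts": get("pkts"), "bytes": get("bytes"),
            "hits": get("hit count")}

def parse_sessions(text):
    """Split a session list into dicts: policy id, in/out device, NAT hooks."""
    sessions = []
    for block in text.split("session info:")[1:]:
        pol = re.search(r"policy_id=(\d+)", block)
        dev = re.search(r"dev=(\d+)->(\d+)", block)  # org direction pre->post
        hooks = set(re.findall(r"hook=(\w+) dir=org act=(\w+)", block))
        sessions.append({"policy_id": int(pol.group(1)) if pol else None,
                         "dev_in": int(dev.group(1)) if dev else None,
                         "dev_out": int(dev.group(2)) if dev else None,
                         "hooks": hooks})
    return sessions

def is_hairpin(s):
    """Assumed hairpin signature: DNAT at pre-routing and SNAT at post-routing
    on the originating direction, entering and leaving on the same device."""
    return ({("pre", "dnat"), ("post", "snat")} <= s["hooks"]
            and s["dev_in"] is not None and s["dev_in"] == s["dev_out"])

def classify(counters, sessions):
    """Decide whether bytes:0 alongside a non-zero hit count is expected."""
    if counters["hits"] == 0 or counters["bytes"] > 0:
        return "ok"
    mine = [s for s in sessions if s["policy_id"] == counters["idx"]]
    if mine and all(is_hairpin(s) for s in mine):
        return "expected: hairpin NAT sessions only"
    return "investigate: zero bytes with non-hairpin sessions"
```

Feed it the full iprope and session-list output for a policy; `classify(parse_iprope(...), parse_sessions(...))` returns the expected-behavior verdict for the sample above.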