FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.


This article describes how to check policy matching for Policy-based operation mode.


In Policy-based mode the firewall policy is split into two sections (the section names and CLI tables depend on the FOS version):

Native policy                              | Application control policy              | FOS version
-------------------------------------------+-----------------------------------------+----------------
SSL Inspection & Authentication            | Security Policy                         | 7.0 & 6.4
CLI: config firewall policy                | CLI: config firewall security-policy    |
SSL Inspection & Authentication            | Security Policy                         | 6.2.3 and above
CLI: config firewall consolidated policy   | CLI: config firewall security-policy    |
Firewall Policy                            | Security Policy                         | below 6.2.3
CLI: config firewall consolidated policy   | CLI: config firewall security-policy    |

Because the policy is split into two sections, using debug flow (refer to FD30038 for the detailed commands) to check which policy traffic is hitting will only show the policy defined in the native policy section. To debug the Security Policy, which is handled by IPS, use the debugs below.

To start the debug:

# diagnose ips pme debug enable
# diagnose debug enable

To stop the debug:

# diagnose debug disable
# diagnose ips pme debug disable

** Note.
You can also apply a BPF filter to the PME debugs to limit them to specific traffic, for example:

diagnose ips filter set "host and port 443"

It is also advised to run these debugs with extra caution, preferably during periods of low traffic.

The debugging above is only required for deeper investigation of why traffic is not hitting the correct policy; the session list gives a quick view of which policies a session is hitting.
The example below shows SSH traffic from a host to a destination; the fields policy_id=2 and ngfwid=2 (highlighted in red in the original output) indicate a match on firewall policy 2 (policy_id) and security policy 2 (ngfwid).

session info: proto=6 proto_state=11 duration=3 expire=29 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr npu
statistic(bytes/packets/allow_err): org=160/3/1 reply=131/2/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->16/16->9 gwy=
hook=post dir=org act=snat>
hook=pre dir=reply act=dnat>
hook=post dir=reply act=noop>
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001540 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=2
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=75/75, ipid=132/146, vlan=0x0000/0x0000
vlifid=132/146, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=10/11
no_ofld_reason:  block-by-ips redir-to-ips

The session above indicates that the traffic was dropped by IPS; see the last line (no_ofld_reason: block-by-ips).
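As an added example (not part of the Fortinet article), the following Python script parses session output in the format shown above and reports, per session, the matched firewall policy (policy_id), the matched security policy (ngfwid) and whether IPS blocked the flow. The sample session text is constructed and abbreviated; it is not captured from a real device.

```python
import re

# Constructed sample in the format of the session output above (abbreviated
# to the lines the triage needs); not captured from a real FortiGate.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=11 duration=3 expire=29 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr npu
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001540 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=2
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=75/75, ipid=132/146, vlan=0x0000/0x0000
no_ofld_reason:  block-by-ips redir-to-ips
"""

KV_RE = re.compile(r"(\w+)=([^\s,]+)")  # key=value pairs, comma-separated in npu info


def parse_sessions(text):
    """Split session list output into one dict of key/value fields per session."""
    sessions = []
    current = None
    for line in text.splitlines():
        if line.startswith("session info:"):
            if current is not None:
                sessions.append(current)
            current = {}
        if current is None:
            continue  # text before the first session block
        reason = re.match(r"no_ofld_reason:\s*(.*)", line)
        if reason:
            # Flags explaining why the session was not offloaded, e.g. block-by-ips
            current["no_ofld_reason"] = reason.group(1).split()
            continue
        for key, value in KV_RE.findall(line):
            current.setdefault(key, value)  # first occurrence wins
    if current is not None:
        sessions.append(current)
    return sessions


def triage(session):
    """Report which native and security policy matched and whether IPS blocked it."""
    reasons = session.get("no_ofld_reason", [])
    return {
        "serial": session.get("serial"),
        "firewall_policy": session.get("policy_id"),  # native policy (policy_id)
        "security_policy": session.get("ngfwid"),     # security policy handled by IPS
        "blocked_by_ips": "block-by-ips" in reasons,
    }
```

Feed it the output of the session list command (for example via a file or stdin) to get a quick per-session view of the matched policies without enabling the PME debugs.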