FortiGate
jintrah_FTNT
Staff
Article Id 197074

Description
When a session helper creates an expect session to allow related traffic, the traffic logs generated for that session reference a policy ID that does not indicate an actual firewall policy match.
Solution

Once an expect session is created, it acts as a pinhole through the firewall policy. Traffic matching the expect session is forwarded by the system without being evaluated against the firewall policy table.
 
The policy ID value carried by the expect session is only a copy of the policy ID of the master (control) session that the session helper was applied to, typically the oldest master session that used that helper.
 
For example, consider a test setup with only one firewall policy, allowing traffic from the LAN subnet to the internet:
 
FortiGate-100EF # show firewall policy
# config firewall policy
    edit 3
        set name "lan-internet"
        set uuid 8597486e-1ba0-51ec-be80-7ef6261890d3
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set srcaddr "10.200.220.0_24"
        set dstaddr "all"
        set schedule "always"
        set service "DNS" "FTP"
        set logtraffic all
        set nat enable
    next
end
FortiGate-100EF #
 
Traffic logs were found referencing policy ID 3 with the following information. Note that srcintf is "wan1" and dstintf is "lan", the reverse of the interface pair in policy 3, and that srcport=20 with pdstport=21 identifies this as the data connection of an FTP session:
 
date=2021-09-22 time=05:51:39 eventtime=1632315099560088126 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" 
srcip=204.76.241.31 srcport=20 srcintf="wan1" srcintfrole="undefined" dstip=10.5.52.124 dstport=60426 dstintf="lan" dstintfrole="lan" srccountry="United States" dstcountry="Reserved"
 sessionid=2707418 proto=6 action="close" policyid=3 policytype="policy" poluuid="8597486e-1ba0-51ec-be80-7ef6261890d3" policyname="lan-internet" service="tcp/60426" 
 trandisp="dnat" tranip=10.200.220.1 tranport=54170 duration=2 sentbyte=272 rcvdbyte=212 sentpkt=6 rcvdpkt=5 appcat="unscanned" psrcport=61106 pdstport=21
 
Although there is no firewall policy that allows traffic from the WAN1 interface to the LAN, the session helper created a pinhole (expect) session for the FTP data connection, and such sessions do not require a firewall policy match to forward traffic. The policyid=3 in the log is inherited from the FTP control session that did match policy 3; it must not be read as evidence that policy 3 permits WAN1-to-LAN traffic. When reviewing logs, treat a policy ID whose srcintf/dstintf pair does not match the logged session's interfaces, together with the psrcport/pdstport fields, as the signature of a helper pinhole, and correlate it back to the master session. The expectation sessions themselves can be inspected on the CLI (diagnose sys session list expectation).
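The following is an added triage example, not code from the article or from Fortinet. It parses FortiGate key=value traffic log lines, checks whether the logged policy's interface pair actually matches the session's srcintf/dstintf, and flags the mismatch plus the presence of parent-session port fields (psrcport/pdstport, interpreted here as the ports of the master session) as a helper pinhole. It then correlates the pinhole back to the master session that really matched the policy. The POLICIES table is a hand-written re-encoding of the single policy shown above, the first log line is the article's log joined onto one line, and the second log line (the FTP control session) is constructed for the example.

```python
import re

# Hypothetical re-encoding of the one policy shown in this article
# (not exported from a device): policy ID -> interface pair.
POLICIES = {
    3: {"name": "lan-internet", "srcintf": {"lan"}, "dstintf": {"wan1"}},
}

# Constructed sample input. Line 1 is the pinhole session from the article
# (fields trimmed, joined onto one line); line 2 is a constructed outbound
# FTP control session that genuinely matched policy 3 and whose ports
# appear as psrcport/pdstport in line 1.
LOG_LINES = [
    'date=2021-09-22 time=05:51:39 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=204.76.241.31 srcport=20 srcintf="wan1" dstip=10.5.52.124 '
    'dstport=60426 dstintf="lan" sessionid=2707418 proto=6 action="close" policyid=3 '
    'policytype="policy" policyname="lan-internet" service="tcp/60426" trandisp="dnat" '
    'psrcport=61106 pdstport=21',
    'date=2021-09-22 time=05:51:37 logid="0000000013" type="traffic" subtype="forward" '
    'vd="root" srcip=10.200.220.1 srcport=61106 srcintf="lan" dstip=204.76.241.31 '
    'dstport=21 dstintf="wan1" sessionid=2707401 proto=6 action="accept" policyid=3 '
    'policytype="policy" policyname="lan-internet" service="FTP" trandisp="snat"',
]

# key=value tokens; values are either "quoted" or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def classify(entry, policies=POLICIES):
    """Decide whether the logged policyid reflects a real policy match.

    helper-pinhole: interfaces do not fit the policy AND parent-session ports
    are present, i.e. the policyid was copied from a master session.
    interface-mismatch: interfaces do not fit and no parent ports are present;
    this needs manual investigation rather than being dismissed as a pinhole.
    """
    policy = policies.get(int(entry["policyid"]))
    if policy is None:
        return "unknown-policy"
    if entry["srcintf"] in policy["srcintf"] and entry["dstintf"] in policy["dstintf"]:
        return "policy-match"
    if "psrcport" in entry or "pdstport" in entry:
        return "helper-pinhole"
    return "interface-mismatch"


def find_parent(child, entries):
    """Locate the master session whose ports the pinhole inherited as psrcport/pdstport.

    The master session's srcport/dstport should equal the child's parent ports and
    its dstip should be the peer that the child session came back from.
    """
    if "psrcport" not in child or "pdstport" not in child:
        return None
    for entry in entries:
        if entry is child:
            continue
        if (entry.get("srcport") == child["psrcport"]
                and entry.get("dstport") == child["pdstport"]
                and entry.get("dstip") == child["srcip"]):
            return entry
    return None


def triage(lines, policies=POLICIES):
    """Return (sessionid, srcintf, dstintf, verdict, parent sessionid or None) per line."""
    entries = [parse_fortigate_log(line) for line in lines]
    results = []
    for entry in entries:
        parent = find_parent(entry, entries)
        results.append((
            entry["sessionid"], entry["srcintf"], entry["dstintf"],
            classify(entry, policies),
            parent["sessionid"] if parent else None,
        ))
    return results


if __name__ == "__main__":
    for row in triage(LOG_LINES):
        print(row)
```

The verdict "helper-pinhole" means the policyid in the log says nothing about policy 3 allowing WAN1-to-LAN traffic; the real authorisation decision was made on the parent session returned by find_parent. An "interface-mismatch" with no parent ports is worth escalating, since the pinhole explanation does not apply to it.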

 
