Administrators may observe the following:

1. PBR rule is configured correctly (source, destination, outgoing interface, gateway).
2. diagnose firewall proute list shows the PBR rule is matched.
3. Logs show sessions hitting the VIP or outgoing interface, but:
4. No sessions appear under the firewall policy.
5. Traffic does not pass through the firewall.
6. Traceroute fails or times out after a few hops.

In some cases, disabling PBR allows the traffic to pass normally.

Typical log behavior:

No matching firewall policy.
Policy ID 0 hits.
Sessions dropped due to an 'implicit deny'.

Cause:

1. Policy-Based Routing only decides where to send the traffic (routing decision). It does not decide whether traffic is allowed.
2. Even when PBR forwards traffic through a chosen WAN interface, the firewall engine still requires a matching firewall policy to allow the session.
3. If no firewall policy matches the traffic (source → destination → service), the FortiGate will:
   1. Apply routing logic according to the PBR.
   2. Attempt to forward the traffic.
   3. Then drop the session, because there is no allow policy.

Traffic hits the implicit deny (policy 0).

This results in:

• No 'Allowed' logs.
• No policy hits.
• Traffic failing despite PBR matching.

PBR = Routing decision.
Firewall Policy = Security decision.
Both are mandatory.

Common Scenarios Where This Occurs:

1. PBR points traffic to a different WAN (WAN2), but the firewall policy only allows traffic via WAN1.
2. VIP traffic appears as 'VIP hit', but no associated policy hit is seen.
3. Traceroute reaches 2–3 hops, then stops → because traffic is routed, but not allowed.
4. Asymmetric Routing occurs when incoming and outgoing interfaces do not match the policy.

Solution:

1. Ensure a Matching Firewall Policy Exists for PBR Traffic.

Navigate to: Policy & Objects → Firewall Policy → Create/Edit Policy.

Key requirements:

Incoming Interface = Source LAN interface.
Outgoing Interface = Same as PBR outgoing interface (example: WAN2).
Source Address = Users/subnet used in PBR.
Destination Address = All or specific.
Services = Required ports.
NAT = Enable (if Internet traffic).

CLI Example:

config firewall policy
    edit <policy_id>
        set srcintf "LAN"
        set dstintf "wan2"
        set srcaddr "PBR-users"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set nat enable
    next
end

2. Verify firewall policy hit count.

Use:

diagnose firewall proute list

PBR hit count should increment.

Then check:

get firewall policy <policy_id>

Hit count should increase during testing.

3. Re-test Traffic Flow.

After the firewall policy is added, traceroute should complete.

Traffic should hit the correct allow policy.
VIP traffic should show a correct policy match.
No more sessions hitting policy 0.

Verification:

1. Traffic Logs should now show Allowed actions and the correct outgoing interface.
2. Matched policy ID.
3. Sniffer:

diagnose sniffer packet any 'host <destination>' 4 0 a

Debug Flow (if needed):

diagnose debug flow filter addr <source_IP>
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 100

It should now show:

Allowed by policy X
Found policy route
Correct interface handoff

Conclusion:

Policy-Based Routing controls how traffic is forwarded, but does not override firewall security policies.

A correct and matching firewall policy is always required to allow traffic, even if PBR already routes the packet.

Without the firewall policy:

Traffic matches the PBR but is dropped by implicit deny, resulting in timeouts, unreachable destinations, and no policy hits

Adding the correct firewall policy ensures traffic flows successfully through the PBR-defined path.