Article Id 293410
Description: This article explains why a deny entry with the reason 'no session matched' can still appear in the forward traffic log for outbound traffic even though a policy rule allowing all sources and services ('all source ip/service to all') has been created.
Scope: FortiGate v7.0.

In the forward traffic log below, the outbound traffic is denied with the reason 'no session matched':


[Screenshot: forward traffic log entry showing the deny action with reason 'no session matched' (2023-12-29_14_37_05 (2).png)]


The session table can be checked with the commands below.

First set a filter on the related source IP address and destination service port (clear any previous filter with 'diagnose sys session filter clear' first):


diagnose sys session filter src <----- The related source IP address of the outbound traffic flow.

diagnose sys session filter dport 25  <----- The destination service port of the traffic flow (SMTP in this case).


In this case, no session has been established in the table:


diagnose sys session list
total session 0    <-----  Result.


Capture packets to look at the packet flow in detail. Verbosity level 4 prints the interface name and direction for each packet, a count of 0 captures until stopped, and the trailing 'l' prints local timestamps:


diagnose sniffer packet any 'host and port 25' 4 0 l <----- Filter on the source IP address and service port
filters=[host and port 25]
2024-01-08 10:50:13.313209 port2 in -> rst 3249793968 ack 1677881727
1 packets received by filter
0 packets dropped by kernel


The capture shows only an RST/ACK packet arriving on port2. The SYN, the first packet of the TCP three-way handshake, was never received by the FortiGate.

The FortiGate is a stateful firewall: it creates a session only when it sees the SYN that opens the connection. A non-SYN packet that does not match an existing session is dropped and logged as 'no session matched', regardless of the policy rules, because policy lookup only happens when a session is created. In an asymmetric routing environment, where the SYN leaves through another path and only later packets of the connection pass through the FortiGate, the traffic is therefore denied even though the allow policy has been created. The proper fix is to correct the routing so that both directions of the flow traverse the FortiGate. The per-VDOM setting 'set asymroute enable' under 'config system settings' makes the FortiGate accept such packets, but it turns off stateful inspection for them and should only be used as a last resort.
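The following script is an added example and is not part of the Fortinet article. It reads the text output of 'diagnose sniffer packet ... 4 0 l', groups the packets into TCP flows, and flags every flow whose first packet received on an ingress interface is not a bare SYN. Those are the flows for which the FortiGate cannot create a session, so they are the ones that end up as 'no session matched' denies. The line layout it parses (date, time, interface, in/out, src.sport -> dst.dport: flags ...) is an assumption about verbosity-4 output with the IP addresses present, and the sample capture is constructed for the example (the RST/ACK flow mirrors the case in the article; the other two flows show a complete handshake and an asymmetric reply path).

```python
import re

# Added example (not from the Fortinet article): group packets from the text output of
# 'diagnose sniffer packet ... 4 0 l' into TCP flows and flag flows whose first packet
# seen on an ingress interface is not a bare SYN. The FortiGate cannot create a session
# for those flows, so they are logged as 'no session matched'.
#
# The line layout below is an assumption about verbosity-4 output with IPs present:
#   <date> <time> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags> ...
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample capture: three client-to-SMTP flows.
#  - 51522: only an RST/ACK ever arrives (the case in the article)
#  - 51600: full handshake seen in both directions
#  - 51700: only the server's ACK arrives on port1 (reply path is asymmetric)
SAMPLE_CAPTURE = """\
2024-01-08 10:50:13.313209 port2 in 10.10.10.20.51522 -> 203.0.113.25.25: rst 3249793968 ack 1677881727
2024-01-08 10:50:14.100001 port2 in 10.10.10.20.51600 -> 203.0.113.25.25: syn 1000
2024-01-08 10:50:14.100500 port1 out 10.10.10.20.51600 -> 203.0.113.25.25: syn 1000
2024-01-08 10:50:14.130000 port1 in 203.0.113.25.25 -> 10.10.10.20.51600: syn 2000 ack 1001
2024-01-08 10:50:14.130200 port2 out 203.0.113.25.25 -> 10.10.10.20.51600: syn 2000 ack 1001
2024-01-08 10:50:14.140000 port2 in 10.10.10.20.51600 -> 203.0.113.25.25: ack 2001
2024-01-08 10:50:15.000000 port1 in 203.0.113.25.25 -> 10.10.10.20.51700: ack 555
"""


def parse_sniffer(text):
    """Yield one dict per TCP packet line; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        # Sequence/ack numbers are ignored; only the flag keywords matter here.
        pkt["flags"] = frozenset(tok for tok in pkt.pop("rest").split() if tok in TCP_FLAGS)
        yield pkt


def flow_key(pkt):
    """Direction-independent key so both halves of a connection land in one flow."""
    ends = [(pkt["src"], int(pkt["sport"])), (pkt["dst"], int(pkt["dport"]))]
    return tuple(sorted(ends))


def classify_flows(text):
    """Map each flow to a verdict based on the first packet the FortiGate received for it.

    Only 'in' packets count: with the 'any' interface the same packet also shows up
    as 'out' on the egress interface once it has been forwarded.
    """
    first_seen = {}
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "in":
            first_seen.setdefault(flow_key(pkt), pkt)

    verdicts = {}
    for key, pkt in first_seen.items():
        if pkt["flags"] == {"syn"}:
            verdicts[key] = "session-created"
        else:
            flags = "/".join(sorted(pkt["flags"])) or "none"
            verdicts[key] = "no-session (first packet %s on %s)" % (flags, pkt["iface"])
    return verdicts


def no_session_flows(text):
    """Return the flows that would be logged as 'no session matched', oldest first."""
    return [key for key, v in classify_flows(text).items() if v.startswith("no-session")]


if __name__ == "__main__":
    for key, verdict in classify_flows(SAMPLE_CAPTURE).items():
        (a, ap), (b, bp) = key
        print("%s:%d <-> %s:%d  %s" % (a, ap, b, bp, verdict))
```

Run it against a saved sniffer output instead of the constructed sample by passing the file contents to classify_flows(). A flow reported as 'no-session' whose first packet was seen on the interface facing the reply side (port1 in the sample) points at an asymmetric return path; one whose first packet is an RST or ACK from the client side usually means the SYN took a different route out.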