yangw (Staff)
Article Id 404761
Description This article describes the steps to troubleshoot and resolve a firewall policy not matching a one-arm packet flow after upgrading FortiGate from v7.2.10 to v7.2.11. The symptom is that the traffic flow does not match the expected firewall policy rule, even though the rule is configured correctly.
Scope FortiGate v7.2.11.
Solution

The following commands can be used to verify whether a one-arm packet flow matches the intended policy rule:

diagnose debug reset
diagnose debug console timestamp enable
diagnose deb flow filter addr x.x.x.x y.y.y.y and        (source and destination addresses; 'and' requires both to match)
diagnose deb flow filter port x                          (destination port)
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose deb en
diagnose deb flow trace start 9999

Reproduce the issue to generate the relevant debug logs. Afterwards, disable debugging with the following commands:

diagnose deb dis
diagnose deb reset

 

In v7.2.10, one-arm (internal-to-internal) packet flows correctly match and apply the designated policy rule, here policy ID 2010.

(Screenshot: policy_2010_for_7.2.10_hit.png)

However, after upgrading from v7.2.10 to v7.2.11, the same one-arm packet flow is still forwarded, but by default it no longer matches any policy rule.

(Screenshot: policy_2010_for_7.2.11_no_hit.png)
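To check a captured trace systematically rather than by eye, here is an added Python helper (not from the original article or from Fortinet) that groups 'diagnose debug flow' lines by trace_id and flags one-arm flows that were routed back out the ingress interface without an 'Allowed by Policy-<id>' line. The trace lines embedded in it are constructed for this example and only approximate real FortiOS output; trace 1 shows the v7.2.10 behaviour (policy 2010 hit), trace 2 the post-upgrade behaviour (no policy hit).

```python
import re
from collections import OrderedDict

# Constructed sample of 'diagnose debug flow' output (format approximates real
# FortiOS trace lines; addresses, session ids and line numbers are made up).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.10.10.5:51000->10.10.20.7:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6095 msg="allocate a new session-00001234, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.10.10.254 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=955 msg="Allowed by Policy-2010:"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.10.10.6:51001->10.10.20.8:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=6095 msg="allocate a new session-00001235, tun_id=0.0.0.0"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.10.10.254 via port1"
"""

TRACE_ID_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).*? from (\w+)\.")
ROUTE_RE = re.compile(r"find a route: .* via (\w+)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")


def parse_flows(trace_text):
    """Group trace lines by trace_id and extract ingress interface, egress
    interface (from the route lookup) and the policy id, if one was logged."""
    flows = OrderedDict()
    for line in trace_text.splitlines():
        tid = TRACE_ID_RE.search(line)
        if not tid:
            continue
        flow = flows.setdefault(tid.group(1), {"src": None, "dst": None, "in_if": None, "out_if": None, "policy": None})
        if m := PKT_RE.search(line):
            proto, src, sport, dst, dport, in_if = m.groups()
            flow["src"], flow["dst"], flow["in_if"] = f"{src}:{sport}", f"{dst}:{dport}", in_if
        elif m := ROUTE_RE.search(line):
            flow["out_if"] = m.group(1)
        elif m := POLICY_RE.search(line):
            flow["policy"] = int(m.group(1))
    return flows


def one_arm_without_policy(flows):
    """trace_ids of flows routed back out the ingress interface (one-arm) that
    never logged 'Allowed by Policy-<id>': the post-upgrade symptom."""
    return [tid for tid, f in flows.items()
            if f["in_if"] is not None and f["in_if"] == f["out_if"] and f["policy"] is None]


if __name__ == "__main__":
    print("one-arm flows with no policy hit:", one_arm_without_policy(parse_flows(SAMPLE_TRACE)))
```

Feed it the output of the debug session above (saved from the console) instead of SAMPLE_TRACE; any trace_id it reports is a one-arm flow that was forwarded with no policy lookup, which is exactly what allow-traffic-redirect controls.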

To resolve this issue:

Check whether the allow-traffic-redirect setting is enabled or disabled according to network requirements. Verify this setting by running 'config system global' and then 'get allow-traffic-redirect'.

It is recommended to set 'allow-traffic-redirect' to disable. For IPv4 policies, this configuration keeps the traffic on the original incoming interface and applies the proper policy check.

 

FortiOS behavior change explanation:

Before upgrading to v7.2.11, if 'allow-traffic-redirect' was enabled (the default), FortiGate would drop one-arm packets whose source IP was in a different subnet from the incoming interface. After upgrading to v7.2.11, by default, one-arm traffic is always forwarded without any policy matching.

This is also applicable to other FortiOS versions. The change took effect in v7.0.16, v7.2.11, v7.4.4, and v7.6.0.

The behavior change is documented in the Release Notes under Changes in default behavior, ID 985508: if allow-traffic-redirect is enabled, no policy match or existing session is required for the traffic to be forwarded.

If allow-traffic-redirect is disabled, FortiGate will perform a policy match.


Related documents:

Changes in default behavior
Technical Tip: How to allow traffic when using the same logical interface for ingress and egress wit...