This issue is caused by a bug introduced in v7.4.4 and v7.4.7 also where FortiGate blocks traffic if a one-time schedule or recurring schedule is used in the explicit proxy policy.

The traffic matches the implicit deny policy even though the schedule is showing active (not expired) due to WAD getting the wrong time zone after chroot.

execute time

diagnose test app wad 1000

diagnose test app wad 2300

diagnose test app wad 156

diagnose debug enable

diagnose debug console timestamp enable

diagnose wad debug enable level info

diagnose wad debug enable category policy

Sample output:

Ertiga-kvm10 # [I]2024-08-02 16:36:35.846993 [p:2075][s:305508864][r:227] wad_http_conn_req_classify :6140 no security profil
e HTTPS/HTTP, tport=443
[I]2024-08-02 16:36:35.850427 [p:2075][s:305508864][r:227] wad_fast_match_is_enable :3678 fast matching is enabled
[I]2024-08-02 16:36:35.850472 [p:2075][s:305508864][r:227] wad_fast_match_pol_array :3499 fw_pol_id=1(pol_ctx:xhcf|Ad|7?|=p
) pol_id=0(pflag:H|W|U|A) asyn_info=1
[W]2024-08-02 16:36:35.850494 [p:2075][s:305508864][r:227] wad_fast_match_pol_array :3537 No policy matched
[I]2024-08-02 16:36:35.850499 [p:2075][s:305508864][r:227] wad_fw_policy_async_match :5319 pol_ctx:xhcf|Ad|7?|=d
[I]2024-08-02 16:36:35.850512 [p:2075][s:305508864][r:227] wad_http_req_policy_set :11172 match policy-id=0(pol_ctx:xhcf|Ad
|7?|=d) vd=0(ses_ctx:x|Ph|Me|Hh|C|A7|O) (10.160.2.30:57574@4 -> 172.217.25.196:443@3)
[E]2024-08-02 16:36:35.850556 [p:2075][s:305508864][r:227] wad_http_req_proc_policy :10729 POLICY DENIED
[W]2024-08-02 16:36:35.974849 [p:2075][s:305508851][r:228] wad_http_req_check_policy :12877 configuration changed pol_res->co
nf_gen=10 g_wad.config_gen/vd.policy=11/11

This issue is fixed in v7.6.0.

Apply the 'always' schedule as a workaround until the system is upgraded to the fixed version.