Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mriswan
Staff
Staff

Created on ‎09-24-2024 11:27 PM Edited on ‎09-24-2024 11:29 PM By Staff

Article Id 344028

Troubleshooting Tip: How to identify which policy is being matched for the ongoing web browsing traffic using session output

Description

This article describes how to identify which policy is being matched for the ongoing web browsing traffic using session output.

In certain scenarios, tracking the correct policy ID for ongoing browsing sessions from forward traffic logs can be challenging. However, using the session output allows us to instantly and accurately identify which policy is being matched.
Scope FortiGate.
Solution
  • Open the browser's Developer Tools (usually accessible via F12 or 'right-clicking' the page and selecting Inspect).
  • Navigate to the Network tab.
  • Perform the action that initiates the session (such as loading a web page or selecting a link).
  • In the Network section, locate the request corresponding to the session interested in.
  • Select the request and go to the Headers tab.
  • In the headers section, look under Remote Address or Host to identify the IP address of the current session.

 

Inspect.png

 

Open the CLI console of the firewall and use the obtained as a session filter for the destination IP:

erbium-kvm21 # diagnose sys session filter dst 15.161.156.80

erbium-kvm21 # diagnose sys session list

session info: proto=6 proto_state=01 duration=122 expire=3562 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty
statistic(bytes/packets/allow_err): org=14400/60/1 reply=176232/128/1 tuples=2
tx speed(Bps/kbps): 117/0 rx speed(Bps/kbps): 1433/11
orgin->sink: org pre->post, reply pre->post dev=7->6/6->7 gwy=10.5.191.254/0.0.0.0
hook=post dir=org act=snat 10.64.11.53:45676->15.161.156.80:443(10.5.145.228:45676)
hook=pre dir=reply act=dnat 15.161.156.80:443->10.5.145.228:45676(10.64.11.53:45676)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 pol_uuid_idx=15849 auth_info=0 chk_client_info=0 vd=0
serial=00177e7a tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000100
no_ofld_reason: npu-flag-off
total session: 1
378
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.