FortiGate
rishab444 (Staff)
Article Id 385350
Description: This article explains why no logs are displayed on the FortiGate when traffic ingresses and egresses through the same interface.
Scope: FortiGate-VM.
Solution

This is a common scenario in cloud or VM environments where traffic is expected to ingress and egress through the same interface, for example when the FortiGate acts as a one-arm sniffer or is used only for SNAT. A packet sniffer trace on the FortiGate shows the same SYN packet entering port2 and leaving port2 (and the underlying SR-IOV interface), yet no traffic log is generated:

2025-03-19 10:54:49.603554 port2 in 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.603585 port2 out 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.603588 sriovslv1 out 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.855776 port2 in 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:49.855806 port2 out 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:49.855809 sriovslv1 out 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995

This is expected behavior when 'allow-traffic-redirect' is enabled under system global settings: the traffic is redirected directly instead of being evaluated against the firewall policy set, so no policy session is created and no traffic log is written.
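The following Python script is an added example, not code from the article or from Fortinet. It parses sniffer output in the format shown above (the format assumed here is that of a FortiOS packet sniffer trace run at a verbosity that prints interface names and directions) and reports every flow whose ingress interface also appears as an egress interface, which is exactly the same-interface traffic that 'allow-traffic-redirect' handles without a policy or log. The sample trace embeds the lines from the article plus one constructed contrast flow (port1 in, port2 out) that must not be flagged.

```python
import re
from collections import defaultdict

# One line of FortiOS sniffer output with interface name and direction, e.g.
# "2025-03-19 10:54:49.603554 port2 in 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample: the six trace lines from the article, followed by one
# constructed flow from 10.212.105.170 that enters port1 and leaves port2
# (a normal two-interface path that should NOT be reported as a hairpin).
SAMPLE_TRACE = """\
2025-03-19 10:54:49.603554 port2 in 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.603585 port2 out 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.603588 sriovslv1 out 10.212.105.163.59880 -> 10.20.134.15.443: syn 940505181
2025-03-19 10:54:49.855776 port2 in 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:49.855806 port2 out 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:49.855809 sriovslv1 out 10.212.105.163.59882 -> 10.20.134.15.443: syn 2864824995
2025-03-19 10:54:50.000000 port1 in 10.212.105.170.40000 -> 10.20.134.15.443: syn 1
2025-03-19 10:54:50.000030 port2 out 10.212.105.170.40000 -> 10.20.134.15.443: syn 1
"""


def parse_line(line):
    """Return ((src, sport, dst, dport), iface, direction) or None if the line
    is not a sniffer packet line (headers, blank lines, hex dumps)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    flow = (d["src"], int(d["sport"]), d["dst"], int(d["dport"]))
    return flow, d["iface"], d["dir"]


def find_hairpin_flows(trace):
    """Map each flow to the interfaces it was seen on, then keep only flows
    where some ingress interface is also an egress interface (hairpin)."""
    seen = defaultdict(lambda: {"in": set(), "out": set()})
    for line in trace.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        flow, iface, direction = parsed
        seen[flow][direction].add(iface)

    hairpins = {}
    for flow, ifaces in seen.items():
        same = ifaces["in"] & ifaces["out"]
        if same:
            hairpins[flow] = {
                "ingress": sorted(ifaces["in"]),
                "egress": sorted(ifaces["out"]),
                "hairpin_on": sorted(same),
            }
    return hairpins


if __name__ == "__main__":
    for flow, info in find_hairpin_flows(SAMPLE_TRACE).items():
        src, sport, dst, dport = flow
        print(f"{src}:{sport} -> {dst}:{dport} hairpinned on {info['hairpin_on']} "
              f"(ingress {info['ingress']}, egress {info['egress']})")
```

Run against a saved sniffer trace, the report lists the flows that will be silently redirected while 'allow-traffic-redirect' is enabled; if such flows are supposed to be logged, that is the set to verify after disabling the setting. The contrast flow on port1/port2 is correctly left out because its ingress and egress interfaces differ.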

This behavior is enabled by default, but it can be modified under system global settings.

config system global
    set allow-traffic-redirect [enable | disable]    <----- 'enable' is the default value.
end

After disabling it, the traffic is matched against the firewall policy configured from port2 to port2, and the traffic log is generated as expected.


Note: Starting from versions v7.0.16, v7.2.11, v7.4.4, and v7.6.0, FortiGate changed how this traffic is handled. With allow-traffic-redirect enabled, the traffic is redirected without requiring a matching firewall policy or an existing session. With allow-traffic-redirect disabled, FortiGate checks for a firewall policy matching the traffic before forwarding it.


The command is not supported on FortiProxy.

Related article:
Technical Tip: Traffic handled by FortiGate for packet which ingress and egress same interface