WAD, which stands for WAN Optimization Daemon in FortiGate, handles several tasks apart from WAN optimization, namely proxying traffic, web filtering, web caching, etc. While troubleshooting WAD-related issues/crashes, debugs can be enabled using the following CLI commands.

FortiGate# diagnose wad debug enable ?
all           Enable all debug categories and set to the maximum level.
level         Level debug setting.
category      Category debug setting.

FortiGate# diagnose debug enable 

Current debug duration is 30 minutes, 0 minutes 33 seconds have passed.  <-- Look for this message.

But sometimes it may be noticed that even when debugs are enabled, no output might be printed in the CLI terminal. Here are a few possible reasons why this could be happening and how to address them.

1. Check the active Inspection mode:

Since the inspection mode can be manually changed either at the global settings or at the individual policy level on the FortiGate, verify first which mode is enabled for the traffic that is being troubleshooted.

Note that the default inspection mode on the firewall policies is 'Flow-based' mode, and with this mode enabled, the GUI might not show the inspection mode section for some of the FortiGate models, as shown in the examples below.

It will show the mode only if 'Proxy-based' mode is enabled manually, which might cause some confusion to identify which mode is currently enabled just by looking at this screen on the GUI.

Figure 1: Firewall policy with flow mode enabled (default), but doesn't show the "Inspection mode" section.

Compare this with the below example, where inspection mode is manually changed to proxy mode using CLI (either global settings or per firewall policy), where the Inspection-mode now shows the new section clarifying which mode is active.

Figure.2: Firewall policy with proxy mode enabled, now shows the "Inspection mode" section.

The WAD debugs will show outputs only for 'Proxy-based' mode, so verify which mode is active using the above steps. This can be reviewed from the CLI as well. In the below example, the inspection-mode is the default 'Flow-based mode', and with this mode again even in CLI, it might not show which mode is active with just the 'show' output. This behavior is expected.

FortiGate# config firewall policy

FortiGate(policy) # edit "1"

FortiGate(1) # show
config firewall policy
    edit 1
        set name "Internet-webfilter"
        set uuid b36069ac-4acb-51f0-83d5-3e470f78308b
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "Deep-inspection-Cert-tests"
        set webfilter-profile "web-filter-test"
        set ips-sensor "default"
        set application-list "default"
        set nat enable
    next

Use the below 'show full' command to find the inspection-mode that is currently enabled.

FortiGate(1) # show full | grep inspection-mode
    set inspection-mode flow

If WAD debugs are enabled with the above default flow-based configs, it will not print any debugs, which is expected. Review the requirement and (only) if proxy-based mode is needed, enable this config change and then re-enable the WAD debugs, which would then print the relevant debugs.

FortiGate# config firewall policy

FortiGate(policy) # edit "1"

FortiGate(1) # set inspection-mode proxy

    next

2.  Check for any previously enabled WAD filter settings:

The 'diagnose debug info' CLI is commonly used to verify which process debugs are enabled. Below is an example output where wad debugs have been enabled at level -1, along with a wad filter. Note that while this seems like a central debug info command, it shows all the debugs enabled but does not include the debug filters.

FortiGate# diagnose debug info
debug output: disable
console timestamp: enable
console no user log message: disable
zebos debug level: 306783954 (0x124926d2)
wad debug level: -1 (0xffffffff)  <---------- Shows that WAD debug has been enabled, but no info about WAD filters.
CLI debug level: 3
WAD console log: enable <-------- Shows WAD console debug enable status, but not about WAD filter details.

===== IPS debug settings =====
2025-06-16 11:06:28 IPS Engine <02044> Enabled debug actions: 2025-06-16 11:06:28
2025-06-16 11:06:28 IPS Engine <02147> Enabled debug actions: 2025-06-16 11:06:28

===== IPS SSL debug settings =====
2025-06-16 11:06:29 IPS Engine <02147> ssl debug level is "none"

===== IP router debug settings =====
BGP debugging status:
BGP debug level: ERROR
timestamp enabled

IS-IS debugging status:
IS-IS debugging level is CRITICAL
timestamp enabled

OSPF debugging status:
OSPF debugging level is ERROR
timestamp enabled

PIM-DM Debugging status:
PIM-DM VR-VRF Context debugging is off
PIM-DM Decoder debugging is off
PIM-DM Encoder debugging is off
PIM-DM FSM debugging is off
PIM-DM MRT debugging is off
PIM-DM NHOP debugging is off
PIM-DM NSM debugging is off
PIM-DM VIF debugging is off
PIM dense-mode debug level: CRITICAL
timestamp enabled

Debugging status (0) :
PIM sparse-mode debug level: CRITICAL
timestamp enabled

RIP debugging status:
RIP debugging level is CRITICAL
timestamp enabled

OSPFv3 debugging status:
OSPFv3 debugging level is CRITICAL
timestamp enabled

RIPng debugging status:
RIPng debugging level is CRITICAL
timestamp enabled

Current debug duration is 30 minutes, 21 minutes 17 seconds have passed. <--- Shows debugs are enabled and active.

FortiGate#

Note: Even if a diagnose debug reset is done, it does not reset the WAD filters.

FortiGate# diagnose debug reset

FortiGate# 

Now, check for the WAD filters using the below CLI command. As shown, the filters were not reset with the diag debug reset command, and the old filters are still active.

FortiGate# diagnose wad filter list
drop unknown sessions: disabled
source ip: 192.168.10.2-192.168.10.2
dest port: 443-443

FortiGate#

Here is the CLI to clear this specific WAD filter, which might have been causing the WAD debugs to not print due to an old filter previously applied.

FortiGate# diagnose debug disable <---- Always ensure to disable debugs first before clearing debug filters.

FortiGate# diagnose wad filter clear

FortiGate# diagnose wad filter list
drop unknown sessions: disabled

FortiGate#

Now, re-enable the WAD debugs (with or without filters as needed, but the general recommendation is to always enable debugs with a specific filter so that the outputs are not overwhelming), and the debug outputs printed on the terminal should appear.

Related articles:

Technical Tip: Overview of WAD process structure

Technical Tip: Changing the inspection mode of the firewall