FortiGate
mpapisetty
Staff
Article Id 425770
Description

This article describes a scenario where traffic continues to match a firewall policy on a FortiGate even after the associated Virtual IP (VIP) has been removed. It provides a step-by-step guide to resolving the issue by clearing the existing sessions from the session table.

Scope

FortiGate.
Solution

To resolve this issue, follow these steps:

  1. Identify the existing sessions in the session table that are kept alive because traffic keeps refreshing them. A session that was created while the VIP and its policy existed is not re-evaluated against the current policy set on every packet; it stays in the table until it expires or is cleared. List the sessions with the command diagnose sys session list. If the session list is huge, refer to this article for how to filter the output: Technical Tip: How it is possible to use 'filter' with 'diagnose sys session list' command to get th....
  2. Clear the existing sessions using the command diagnose sys session clear. Set a filter first so that only the sessions of interest are removed, for example diagnose sys session filter dst <VIP address> followed by diagnose sys session clear. Note that diagnose sys session clear with no filter set removes every session in the table, which interrupts all established traffic.
  3. Verify that the sessions have been cleared by running diagnose sys session list again with the same filter.
  4. Generate new traffic and confirm that it no longer matches the old policy.
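As an added illustration (not part of the original article), the following Python helper parses a session listing in the style of diagnose sys session list, picks out the sessions that went through a VIP (the DNAT hook line), reports which policy each one matched and how long it still has to live, and emits the filter/clear sequence for step 2. The sample listing is constructed, and the exact field layout of real output varies by FortiOS version.

```python
import re

# Constructed sample in the style of 'diagnose sys session list' output (not real device
# output). 198.51.100.5 stands in for the removed VIP's external address and 10.0.0.20 for
# the server it mapped to; the second session is ordinary non-DNAT traffic on another policy.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=42 expire=3558 timeout=3600 flags=00000000
hook=pre dir=org act=dnat 203.0.113.10:51234->198.51.100.5:443(10.0.0.20:443)
hook=post dir=reply act=snat 10.0.0.20:443->203.0.113.10:51234(198.51.100.5:443)
misc=0 policy_id=5 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=6 proto_state=01 duration=7 expire=3593 timeout=3600 flags=00000000
hook=pre dir=org act=noop 203.0.113.11:40000->10.0.0.30:22(10.0.0.30:22)
hook=post dir=reply act=noop 10.0.0.30:22->203.0.113.11:40000(10.0.0.30:22)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=0000abce tos=ff/ff app_list=0 app=0 url_cat=0

total session 2
"""

# Original-direction hook line of a DNATed session: client -> VIP:port(mapped-server:port)
DNAT_RE = re.compile(r"dir=org act=dnat (?P<src>[\d.]+):\d+->(?P<vip>[\d.]+):(?P<dport>\d+)"
                     r"\((?P<mapped>[\d.]+):\d+\)")

def dnat_sessions(listing):
    """Return one dict per session in the listing whose traffic went through a VIP."""
    hits = []
    for block in listing.split("\n\n"):          # one session per blank-line-separated block
        m = DNAT_RE.search(block) if block.startswith("session info:") else None
        if m is None:
            continue                              # trailer or plain session, no VIP involved
        hits.append({"src": m["src"], "vip": m["vip"], "dport": int(m["dport"]),
                     "mapped": m["mapped"],
                     "policy_id": int(re.search(r"policy_id=(\d+)", block).group(1)),
                     "expire": int(re.search(r"expire=(\d+)", block).group(1))})
    return hits

def clear_commands(sessions, vip):
    """CLI sequence (reset filter, narrow to VIP + port, clear) for sessions still using `vip`."""
    cmds = []
    for port in sorted({s["dport"] for s in sessions if s["vip"] == vip}):
        cmds += ["diagnose sys session filter clear",
                 f"diagnose sys session filter dst {vip}",
                 f"diagnose sys session filter dport {port}",
                 "diagnose sys session clear"]
    return cmds
```

Feed it the saved output of diagnose sys session list; a non-empty result after the VIP has been deleted is exactly the stale-session condition this article describes.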

Before applying the steps above, collect the debug flow output and the iprope list output for the VIP rules; this confirms that the VIP is no longer referenced by any policy:

diagnose firewall iprope list 100000

Related article:

Technical Tip: iPrope policies group