In this case, it means that the utmaction-based report contains partial and erroneous information, in the sense that:
- it includes sessions that have been blocked due to security events totally not related to web filtering (like viruses and application exploits, but on allowed site categories)
- all the portions of the sessions that were finally blocked for site category violation are ignored, so the bandwidth usage reported is false (the allowed sites used more traffic than reported)
It is important to note that the notion of SESSION in the context of the logs seems to refer not to low-level protocol sessions, but to high-level user sessions. This means that more low-level sessions (with different src/dst ports) are logged as linked into a high-level user session. Could you please confirm or deny this?
We could try to refine the filter by selecting countapp, countav, countips etc. = 0. As for the traffic before the session gets blocked, do you have any suggestion on how to include it in the report?
Thank you in advance, you are by far the most customer-friendly Fortinet team member I have ever seen! (Keep it up like this, PLEASE! Things get more complicated and less documented day after day...)