Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Francois_Roussy
New Contributor

Mail caught as spam :(

Good day, I'm wondering how I can find the reason why an email (a legitimate one) was blocked by FortiMail. When I look in the log, there is a policy column, but where does that point? Thanks!
Bromont_FTNT
Staff

In the logs, click on the session_Id link and view all logs for that session; you should find the reason there.
Francois_Roussy
New Contributor

Good day, maybe I'm dumb, but I don't find anything to point me to the right place... see attached. I was using another system and it was clearer, but we have that where I am, so no choice :)
baitken
New Contributor

The Classifier column will tell you what module caused the email to be rejected.
Francois_Roussy
New Contributor

I understand, but in that case, it's a policy match... but how can I know which policy blocked it!
Bromont_FTNT
Staff

Yeah... that's something I don't see a lot of in the logs... This e-mail must be matching a sender and/or recipient policy which then has an AS profile configured with "Apply default action without scan upon policy match"... default action being "quarantine". Policy IDs 1:1:1, so it's matching policy #1.
emnoc
Esteemed Contributor III

FWIW, those IDs #1:1:1 mean access-controls #1, ip-policy #1, recipient policy #1. And keep in mind the above matching order is what and how it's matched.

PCNSE NSE StrongSwan
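
An added example, not part of any post in this thread and not Fortinet code: it groups log lines by session, then splits the policy column into the access control, IP policy and recipient policy numbers in the order described above. The `key="value"` line layout, the key names and the sample lines are constructed assumptions, not a documented FortiMail export format.

```python
import re
from collections import defaultdict

# Constructed sample lines in key="value" form; the key names are assumptions
# about how the log was exported, not a documented FortiMail format.
SAMPLE_LOG = '''\
session_id="s-0001" from="alice@example.org" to="bob@example.com" classifier="Policy Match" disposition="Quarantine" policy="1:1:1"
session_id="s-0002" from="carol@example.org" to="bob@example.com" classifier="Not Spam" disposition="Accept" policy="2:1:3"
session_id="s-0001" msg="moved to quarantine"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')
# Order given in the thread: access control, IP policy, recipient policy.
ORDER = ("access_control", "ip_policy", "recipient_policy")


def parse_policy_ids(value):
    """Split an 'a:b:c' policy column into named rule numbers."""
    parts = value.split(":")
    if len(parts) != len(ORDER) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected policy id format: {value!r}")
    return dict(zip(ORDER, map(int, parts)))


def sessions(log_text):
    """Merge every line of a session into one record, keyed by session_id."""
    merged = defaultdict(dict)
    for line in log_text.splitlines():
        fields = dict(PAIR.findall(line))
        if "session_id" in fields:
            merged[fields.pop("session_id")].update(fields)
    return dict(merged)


def explain_blocked(log_text):
    """Return {session_id: (classifier, named policy ids)} for non-accepted mail."""
    out = {}
    for sid, rec in sessions(log_text).items():
        if rec.get("disposition", "Accept") != "Accept" and "policy" in rec:
            out[sid] = (rec.get("classifier"), parse_policy_ids(rec["policy"]))
    return out


if __name__ == "__main__":
    for sid, (classifier, ids) in explain_blocked(SAMPLE_LOG).items():
        print(sid, classifier, ids)
```
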
neonbit
Valued Contributor

Thanks emnoc, I've always wondered what order those id numbers were in!
emnoc
Esteemed Contributor III

TIP: If you're ever bored and curious, just create new policies that are more specific for, let's say, a user sender pattern. Shift the policies around (move them before the broader policies). Send mail that matches the more specific policy and monitor the logs and policy id. You will see the results in your log. I do exactly that to ensure policies are being matched based on configurations and requirements. You might craft different policies with different AV/AS features or session limits and then use these in your FortiMail. Just my 2 cts...
