Hello!
Can you explain why a deny happened on this log? The address is released in the rule, but it was blocked anyway, just a single time.
date=2025-08-28 time=10:08:20 id=7543622580939259925 itime=2025-08-28 10:08:21 euid=3 epid=6003 dsteuid=3 dstepid=101 logflag=3 logver=704082795 sfsid=0 type=traffic subtype=forward level=notice action=deny policyid=52 sessionid=147382898 srcip=172.30.171.217 dstip=138.59.163.69 srcport=42401 dstport=443 trandisp=noop duration=44 proto=6 sentbyte=180 rcvdbyte=0 sentpkt=3 rcvdpkt=0 logid=0000000013 service=HTTPS app=HTTPS appcat=unscanned srcintfrole=lan dstintfrole=wan srcserver=0 policytype=policy eventtime=1756386501043559039 crscore=30 craction=131072 crlevel=high srcuuid=498de162-e8a6-51ef-6775-922ed917fc34 dstuuid=5d5a000e-f37d-51ef-1ff6-866a1aaf3cde poluuid=f050e110-e89d-51ef-5c4c-a43178bb4c78 srcmac=56:84:20:f4:60:02 mastersrcmac=56:84:20:f4:60:02 srccountry=Reserved dstcountry=Brazil srcintf=lan dstintf=wan2 policyname=Boleto_digital threatwgts=30 threatcnts=1 threatlvls=3 threats=blocked-connection threattyps=blocked-connection tz=-0300 vd=root csf=UNF_SEC_FABRIC dtime=2025-08-28 10:08:20 itime_t=1756386501 devname=FGT100F_ALF srcuuid_name=SAP Server dstuuid_name=Boleto Digital - Itau
It appears you have most things covered. One additional thing that might be a good idea is to create an app-filter for high risk score apps and app categories and use the filter for an app block rule. Using an app filter can be useful, because it scales automatically as new app-ids are created, if they fall into the right criteria, they'll automatically get added to that app filter.
Are you using security profiles in the related rule? Did you check the related UTM logs?
Yes, I do, but my security profile is just monitoring it. I'm using web filter just to see the URLs that are being accessed and couldn't find the web filter log for this deny event, so probably it was blocked before the rating.
Try debugging the flow to see what is blocking the traffic.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Debug-flow-tool/ta-p/213238
Sorry for the delayed answer. I debugged the flow and I found a few sessions falling into a sdwan general route instead of the policy route. So the traffic was denied due to the wrong outgoing interface. It was a strange behavior, the policy route rule was correct, so I created an SDWAN rule to ensure traffic always goes to the correct interface. It's working fine now, but I couldn't figure out why it went to the SDWAN rule.
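A way to spot this pattern in exported traffic logs, as an added example that is not part of the thread: it parses the key=value format shown in the question and reports flows whose denied sessions left through an interface never used by their allowed sessions. The sample lines, addresses, policy name and the `wan1` interface are constructed, and treating every action other than `deny` as allowed is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), trimmed to the fields used here.
SAMPLE_LOGS = """\
date=2025-01-01 time=10:00:01 type=traffic subtype=forward action=accept policyid=52 srcip=192.0.2.10 dstip=198.51.100.20 dstport=443 dstintf=wan1 policyname="Example rule"
date=2025-01-01 time=10:03:12 type=traffic subtype=forward action=close policyid=52 srcip=192.0.2.10 dstip=198.51.100.20 dstport=443 dstintf=wan1 policyname="Example rule"
date=2025-01-01 time=10:08:20 type=traffic subtype=forward action=deny policyid=52 srcip=192.0.2.10 dstip=198.51.100.20 dstport=443 dstintf=wan2 policyname="Example rule"
date=2025-01-01 time=10:09:00 type=traffic subtype=forward action=deny policyid=0 srcip=192.0.2.11 dstip=198.51.100.99 dstport=23 dstintf=wan2
"""

# key=value pairs; a value is either double-quoted or runs to the next space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def find_interface_mismatch(log_text):
    """Map each flow to the interfaces it was denied on but never allowed on.

    A flow is (srcip, dstip, dstport). Flows with no allowed session are
    skipped: those are ordinary denies, not a routing inconsistency.
    """
    seen = defaultdict(lambda: {"allowed": set(), "denied": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("type") != "traffic" or "action" not in fields:
            continue
        flow = (fields.get("srcip"), fields.get("dstip"), fields.get("dstport"))
        # Assumption: any action other than "deny" counts as an allowed session.
        bucket = "denied" if fields["action"] == "deny" else "allowed"
        seen[flow][bucket].add(fields.get("dstintf"))

    findings = {}
    for flow, intfs in seen.items():
        unexpected = intfs["denied"] - intfs["allowed"]
        if intfs["allowed"] and unexpected:
            findings[flow] = {"allowed_on": sorted(intfs["allowed"]),
                              "denied_on": sorted(unexpected)}
    return findings


if __name__ == "__main__":
    for flow, detail in find_interface_mismatch(SAMPLE_LOGS).items():
        print(flow, detail)
```

A flow reported here is a candidate for the debug flow check suggested above, since the log alone does not show which route lookup selected the interface.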