I seem to have run into this bug with our analyser and would like to know whether other people have also noticed this. In our logging almost a week ago i found that SIP-A wasnt reaching DIP-B so i created a policy which (youve guessed it) would allow for said communications which it consequently did... Today after i sat down at my desk i wanted to go over the old logging which showed SIP-A>DIP-B blocking in order to get timeline right. However to my surprise i noticed that the forti analyser showed the traffic as allowed. Even though it was 100% blocked on the dates it now showes as allowed (i have the screenshots from when it was blocked). 

The only way for me to know that traffic was even blocked is going by that screenshot and some other small details. However, if somebody else but me were to analyse those logs (from when it was blocked) they wouldnt get the clue to what was wrong prior to me creating the policy.

Id reckon that this would defeat the purpose of keeping logs, anyway Please let me know if something needs to change on our end with regards to loggin. I just cant imagine this should be the case.