First check if and how traffic enters the device. Use the filter option.
Make sure traffic offloading to the NP is disabled for the policy in question, (remove this command when done):
config firewall policy edit <policyID> set auto-asic-offload disable
Using the FortiOS packet sniffer
Assgined Internet Protocol numbers
Then check the flow through the firewall and find out the policy id
Find the system session and PolicyID
session info: proto=1 proto_state=00 duration=96 <snip> misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0 <snip> total session 2
Then use show firewall policy <id> to list the policy used for the traffic:
FGT60ELexThuis # show firewall policy 3 config firewall policy edit 3 set name "Lex" set uuid d42a3556-cb66-51e7-e20b-6be8577def0b set srcintf "internal" set dstintf "wan1" set srcaddr "Lex zolder" "Laptop Lex" "PC Huiskamer" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set logtraffic all set av-profile "Quick block" set ips-sensor "protect_client" set application-list "block-botnet-monitor" set profile-protocol-options "custom-default" set ssl-ssh-profile "certificate-inspection" set nat enable next end
Hits: 170