This article describes why a firewall policy used for a policy-based VPN does not update its hit count and byte count in the GUI, even though traffic is matching the policy.
Scope
Policy-based VPN.
Solution
The FortiGate is configured with a policy-based VPN policy that has 'set inbound enable'. Below is an example of the policy, followed by the address object it references:

    config firewall policy
        edit 1
            set name "Site-A"
            set uuid 6646e208-1030-51ef-6c5d-b7df2786104d
            set srcintf "Internal"
            set dstintf "Untrust"
            set action ipsec
            set srcaddr "DC_Subnet"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set inbound enable
            set vpntunnel "Site-A"
        next
    end

    config firewall address
        edit "DC_Subnet"
            set uuid 5879acb0-102f-51ef-669a-b065daedab43
            set subnet 10.186.0.0 255.255.240.0
        next
    end
Even though traffic matches this policy, the hit count and byte count shown for it do not increase.

The session details show that the traffic originates from the remote (destination) side of the tunnel: the originating direction is 10.203.15.66 -> 10.186.15.68, i.e. towards DC_Subnet. Because 'set inbound enable' is configured, this inbound VPN traffic is accepted by the same policy (policy_id=1), but in the reverse direction to the policy's srcaddr/dstaddr:
    session info: proto=1 proto_state=00 duration=47 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
    origin-shaper=
    reply-shaper=
    per_ip_shaper=
    class_id=0 ha_id=0 policy_dir=0 tunnel=/Site-A tun_id=0.0.0.0/10.8.11.129 vlan_cos=0/255
    state=log re may_dirty npu f00
    statistic(bytes/packets/allow_err): org=58944/48/1 reply=58944/48/1 tuples=2
    tx speed(Bps/kbps): 1236/9 rx speed(Bps/kbps): 1236/9
    orgin->sink: org pre->post, reply pre->post dev=4->6/6->4 gwy=0.0.0.0/10.8.11.129
    hook=pre dir=org act=noop 10.203.15.66:1->10.186.15.68:8(0.0.0.0:0)
    hook=post dir=reply act=noop 10.186.15.68:1->10.203.15.66:0(0.0.0.0:0)
    misc=0 policy_id=1 pol_uuid_idx=15747 auth_info=0 chk_client_info=0 vd=0 serial=009e25f2 tos=ff/ff app_list=0 app=0 url_cat=0
    rpdb_link_id=00000000 ngfwid=n/a
    npu_state=0x2000100
    npu info: flag=0x00/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
    vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
    no_ofld_reason:
    ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
    npu_state_err=00/04
    total session 1
Because the traffic reaches the firewall in the reverse direction to the policy, the packet and byte counters increase in iprope group 00100003 rather than in the group the GUI reads. This can be verified by running 'diagnose firewall iprope show 00100003 <policy_id>' twice while the traffic is flowing; in the two outputs below the pkts and bytes values for policy 1 grow between runs:

    Hub # diagnose firewall iprope show 00100003 1
    idx:1 pkts:1244 (1244 0 0 0 0 0 0 0) bytes:1527632 (1527632 0 0 0 0 0 0 0)
    asic_pkts:0 (0 0 0 0 0 0 0 0) asic_bytes:0 (0 0 0 0 0 0 0 0)
    flag:0x0 hit count:6 (6 0 0 0 0 0 0 0)
    first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09

    Hub # diagnose firewall iprope show 00100003 1
    idx:1 pkts:1250 (1250 0 0 0 0 0 0 0) bytes:1535000 (1535000 0 0 0 0 0 0 0)
    asic_pkts:0 (0 0 0 0 0 0 0 0) asic_bytes:0 (0 0 0 0 0 0 0 0)
    flag:0x0 hit count:6 (6 0 0 0 0 0 0 0)
    first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09
The FortiGate GUI does not read hit count and byte information from iprope group 00100003. As a result, the policy's hit count and byte count in the GUI do not increment for this inbound VPN traffic, even though the policy is matching it and the kernel counters confirm that.
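The following is an added example, not part of the original article or of FortiOS, that shows how to confirm from CLI output alone that the policy is matching traffic in the reverse direction and that its kernel counters are moving. It parses the 'dir=org' tuple of a session entry to classify the originating direction relative to the policy's srcaddr, and diffs two 'diagnose firewall iprope show 00100003 <id>' snapshots. The sample strings are constructed from the outputs shown above; the function and field names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, copied from the outputs shown in the article:
# the originating tuple of the session and two successive iprope snapshots.
SESSION_ORG_LINE = "hook=pre dir=org act=noop 10.203.15.66:1->10.186.15.68:8(0.0.0.0:0)"
DC_SUBNET = ipaddress.ip_network("10.186.0.0/20")  # the "DC_Subnet" address object

SNAPSHOT_1 = """idx:1 pkts:1244 (1244 0 0 0 0 0 0 0) bytes:1527632 (1527632 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0) asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0 hit count:6 (6 0 0 0 0 0 0 0)
first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09"""

SNAPSHOT_2 = """idx:1 pkts:1250 (1250 0 0 0 0 0 0 0) bytes:1535000 (1535000 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0) asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0 hit count:6 (6 0 0 0 0 0 0 0)
first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09"""


@dataclass
class IpropeCounters:
    """Aggregate counters of one policy entry in an iprope group."""
    pkts: int
    bytes: int
    asic_pkts: int
    asic_bytes: int
    hit_count: int


# Only the aggregate value before each parenthesised per-CPU list is captured.
# The \b keeps 'pkts'/'bytes' from matching inside 'asic_pkts'/'asic_bytes'.
_FIELD = re.compile(r"\b(pkts|bytes|asic_pkts|asic_bytes|hit count):(\d+)")
# The originating tuple printed by 'diagnose sys session list'.
_ORG = re.compile(r"dir=org act=\w+ (\d+(?:\.\d+){3}):\d+->(\d+(?:\.\d+){3}):\d+")


def parse_iprope(text: str) -> IpropeCounters:
    """Parse one 'diagnose firewall iprope show <group> <id>' entry."""
    fields = {name: int(value) for name, value in _FIELD.findall(text)}
    return IpropeCounters(
        pkts=fields["pkts"],
        bytes=fields["bytes"],
        asic_pkts=fields["asic_pkts"],
        asic_bytes=fields["asic_bytes"],
        hit_count=fields["hit count"],
    )


def session_direction(session_text: str, policy_srcaddr: ipaddress.IPv4Network) -> str:
    """Classify a session against a policy's srcaddr: 'forward' when the
    originator lies inside srcaddr, 'reverse' when the responder does (the
    'set inbound enable' case described above), otherwise 'unmatched'."""
    match = _ORG.search(session_text)
    if match is None:
        raise ValueError("no dir=org tuple found in session output")
    src = ipaddress.ip_address(match.group(1))
    dst = ipaddress.ip_address(match.group(2))
    if src in policy_srcaddr:
        return "forward"
    if dst in policy_srcaddr:
        return "reverse"
    return "unmatched"


def counter_delta(before: IpropeCounters, after: IpropeCounters) -> dict:
    """How far each counter moved between two snapshots of the same entry."""
    return {
        "pkts": after.pkts - before.pkts,
        "bytes": after.bytes - before.bytes,
        "asic_pkts": after.asic_pkts - before.asic_pkts,
        "asic_bytes": after.asic_bytes - before.asic_bytes,
        "hit_count": after.hit_count - before.hit_count,
    }


def policy_is_passing_traffic(before: IpropeCounters, after: IpropeCounters) -> bool:
    """True when kernel or NPU packet counters grew between the snapshots,
    i.e. the policy matched traffic regardless of what the GUI columns show."""
    delta = counter_delta(before, after)
    return delta["pkts"] > 0 or delta["asic_pkts"] > 0


if __name__ == "__main__":
    print("session direction vs policy srcaddr:", session_direction(SESSION_ORG_LINE, DC_SUBNET))
    before, after = parse_iprope(SNAPSHOT_1), parse_iprope(SNAPSHOT_2)
    print("counter delta:", counter_delta(before, after))
    print("policy matched traffic:", policy_is_passing_traffic(before, after))
```

With the article's data this reports the session as 'reverse' relative to DC_Subnet, a delta of 6 packets and 7368 bytes in group 00100003, and a hit count delta of 0, which is exactly the combination that produces a policy that is working while its GUI counters stay flat.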
A fix for this issue is targeted for v7.2.10, v7.4.5 and v7.6.1.