I encountered a problem with a firewall blocking traffic even though it was supposed to let traffic through.
This particular policy used nested object grouping (Main group > Sub-group > NetworkAdr-member).
The odd thing was, it seemed to only affect one vDom.
What was happening:
The traffic did not match the configured policy and was dropped by policy 0 (implicit deny).
After diag debug and everything confirmed it was indeed dropped in policy, I finally dived into the object itself on the particular firewall.
There I saw the NetworkAdr-member was not present in the Sub-group object.
Upon closer inspection of the Sub-group object in FortiManager, I noticed the “Per Device Mapping” was turned on. It was within this mapping, the NetworkAdr-member object was missing.
Hopefully this post will fast track the troubleshooting for individuals encountering the similar problems.