Any firewall policy that is automatically added by the FortiGate unit has a policy ID number of 0.
The following are the cases most commonly created by the FortiGate unit:
The IPsec policy for FortiAnalyzer (and FortiManager v3.00) that is automatically added when an IPsec connection to the FortiAnalyzer unit (or FortiManager v3.00) is enabled has a policy ID number of 0.
The policy that is automatically added to allow access to the FortiGuard servers has a policy ID number of 0.
When the loglocaldeny command is enabled (a global setting), connection attempts to FortiGate IP addresses (including the network broadcast address, since FortiOS also listens on it) that are not allowed are dropped as violations and logged against policy ID 0 (see the sample log above).
When a zone is defined within a VDOM, intra-zone traffic that the zone's Allow or Block setting applies to is handled by policy ID 0, unless it was already matched by a regular policy.
The default drop rule, the implicit last rule in the policy list that is automatically added, has a policy ID number of 0.
When IP/MAC binding is enabled on an interface, packets whose IP address is not declared in the firewall ipmacbinding table are rejected by policy ID 0. Refer to the Related Articles section below for more information.
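Because several unrelated causes all show up in the logs as policyid=0, it is useful to separate them when reviewing traffic logs. The following Python script is an added example, not code from the original article or from Fortinet: it parses FortiGate key=value log lines and tags each policy ID 0 record by the combination of subtype and action. The log lines are constructed for this example, and the mapping is a heuristic assumption: a local-in deny (subtype=local) corresponds to the loglocaldeny case above, while a forward deny on policy 0 can be the implicit default drop, blocked intra-zone traffic, or an IP/MAC binding reject, and the log line alone does not distinguish these three.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value log syntax (documentation IP ranges,
# not captured from a real unit). Only the fields used below matter.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 logid="0000000013" type="traffic" subtype="forward" vd="root" '
    'srcip=10.0.1.25 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="port1" '
    'proto=6 action="accept" policyid=3 policytype="policy" service="HTTPS"',
    'date=2024-01-15 time=10:01:05 logid="0000000013" type="traffic" subtype="forward" vd="root" '
    'srcip=10.0.1.40 srcport=40001 srcintf="port2" dstip=10.0.2.7 dstport=23 dstintf="port3" '
    'proto=6 action="deny" policyid=0 policytype="policy" service="TELNET"',
    'date=2024-01-15 time=10:01:09 logid="0000000014" type="traffic" subtype="local" vd="root" '
    'srcip=198.51.100.77 srcport=33000 srcintf="port1" dstip=192.0.2.1 dstport=22 dstintf="root" '
    'proto=6 action="deny" policyid=0 service="SSH"',
    'date=2024-01-15 time=10:01:12 logid="0000000014" type="traffic" subtype="local" vd="root" '
    'srcip=198.51.100.77 srcport=33001 srcintf="port1" dstip=192.0.2.255 dstport=137 dstintf="root" '
    'proto=17 action="deny" policyid=0 service="NETBIOS"',
    'date=2024-01-15 time=10:02:00 logid="0000000013" type="traffic" subtype="forward" vd="root" '
    'srcip=192.0.2.1 srcport=4466 srcintf="root" dstip=203.0.113.50 dstport=443 dstintf="port1" '
    'proto=6 action="accept" policyid=0 service="HTTPS"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line):
    """Turn one FortiGate log line into a dict, stripping the quotes around values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def classify_policy0(rec):
    """Return a label for a record that hit policy ID 0, or None if a regular policy matched.

    The labels are this example's own heuristic, based on the cases listed in the article.
    """
    if rec.get("policyid") != "0":
        return None
    subtype = rec.get("subtype")
    action = rec.get("action")
    if subtype == "local" and action == "deny":
        # Connection to a FortiGate address (or a broadcast address it listens on) that
        # nothing allowed; such records are only produced when loglocaldeny is enabled.
        return "local-in-deny"
    if subtype == "forward" and action == "deny":
        # Default drop rule, blocked intra-zone traffic, or an IP/MAC binding reject.
        # The log does not say which; correlate with the zone and ipmacbinding config.
        return "forward-deny"
    if action in ("accept", "close", "timeout", "start"):
        # Traffic the unit allowed through a system-generated policy
        # (FortiGuard access, FortiAnalyzer IPsec, allowed intra-zone traffic).
        return "system-accept"
    return "other"


def summarize(lines):
    """Count policy ID 0 records per label across a batch of log lines."""
    counts = Counter()
    for line in lines:
        label = classify_policy0(parse_log(line))
        if label is not None:
            counts[label] += 1
    return counts


def is_broadcast_probe(rec):
    """True for a local-in deny whose destination looks like a /24 broadcast address.

    Assumes a /24 network; the article notes FortiOS listens on the broadcast address too.
    """
    return classify_policy0(rec) == "local-in-deny" and rec.get("dstip", "").endswith(".255")


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_log(line)
        print(rec.get("srcip"), "->", rec.get("dstip"), rec.get("service"), classify_policy0(rec))
    print(dict(summarize(SAMPLE_LOGS)))
```

A practitioner would feed the script the traffic log export and treat a sudden rise in local-in-deny records from one source as a scan of the unit's management addresses, while a rise in forward-deny records usually means a rule is missing or a zone's intra-zone setting blocks traffic that a host expects to pass.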