Technical Tip: Firewall policy lookups
Description
This article provides a sample of firewall policy lookups.
Scope
FortiGate.
Solution
Policy lookups.
- Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol.
- Use this tool to find out which policy matches specific traffic from several policies. After completing the lookup, the matching firewall policy is highlighted on the policy list page.
The Policy Lookup tool has the following requirements:
- When executing the policy lookup, it is necessary to confirm whether the relevant route required for the policy to work already exists.
- Source Interface or Incoming Interface is a mandatory filed, to find out the correct source interface, use the following command
get router info routing-table details <source IP>
Example:
FortiGate# get router info routing-table details 192.168.10.2
Routing table for VRF=0
Routing entry for 192.168.10.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port5 <-- Source Interface.
Sample configuration.
This example uses the TCP protocol to show how policy lookup works:
- In the Policy & Objects policy list page, select 'Policy Lookup' and enter the traffic parameters.
- Select 'Search' to display the policy lookup results.
Note:
From version 7.4, the option has changed to 'policy match'.
Alternatively, use the following command to trace specific traffic on which firewall policy it will match:
diagnose firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>
Example:
diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 udp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto udp dev port2> matches policy id: 0
diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 tcp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto tcp dev port2> matches policy id: 2
The above commands can also be run using the protocol number assigned by IANA.
diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 17 port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto udp dev port2> matches policy id: 0
diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 6 port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto tcp dev port2> matches policy id: 2
The diagnose firewall iprope lookup command has been updated to specify additional parameters, including policy type (policy or proxy), and a new parameter for identity-based policy matching.
The policy match feature will be activated if more than six parameters are specified in the existing diagnose command:
diagnose firewall iprope lookup <source_ip> <source_port> <destination_ip> <destination_port> <protocol> <device> <policy_type> [<auth_type>] [<user/group>] [<server>]
Note:
On entry-level FortiGates, the Policy lookup tool is renamed to Policy match. The web filter action tracing and user matching functionalities are not available, and the diagnose firewall iprope lookup can only be used for basic policy lookups.
The 'diagnose firewall iprope lookup command' may not be effective against firewall policies where authentication is enabled. Because the command does not have the user/usergroup parameter, the lookup results will not hit the intended firewall policy.
Also, when using diagnose firewall iprope lookup, ensure that the appropriate VRF (Virtual Routing and Forwarding) is selected if multiple virtual routing tables are in use, as the lookup may yield incorrect results if the traffic is routed via a different VRF.
Policy match tool in the GUI: Update policy lookup tool with policy match tool v7.4.1.
The protocol number list can be found in the following document: