Skip to main content
boneyard
boneyard
Valued Contributor
January 6, 2017
Question

is it possible to better debug / determine policy choice?

  • January 6, 2017
  • 1 reply
  • 9767 views

had an issue recently where the choice of a policy made totally no sense for certain traffic.

 

i use diagnose debug flow and see pretty much no other useful information the the choice of policy ID.

 

is there something else i can do? it would be great if there is some extra option to actually list why the fortigate feels that traffic matches a certain policy.

1 reply

emnoc
emnoc
New Member
January 7, 2017

Nope, the diag debug flow is the best thing for the fortigate fwpolicy-id diagnostic. It will show you what was matched, policyid,  route lookup, SNAT/DNAT, any other utm actions,etc......

 

It's probably the best thing out on the market outside the  checkpoint fw cmd  or cisoc asa packet-tracer.

 

So what problem are you actually seeing or the expect behavior?

 

 

 

boneyard
boneyardAuthor
Valued Contributor
January 7, 2017

in this case it was DNS traffic from an unauthenticated source hitting a policy with group authentication (FSSO) and being allowed there, it took me a while to remember this is default behaviour.

 

anyone have a good public source for this btw? i can only find it in the NSE4 training material. the authentication admin guide only states you need to setup a separate DNS allow policy before any authentication policies.

 

so when i first noticed it i started investigating the fact if the IP wasn't somehow authenticated, why did the fortitgate believe it belonged to that group? diag debug flow is helpful in pointing out results, but not why they are made. i would love to see something that compares the packet to the policy and comes out with source: match, destination: match, authentication group: failed, but DNS so match.

 

would have saved quite some searching and having doubts about FSSO working correctly again.

 

and that is just one example, had something similar in the past where the policy choice didn't make sense until i noticed the service config was messed up. again if diag debug flow had shown a match on the service i would have been able to focus on that much quicker.

 

anyway, in the end both were solved, but i had hoped for a hidden extra flag

MikePruett
MikePruett
New Member
January 7, 2017

I think it is just one of those uniquely Fortinet things for "this is just how it works" lol.

 

I pulled my hair out a good bit on a deployment before I realized it.

Terms & ConditionsAccessibility statement