Security Profile inspection Order - webfilter,IPS,DNS filter, Application control, SSL inspection

Question

Dear Expert,I face many issue during the working hours with LAN users. there are multiple security profile applied on the policy. like - Webfilter, DNS Filter, IPS, Application control, SSL inspection.I want to check which security profile first check in case any user try to access let suppose - https://abc.com (URL)I did google multiple time but could'find any better way.Example - USER (A) -- try to access URL - https://abc.comHow Security profile inspection happens. If I have applied - Webfilter, DNS Filter, IPS, Application control, SSL inspectionTroubleshooting steps should be in both way CLI and GUI if possible. I hope response will get soon from expert.

atakannatak · Answer

Hi @Umesh ,

Firstly, I recommend reviewing the following reference article, including the topics listed on the left. It provides a detailed explanation of how packet lifecycle is handled from a FortiGate perspective. From this viewpoint, you’ll notice that in scenarios where a packet matches multiple security profiles at the UTM level, there is no predefined priority order—such as Web Filter being applied before App Control.

https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading

To determine which security profile is triggering the issue, you can analyze the traffic based on source and destination via the Web GUI. This is especially useful because FortiGate typically does not present an error message to the end user when, for example, traffic is blocked due to proxy mode not functioning. When proxy mode is active, the following link shows an example of the error message that an end user receives when their access is blocked by a UTM feature:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-allow-a-website-from-a-blocked/ta-p/278021

Additionally, the following reference article will help you interpret UTM logs in the Web GUI, which is valuable for troubleshooting and identifying which profile is taking action:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-understand-the-UTM-block-logs-under-forward/ta-p/371366

On the CLI side, you’ll need to run a debug flow to capture detailed logs for the related traffic. While application-level debugging can be more convenient in certain scenarios, using a basic flow debug is more appropriate in this case, as we're analyzing traffic at a fundamental level.

Below is a sample syntax for your reference:

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diag debug console timestamp enable
diagnose debug flow trace start 1000
diagnose debug flow filter saddr X.Y.Z.T
diagnose debug flow filter daddr A.B.C.D
diagnose debug enable

NOTE: Make sure to replace X.Y.Z.T and A.B.C.D with the actual source and destination IP addresses. This will help isolate the flow and observe how FortiGate is processing the traffic in real time.

BR.

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

CCIE #68781

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded