FortiGate
iskandar_lie, Staff
Article Id 256315
Description

This article describes some basic commands for investigating traffic when the firewall is in policy-based mode.

Scope

FortiGate v6.4.x.

Solution

Firewall policy-based mode works differently from profile-based mode (default mode).

A basic implementation, and some differences in the naming of the policy rules, can be found here:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implement-Basic-policy-for-Policy-Based-NG...

diagnose debug flow  <----- Shows only the 'firewall policy' ID (labelled 'SSL Inspection & Authentication' in the GUI), and NAT if it is in place.

id=20085 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.3:2->8.8.8.8:2048) from port9. type=8, code=0, id=2, seq=5492 ."

----truncated---

id=20085 trace_id=13 func=__iprope_check_one_policy line=2174 msg="policy-1 is matched, act-accept"
id=20085 trace_id=13 func=fw_forward_handler line=811 msg="Allowed by Policy-2: SNAT"   
id=20085 trace_id=13 func=ids_receive line=298 msg="send to ips"    --> traffic is sent to the IPS PME for further processing
id=20085 trace_id=13 func=__ip_session_run_tuple line=3519 msg="SNAT 192.168.1.3->10.191.20.160:60467"
id=20085 trace_id=13 func=ipd_post_route_handler line=490 msg="out port2 vwl_zone_id 0, state2 0x4000, quality 0.

[Figure: SSL Inspection.PNG]

diagnose sys session list

session info: proto=1 proto_state=00 duration=27 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
---truncated---
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0    <----- policy_id refers to the firewall policy.
serial=000152f5 tos=ff/ff app_list=0 app=24466 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=1 <----- ngfwid refers to the security policy; in profile-based mode it is always 'ngfwid=n/a'.
npu_state=0x041008

diagnose ips pme debug enable 

PME[11593/0] match: app=none url=-1 UNKNOWN
PME[11593/0] matching policy "internet"
PME[11593/0] ...matching apps
PME[11593/0] ...explicit match
PME[11593/0] ...matching actions
PME[11593/0] [EXPLICIT PASS] internet : url=-1
PME[11593/0] ...trigger policy 1 internet
PME[11593/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x104 s:0}
PME[11593/0] policy=1 action=0 log_traffic=0 isdb_src/dst=0/0
PME[11593/0] policy=1 action=0 log_traffic=1 isdb_src/dst=0/0
PME[11594/0] auth query not needed
PME[11594/0] current {
PME[11594/0] SRC intf= 11 tuple=192.168.1.3:57030
PME[11594/0] mac=00:76:6f:6c:34:01
PME[11594/0] DST intf= 4 tuple=8.8.8.8:53
PME[11594/0] mac=00:76:6f:6c:01:09
PME[11594/0] vdom=0 proto=17 time=337536 serial=000775ac
PME[11594/0] user=0 groups-count=0 groups=[]
PME[11594/0] }
PME[11594/0] static for vdom=0 {
PME[11594/0] policy: id=1 "internet" intf={src_ids: { 11 }, dst_ids: { 4 }} flags=d0
PME[11594/0] }
PME[11594/0] policy 1: static match passed
PME[11594/0] session was created
PME[11594/0] PME features: 00000000+00000061-00002306=00000061
PME[11594/0] policies 1 {
01 : 01 internet         <----- Refer to security policy.
}

When ngfw-mode is set to policy-based, all VDOM traffic is forwarded from the kernel to the IPS engine, which decides whether to allow or block it.

Thus in 'config firewall policy' there is usually a single rule that allows all traffic; this rule also performs SSL inspection if it is enabled.
The debug for this stage is 'diag debug flow ...'. It shows the kernel processing output, with the packets being accepted and forwarded to the IPS engine daemon/process.
The rules processed by the IPS engine are set in 'config firewall security-policy', so the debug used for that stage is 'diag ips debug ...' and 'diag ips pme ...'.
PME is the policy matching engine; it processes the ngfw-mode (security policy) setup.
The PME policy decision is a final accept or deny for each session.
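As an added example (not part of the original article), the following Python script parses captured 'diagnose debug flow' and 'diagnose sys session list' output in the formats shown above: it groups flow lines by trace_id and pulls out the matched firewall policy and action, SNAT, and the hand-off to the IPS engine, and for each session it reports the policy_id/ngfwid pair. The sample output embedded in the script is constructed, modelled on the lines above, and the function names are the example's own.

```python
import re  # the sample output below is constructed, modelled on the formats shown above
FLOW = """\
id=20085 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.3:2->8.8.8.8:2048) from port9. type=8, code=0, id=2, seq=5492 ."
id=20085 trace_id=13 func=__iprope_check_one_policy line=2174 msg="policy-1 is matched, act-accept"
id=20085 trace_id=13 func=ids_receive line=298 msg="send to ips"
id=20085 trace_id=13 func=__ip_session_run_tuple line=3519 msg="SNAT 192.168.1.3->10.191.20.160:60467"
id=20085 trace_id=14 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.9:4411->203.0.113.5:445) from port9. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=14 func=fw_forward_handler line=811 msg="Denied by forward policy check (policy 0)"
"""
SESSIONS = """\
session info: proto=1 proto_state=00 duration=27 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=1
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
misc=0 policy_id=4 auth_info=0 chk_client_info=0 vd=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
"""
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\w+)')
POLICY_RE = re.compile(r'policy-(\d+) is matched, act-(\w+)')
SNAT_RE = re.compile(r'^SNAT (\S+)->(\S+)$')

def parse_debug_flow(text):
    """Per trace_id: packet, matched firewall policy and action, SNAT, and whether the
    kernel handed the packet to the IPS engine (where the PME applies the security policy)."""
    traces = {}
    for raw in text.splitlines():
        if not (m := LINE_RE.search(raw)):
            continue
        trace, func, msg = m.groups()
        t = traces.setdefault(int(trace), dict(packet=None, policy_id=None, action=None, snat=None, sent_to_ips=False))
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t["packet"] = (p[2], p[3], int(p[1]), p[4])  # src, dst, proto, ingress interface
        elif p := POLICY_RE.search(msg):
            t["policy_id"], t["action"] = int(p[1]), p[2]
        elif p := SNAT_RE.match(msg):
            t["snat"] = (p[1], p[2])
        elif msg == "send to ips":
            t["sent_to_ips"] = True  # only now does the security policy (PME) get a say
        elif msg.startswith("Denied by forward policy check"):
            t["policy_id"], t["action"] = 0, "drop"  # implicit deny in the kernel; the IPS engine never sees it
    return traces

def parse_session_list(text):
    """policy_id is the firewall policy; ngfwid is the security policy ('n/a' when not processed in policy-based mode)."""
    sessions = []
    for block in text.split("session info:")[1:]:
        f = dict(re.findall(r"(\w+)=(\S+)", block))
        sessions.append({"proto": int(f["proto"]), "policy_id": int(f["policy_id"]),
                         "ngfwid": None if f["ngfwid"] == "n/a" else int(f["ngfwid"])})
    return sessions
```

A trace whose dictionary ends with sent_to_ips set to False never reached the PME, so for that session only the 'diag debug flow' output is relevant and 'diag ips pme' debug will show nothing.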

Note:

IPS debug shows a more detailed log than 'ips pme' debug. Be cautious when using IPS debug in verbose mode, as it consumes a lot of resources.

Example of the IPS PME debug commands:

diagnose ips filter set "src 172.16.50.102 and dst 10.177.224.111"

diag ips filter status
2023-02-24 11:59:53 DEBUG FILTER:
2023-02-24 11:59:53 debug level: 0
2023-02-24 11:59:53 filter: "src 172.16.50.102 and dst 10.177.224.111"
2023-02-24 11:59:53 process id: 0

diagnose ips pme debug enable
diagnose debug enable

Related article: 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPS-engine-new-debug-commands/ta-p/2...