Created on 05-12-2023 06:19 AM. Edited on 10-08-2025 09:45 PM. By Anthony_E.
This article describes some basic commands for investigating traffic processing in NGFW policy-based mode.
Scope: FortiGate.
FortiOS NGFW policy-based mode works differently from the default profile-based mode. See the article Technical Tip: Implement Basic policy for Policy Based NGFW Mode for a basic implementation and some differences in which configuration sections are required.
In NGFW policy-based mode, all VDOM traffic is forwarded to the IPS engine, which decides whether to allow or block it. Security processing uses flow-based inspection only, i.e. there is no proxy-based inspection in NGFW policy-based mode.
By default, there is one SSL Inspection & Authentication Policy ('config firewall policy'), but others can be added. If deep inspection is required, it is configured in this location. Debug flow commands show details for 'SSL Inspection & Authentication' policy matching and any Source or Destination NAT applied.
diagnose debug reset
diagnose debug flow filter addr 192.168.1.3
diagnose debug enable
diagnose debug flow trace start 10
{...}
id=20085 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.3:2->8.8.8.8:2048) from port9. type=8, code=0, id=2, seq=5492 ."
----truncated---
id=20085 trace_id=13 func=__iprope_check_one_policy line=2174 msg="policy-1 is matched, act-accept"
id=20085 trace_id=13 func=fw_forward_handler line=811 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=13 func=ids_receive line=298 msg="send to ips" <-- traffic is sent to ips pme for further processing.
id=20085 trace_id=13 func=__ip_session_run_tuple line=3519 msg="SNAT 192.168.1.3->10.191.20.160:60467"
id=20085 trace_id=13 func=ipd_post_route_handler line=490 msg="out port2 vwl_zone_id 0, state2 0x4000, quality 0.
The session list shows some information relevant to both 'Security Policy' and 'SSL Inspection & Authentication' Policy:
diagnose sys session filter src 192.168.1.3
diagnose sys session list
session info: proto=1 proto_state=00 duration=27 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
---truncated---
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 <----- policy_id refers to the 'SSL Inspection & Authentication' policy. It should not change over the lifetime of a session.
serial=000152f5 tos=ff/ff app_list=0 app=24466 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=1 <---- ngfwid is the security-policy currently used to process the traffic. It can change over the lifetime of a session. In profile-based mode this is always 'ngfwid=n/a'.
npu_state=0x041008
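The two annotated fields above can be checked mechanically across two session-list snapshots. The Python below is an added example written for this article, not Fortinet code or output: the session text it parses is constructed in the shape of 'diagnose sys session list' (the first session repeats the values shown above; the second, in vd=1 with ngfwid=n/a, is invented to stand for a session in a profile-based VDOM), and the names SessionView, parse_session_list and compare_snapshots are the example's own. It flags a changed policy_id as unexpected and reports a changed ngfwid as a normal security-policy re-evaluation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of 'diagnose sys session list' output,
# trimmed to the lines this parser needs. The first session mirrors the
# values shown on the page; the second (vd=1, ngfwid=n/a) is invented to
# stand for a session in a profile-based VDOM.
SNAPSHOT_T0 = """\
session info: proto=1 proto_state=00 duration=27 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=000152f5 tos=ff/ff app_list=0 app=24466 url_cat=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=1
npu_state=0x041008
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=1
serial=000776b0 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=n/a
npu_state=0x000000
"""

# The same two sessions a few seconds later (also constructed): the IPS engine
# has re-evaluated the first one against a different security-policy
# (ngfwid 1 -> 2) while its policy_id stayed at 2.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("ngfwid=1\n", "ngfwid=2\n").replace("duration=27", "duration=35")


@dataclass
class SessionView:
    serial: str
    vd: int
    proto: int
    policy_id: int          # 'SSL Inspection & Authentication' policy (config firewall policy)
    ngfwid: Optional[int]   # security-policy currently processing the session; None for 'n/a'

    @property
    def mode(self) -> str:
        # Profile-based VDOMs always show ngfwid=n/a.
        return "profile-based" if self.ngfwid is None else "ngfw-policy-based"


def parse_session_list(text: str) -> dict:
    """Split session-list output into one SessionView per session, keyed by serial."""
    sessions = {}
    for block in re.split(r"^(?=session info:)", text, flags=re.M):
        if not block.strip():
            continue
        # Every 'key=value' token in the block; later duplicates overwrite earlier ones.
        kv = dict(re.findall(r"(\w+)=(\S+)", block))
        ngfw = kv.get("ngfwid", "n/a")
        view = SessionView(
            serial=kv["serial"],
            vd=int(kv["vd"]),
            proto=int(kv["proto"]),
            policy_id=int(kv["policy_id"]),
            ngfwid=None if ngfw == "n/a" else int(ngfw),
        )
        sessions[view.serial] = view
    return sessions


def compare_snapshots(before: dict, after: dict) -> list:
    """Report policy changes for sessions present in both snapshots.

    A changed policy_id is flagged as unexpected (the SSL Inspection &
    Authentication policy is fixed for a session's lifetime); a changed
    ngfwid is reported as a security-policy re-evaluation by the IPS engine.
    """
    findings = []
    for serial, new in after.items():
        old = before.get(serial)
        if old is None:
            continue
        if new.policy_id != old.policy_id:
            findings.append((serial, "unexpected", f"policy_id {old.policy_id}->{new.policy_id}"))
        if new.ngfwid != old.ngfwid:
            findings.append((serial, "expected", f"ngfwid {old.ngfwid}->{new.ngfwid}"))
    return findings


if __name__ == "__main__":
    t0 = parse_session_list(SNAPSHOT_T0)
    t1 = parse_session_list(SNAPSHOT_T1)
    for s in t1.values():
        print(f"{s.serial} vd={s.vd} {s.mode}: policy_id={s.policy_id} ngfwid={s.ngfwid}")
    for serial, kind, what in compare_snapshots(t0, t1):
        print(f"{serial}: {kind} change: {what}")
```

Run it on two saved copies of the real session list (filtered with 'diagnose sys session filter src ...' first) to confirm that only ngfwid moves for a given serial while the session is being classified.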
Once a session is sent to the IPS engine, it is processed according to 'config firewall security-policy'. Debug commands to observe IPS processing begin with 'diagnose ips debug...' or 'diagnose ips pme...'.
PME debug shows Security Policy matching logic:
PME stands for Policy Matching Engine and is used to process the NGFW-mode (security policy) setup. The result of PME processing is either final acceptance or denial for each session.
diagnose debug reset
diagnose debug enable
diagnose ips pme debug enable
PME[11593/0] match: app=none url=-1 UNKNOWN
PME[11593/0] matching policy "internet"
PME[11593/0] ...matching apps
PME[11593/0] ...explicit match
PME[11593/0] ...matching actions
PME[11593/0] [EXPLICIT PASS] internet : url=-1
PME[11593/0] ...trigger policy 1 internet
PME[11593/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x104 s:0}
PME[11593/0] policy=1 action=0 log_traffic=0 isdb_src/dst=0/0
PME[11593/0] policy=1 action=0 log_traffic=1 isdb_src/dst=0/0
PME[11594/0] auth query not needed
PME[11594/0] current {
PME[11594/0] SRC intf= 11 tuple=192.168.1.3:57030
PME[11594/0] mac=00:76:6f:6c:34:01
PME[11594/0] DST intf= 4 tuple=8.8.8.8:53
PME[11594/0] mac=00:76:6f:6c:01:09
PME[11594/0] vdom=0 proto=17 time=337536 serial=000775ac
PME[11594/0] user=0 groups-count=0 groups=[]
PME[11594/0] }
PME[11594/0] static for vdom=0 {
PME[11594/0] policy: id=1 "internet" intf={src_ids: { 11 }, dst_ids: { 4 }} flags=d0
PME[11594/0] }
PME[11594/0] policy 1: static match passed
PME[11594/0] session was created
PME[11594/0] PME features: 00000000+00000061-00002306=00000061
PME[11594/0] policies 1 {
01 : 01 internet <----- security policy ID and name.
}
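To make PME output easier to read at volume, the verdict lines can be grouped by their PME[<id>/...] tag and tied back to the session serial seen in the session list. The Python below is an added example for this article, not Fortinet code: the text it parses is constructed in the shape of the output above (PME[11593/0] and PME[11594/0] repeat the fields shown on the page; PME[11600/0] with a policy named "guest" is invented to show a second verdict), and parse_pme_debug, verdicts and find_by_serial are the example's own names. Only the PASS verdict shown on the page is assumed; any other word on a [DECISION MADE] line is carried through as-is.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of 'diagnose ips pme debug enable' output.
# PME[11593/0] and PME[11594/0] repeat the fields shown on the page;
# PME[11600/0] (policy "guest", policy=2) is invented for a second verdict.
PME_DEBUG = """\
PME[11593/0] match: app=none url=-1 UNKNOWN
PME[11593/0] matching policy "internet"
PME[11593/0] ...matching apps
PME[11593/0] ...explicit match
PME[11593/0] ...matching actions
PME[11593/0] [EXPLICIT PASS] internet : url=-1
PME[11593/0] ...trigger policy 1 internet
PME[11593/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x104 s:0}
PME[11594/0] auth query not needed
PME[11594/0] current {
PME[11594/0]     SRC intf= 11 tuple=192.168.1.3:57030
PME[11594/0]     DST intf= 4 tuple=8.8.8.8:53
PME[11594/0]     vdom=0 proto=17 time=337536 serial=000775ac
PME[11594/0] }
PME[11594/0] policy 1: static match passed
PME[11594/0] session was created
PME[11600/0] matching policy "guest"
PME[11600/0] [DECISION MADE] PASS view=3 policy=2 features={p:0x104 s:0}
"""

LINE_RE = re.compile(r"^PME\[(\d+)/\d+\]\s*(.*)$")
CANDIDATE_RE = re.compile(r'matching policy "([^"]+)"')
EXPLICIT_RE = re.compile(r"\[EXPLICIT (\w+)\] (\S+)")
DECISION_RE = re.compile(r"\[DECISION MADE\] (\w+) view=(\d+) policy=(\d+)")
TUPLE_RE = re.compile(r"(SRC|DST) intf=\s*(\d+) tuple=(\S+)")
SESSION_RE = re.compile(r"vdom=(\d+) proto=(\d+) .*serial=([0-9a-fA-F]+)")
STATIC_RE = re.compile(r"policy (\d+): static match passed")


def _new_record():
    return {"candidates": [], "explicit": None, "decision": None, "view": None,
            "policy": None, "src": None, "dst": None, "vdom": None, "proto": None,
            "serial": None, "static_match": None, "session_created": False}


def parse_pme_debug(text: str) -> dict:
    """Group PME lines by their PME[<id>/...] tag and extract matching steps,
    the final verdict and the session identifiers. Unrecognised lines are ignored."""
    records = defaultdict(_new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pme_id, body = m.group(1), m.group(2).strip()
        rec = records[pme_id]
        if (c := CANDIDATE_RE.search(body)):
            rec["candidates"].append(c.group(1))          # policies PME considered
        elif (e := EXPLICIT_RE.search(body)):
            rec["explicit"] = (e.group(1), e.group(2))     # e.g. ('PASS', 'internet')
        elif (d := DECISION_RE.search(body)):
            rec["decision"], rec["view"], rec["policy"] = d.group(1), int(d.group(2)), int(d.group(3))
        elif (t := TUPLE_RE.search(body)):
            rec[t.group(1).lower()] = {"intf": int(t.group(2)), "tuple": t.group(3)}
        elif (s := SESSION_RE.search(body)):
            rec["vdom"], rec["proto"], rec["serial"] = int(s.group(1)), int(s.group(2)), s.group(3)
        elif (st := STATIC_RE.search(body)):
            rec["static_match"] = int(st.group(1))
        elif body == "session was created":
            rec["session_created"] = True
    return dict(records)


def verdicts(records: dict) -> list:
    """One (pme_id, decision, policy_id, candidates) row per record with a [DECISION MADE] line."""
    return [(pid, r["decision"], r["policy"], r["candidates"])
            for pid, r in records.items() if r["decision"] is not None]


def find_by_serial(records: dict, serial: str):
    """Locate the PME record for a serial taken from 'diagnose sys session list'."""
    return next(((pid, r) for pid, r in records.items() if r["serial"] == serial), None)


if __name__ == "__main__":
    recs = parse_pme_debug(PME_DEBUG)
    for pid, decision, policy, cands in verdicts(recs):
        print(f"PME[{pid}] {decision} by policy {policy} (considered {cands})")
    hit = find_by_serial(recs, "000775ac")
    if hit:
        print(f"serial 000775ac -> PME[{hit[0]}] src={hit[1]['src']} dst={hit[1]['dst']}")
```

Feeding a captured PME trace through verdicts() gives one line per decision instead of the ten or so lines PME prints per session, and find_by_serial() links a session-list entry to the matching PME record when the session serial is the only thing in common.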
IPS debug shows UTM processing logic:
Even after a session has been accepted by PME, the IPS engine continues to process traffic for the session according to the security profiles on the matching security-policy. After the PME verdict, troubleshooting for NGFW policy-based mode is similar to profile-based with flow-based inspection.
Note:
Enabling IPS debug commands generates a large volume of diagnostic output in verbose mode, depending on the number of inspected sessions, and can affect network performance by significantly increasing CPU and memory usage, particularly during high-traffic periods or when the debug is not filtered sufficiently. Use caution when enabling the debug.
It is highly recommended to use IPS filters in conjunction with debug commands.
diagnose ips filter set '<filter text>'
This filter uses libpcap/BPF arguments and allows filtering on many parameters such as source IP address, destination IP address, and TCP/UDP ports. For more on FortiOS filters, see Troubleshooting Tip: Advanced filters for FortiOS packet capture.
Example 1:
To filter traffic from source IP 10.10.10.10 on TCP port 443:
diagnose ips filter set 'src 10.10.10.10 and tcp port 443'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "host 10.10.10.10 and tcp port 443"
process id: 0
Example 2:
To filter traffic from source IP 192.168.10.1 to destination IP 8.8.4.4 on TCP port 443:
diagnose ips filter set 'src 192.168.10.1 and dst 8.8.4.4 and tcp port 443'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "src 192.168.10.1 and dst 8.8.4.4 and tcp port 443"
process id: 0
After setting the filter, enable the individual IPS debug categories relevant to the function being diagnosed. The following is an example; other debug categories exist, see the article Troubleshooting Tip: IPS engine new debug commands.
diagnose ips debug enable ssl
diagnose ips ssl debug info
diagnose ips debug enable log
diagnose ips debug enable dissector
diagnose ips debug enable detect
diagnose ips debug enable session
diagnose debug enable
To stop debugging:
diagnose debug disable
diagnose ips debug disable all
diagnose ips filter clear
Copyright 2025 Fortinet, Inc. All Rights Reserved.