Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sselvam
Staff
Staff

Created on ‎11-04-2020 10:22 PM Edited on ‎09-27-2024 07:51 AM By Community Manager

Article Id 192912

Technical Tip: Firewall policy lookups

Description

 

This article provides a sample of firewall policy lookups.

 

Scope

 

FortiGate.

Solution

 

Policy lookups.

 

  • Firewall policy lookup is based on the Source_interfaces/Protocol/Source_Address/Destination_Address that matches the source-port and dst-port of the protocol.
  • Use this tool to find out which policy matches specific traffic from a number of policies. After completing the lookup, the matching firewall policy is highlighted on the policy list page.


The Policy Lookup tool has the following requirements:

  • Transparent.
  • When executing the policy lookup, it is necessary to confirm whether the relevant route required for the policy work already exists.

 

Sample Configuration.

This example uses the TCP protocol to show how policy lookup works:

 

  • In Policy & Objects policy list page, select 'Policy Lookup' and enter the traffic parameters.


 
 
  • Select 'Search' to display the policy lookup results.
  
 
For the SSL VPN it is possible to follow the same steps, just pay attention that in the source interface, it is necessary to select the SSL VPN interface, and in the source, and an IP of users that are currently online (Authenticated).
 
In the example below the IP 10.200.1.2 is from an SSL VPN user who is connected to the VPN.
 
sslvpn.JPG


Note: 
From the 7.4 version, the option is changed to 'policy match'.

Alternatively, use the following command to trace specific traffic on which firewall policy it will be matching:

 

diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

 

Example:

diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 udp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto udp dev port2> matches policy id: 0

diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 tcp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto tcp dev port2> matches policy id: 2

9764
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.