FortiGate
simonz_FTNT
Staff
Article Id 192222

Description

This article describes how to check policy matching in policy-based operation mode.

Scope

FortiGate.

Solution


In policy-based mode the firewall policy is split into two sections. Their names and CLI tables depend on the FortiOS version:

FOS version      | Native policy                             | Application control policy
-----------------|-------------------------------------------|---------------------------------------
7.0 & 6.4        | SSL Inspection & Authentication           | Security Policy
                 | CLI: config firewall policy               | CLI: config firewall security-policy
6.2.3 and above  | SSL Inspection & Authentication           | Security Policy
                 | CLI: config firewall consolidated policy  | CLI: config firewall security-policy
Below 6.2.3      | Firewall Policy                           | Security Policy
                 | CLI: config firewall consolidated policy  | CLI: config firewall security-policy

Because the policy is split into two sections, using debug flow to check which policy traffic is hitting (refer to FD30038 for the detailed commands) only shows the policy defined in the native policy section. To debug the Security Policy, which is handled by IPS, use the debug below.

To start debug.

 

diagnose ips pme debug enable
diagnose debug enable

 

To stop debug.

 

diagnose debug disable
diagnose ips pme debug disable

 

The CLI output of the ips pme debug shows the matching policy together with the source and destination IP addresses:

 PME[197/0] matching policy "Internet"
 PME[197/0] ...matching apps
 PME[197/0] ...explicit match
 PME[197/0] ...matching actions
 PME[197/0] [EXPLICIT PASS] Internet : url=-1
 PME[197/0] ...trigger policy 1 Internet
 PME[197/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x4 s:0}
 PME[197/0] policy=1 action=0 log_traffic=0 isdb_src/dst=0/0
 PME[198/0] auth query not needed
 PME[198/0] current {
 PME[198/0] SRC intf= 5 tuple=192.168.1.2:56101             ----> Source IP
 PME[198/0] DST intf= 3 tuple=x.x.x.x:443                   ----> Destination IP 
 PME[198/0] vdom=0 vrf=0 proto=6 time=137738 serial=00098f7e
 PME[198/0] user=0 groups-count=0 groups=[]
 PME[198/0] }
 PME[198/0] static {
 PME[198/0] policy: id=1 "Internet" intf={src_ids: { 5 }, dst_ids: { 3 }} flags=180
 PME[198/0] }
 PME[198/0] policy 1: static match passed
 PME[198/0] session was created

 

Note:
To restrict the PME debug to specific traffic, set a BPF filter:

 

diagnose ips filter set "host 10.10.1.1 and port 443"

 

It is also advised to run these debugs with extra caution, preferably during a low-traffic period.

The debugging above is only required when a deeper investigation is needed into why traffic is not hitting the expected policy; the session list already provides a quick view of which policy is being matched.


The example below shows SSH traffic from host 10.101.0.2 to destination 10.56.255.7. The fields policy_id=2 and ngfwid=2 indicate that the session matched firewall policy 2 (policy_id) and security policy 2 (ngfwid).

 

session info: proto=6 proto_state=11 duration=3 expire=29 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr npu
statistic(bytes/packets/allow_err): org=160/3/1 reply=131/2/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->16/16->9 gwy=10.56.243.254/10.101.0.2
hook=post dir=org act=snat 10.101.0.2:50338->10.56.255.7:22(10.56.242.52:50338)
hook=pre dir=reply act=dnat 10.56.255.7:22->10.56.242.52:50338(10.101.0.2:50338)
hook=post dir=reply act=noop 10.56.255.7:22->10.101.0.2:50338(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001540 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=2
npu_state=0x003c08
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=75/75, ipid=132/146, vlan=0x0000/0x0000
vlifid=132/146, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=10/11
no_ofld_reason:  block-by-ips redir-to-ips

 

The session above indicates that the traffic has been dropped by IPS; refer to the last line (no_ofld_reason).
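As an added example (not part of the original article), the following Python script parses both outputs discussed above, the ips pme debug lines and the session list, and extracts the matched firewall policy (policy_id), security policy (ngfwid), decision and address tuples. The sample inputs are constructed from the outputs shown above, with the masked destination replaced by the documentation address 203.0.113.10.

```python
import re

# Constructed sample, trimmed from the "diagnose ips pme debug" output above.
PME_SAMPLE = """\
PME[197/0] matching policy "Internet"
PME[197/0] [DECISION MADE] PASS view=3 policy=1 features={p:0x4 s:0}
PME[198/0] SRC intf= 5 tuple=192.168.1.2:56101
PME[198/0] DST intf= 3 tuple=203.0.113.10:443
PME[198/0] policy 1: static match passed
"""

# Constructed sample, trimmed from the "diagnose sys session list" output above.
SESSION_SAMPLE = """\
session info: proto=6 proto_state=11 duration=3 expire=29 timeout=3600
hook=post dir=org act=snat 10.101.0.2:50338->10.56.255.7:22(10.56.242.52:50338)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=2
no_ofld_reason:  block-by-ips redir-to-ips
"""

def parse_pme(text):
    """Extract decision, security policy id/name and SRC/DST tuples from PME lines."""
    out = {}
    for line in text.splitlines():
        body = re.sub(r"^\s*PME\[\d+/\d+\]\s*", "", line)  # strip the PME[pid/x] prefix
        m = re.match(r'matching policy "(.+)"', body)
        if m:
            out["policy_name"] = m.group(1)
        m = re.match(r"\[DECISION MADE\] (\w+) view=\d+ policy=(\d+)", body)
        if m:
            out["decision"], out["policy_id"] = m.group(1), int(m.group(2))
        m = re.match(r"(SRC|DST) intf=\s*(\d+) tuple=(\S+)", body)
        if m:
            out[m.group(1).lower()] = {"intf": int(m.group(2)), "tuple": m.group(3)}
    return out

def parse_session(text):
    """Extract firewall policy id, NGFW security policy id, tuple and offload reasons."""
    out = {}
    for line in text.splitlines():
        for key in ("policy_id", "ngfwid"):  # \b keeps policy_dir from matching policy_id
            m = re.search(rf"\b{key}=(\d+)", line)
            if m:
                out[key] = int(m.group(1))
        m = re.match(r"hook=post dir=org act=\w+ (\S+?)->(\S+?)\(", line)
        if m:
            out["src"], out["dst"] = m.group(1), m.group(2)
        m = re.match(r"no_ofld_reason:\s*(.*)", line)
        if m:
            out["no_ofld_reason"] = m.group(1).split()
    return out
```

Paste the real CLI output into PME_SAMPLE or SESSION_SAMPLE to get the matched policy ids and the original direction tuple without reading the whole dump by hand.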