FortiGate
nithincs
Staff & Editor
Article Id 195435

Description

This article describes the GUI and CLI commands used to perform a policy lookup for pass-through traffic.

Scope

FortiGate.

Solution

A policy lookup can be performed either from the GUI or from the CLI, as shown below.

GUI:

To run a policy lookup from the GUI, navigate to Policy & Objects -> Firewall Policy and select Policy Match.

This opens the Policy Match tool. Fill in the details of the flow to check, and the tool shows which policy that flow would match.

CLI:

To check the policy from the CLI, use the policy lookup command with the following syntax:

diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <Incoming_interface>

For example, to check DNS traffic (UDP port 53) from source 172.31.192.56 to 8.8.8.8, the command is as follows:

 

diagnose firewall iprope lookup 172.31.192.56 0 8.8.8.8 53 17 port3
<src [172.31.192.56-0] dst [8.8.8.8-53] proto 17 dev port3> matches policy id: 1

 

To check HTTPS traffic (TCP port 443) from source 172.31.192.56 to 208.91.113.45, the command is as follows:

 

diagnose firewall iprope lookup 172.31.192.56 0 208.91.113.45 443 6 port3
<src [172.31.192.56-0] dst [208.91.113.45-443] proto 6 dev port3> matches policy id: 1

 

The protocol ID for TCP is 6, and the ID for UDP is 17.

Iprope lookup for ICMP:

For ICMP the protocol is given as 1/ and both ports as 0. To check ICMP traffic from source 10.12.244.210 to 208.91.113.45, the command is as follows:

 

diagnose firewall iprope lookup 10.12.244.210 0 208.91.113.45 0 1/ Root_to_GI1
<src [10.12.244.210-0] dst [1.1.1.1-0] proto 1/ dev Root_to_GI1> matches policy id: 1

 

Below is the output when no policy matches ICMP traffic from source 10.12.244.210 to destination 208.91.113.45 (policy id 0 is the implicit deny):


diagnose firewall iprope lookup 10.12.244.210 0 208.91.113.45 0 1/ port1
<src [1.1.1.1-222] dst [2.2.2.2-2222] proto 1/ dev port1> matches policy id: 0

 

Note:

Before running a policy lookup, confirm that the relevant routes are present in the routing table; otherwise the lookup fails.

Iprope lookup for policy with user/group:

The syntax above will not match a policy that has users or user groups configured as its source.
To check such a policy, the syntax is:

 

diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <Incoming_interface> <pol_type> [<auth-type>] [<user/group>] [<server>]

 

For example, a lookup that does not specify a user matches policy 0 (the implicit deny):

 

diagnose firewall iprope lookup 172.31.192.56 0 8.8.8.8 53 17 port3
<src [10.135.18.1-12345] dst [8.8.8.8-53] proto 17 dev port3> matches policy id: 0

 

A lookup that specifies a user, however, finds the matching policy: policy 7 in this case, with action accept. Because 'test-username' is a local user, no authentication server is specified:

 

diagnose firewall iprope lookup 172.31.192.56 0 8.8.8.8 53 17 port3 policy user test-username
firewall policy id: 7
firewall proxy-policy id: 0
matched policy_type: policy
policy_action: accept
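When a change window involves many policies, it is worth scripting the lookups above so that each expected flow is checked against the policy it should hit, and any flow that falls through to policy 0 (the implicit deny) or lands on the wrong policy is reported before the change is signed off. The following Python script is an added example and is not part of the Fortinet article: it builds the iprope lookup commands in both the plain form and the user/group form shown above, and parses the two output shapes the article shows (the one-line "matches policy id: N" form and the multi-line "firewall policy id: N / policy_action: ..." form). The session transport (SSH or console) is deliberately left out; the captured CLI text is fed to parse_lookup_output(). The Flow and LookupResult classes, the helper names, and the sample outputs are all constructed for this example; the "policy user <name>" argument form for a local user follows the article's example and assumes no authentication server is needed.

```python
"""Build FortiGate `diagnose firewall iprope lookup` commands and parse their
output to check that expected flows hit the intended policy.

Added example, not part of the Fortinet article. The session transport is
omitted: capture the CLI output yourself and pass it to parse_lookup_output().
"""
import re
from dataclasses import dataclass
from typing import Optional

# Protocol identifiers exactly as the article gives them: TCP 6, UDP 17,
# and ICMP written as "1/".
PROTO_IDS = {"tcp": "6", "udp": "17", "icmp": "1/"}


@dataclass
class Flow:
    """One flow to look up (constructed helper type, not a FortiOS object)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str                   # "tcp", "udp" or "icmp"
    ingress: str                 # incoming interface, e.g. "port3"
    src_port: int = 0            # 0 as in the article's examples
    user: Optional[str] = None   # local user/group for identity-based policies


def build_lookup_command(flow: Flow) -> str:
    """Return the iprope lookup command; user form when a user is set."""
    proto = PROTO_IDS[flow.proto.lower()]
    cmd = (f"diagnose firewall iprope lookup {flow.src_ip} {flow.src_port} "
           f"{flow.dst_ip} {flow.dst_port} {proto} {flow.ingress}")
    if flow.user:
        # Policy with users/groups as source: <pol_type> <auth-type> <user/group>.
        # No <server> argument for a local user, matching the article's example
        # (assumption: remote users would need the server appended).
        cmd += f" policy user {flow.user}"
    return cmd


@dataclass
class LookupResult:
    policy_id: int
    action: Optional[str] = None        # only present in the user-form output
    policy_type: Optional[str] = None   # only present in the user-form output

    @property
    def implicit_deny(self) -> bool:
        # Policy id 0 means no configured policy matched (implicit deny).
        return self.policy_id == 0


# Patterns for the two output shapes shown in the article.
_ONE_LINE = re.compile(r"matches policy id:\s*(\d+)")
_POLICY_ID = re.compile(r"^firewall policy id:\s*(\d+)", re.M)
_ACTION = re.compile(r"^policy_action:\s*(\S+)", re.M)
_TYPE = re.compile(r"^matched policy_type:\s*(\S+)", re.M)


def parse_lookup_output(text: str) -> LookupResult:
    """Parse either the one-line form or the multi-line user-form output."""
    m = _POLICY_ID.search(text)
    if m:  # multi-line user-form output
        action = _ACTION.search(text)
        ptype = _TYPE.search(text)
        return LookupResult(int(m.group(1)),
                            action.group(1) if action else None,
                            ptype.group(1) if ptype else None)
    m = _ONE_LINE.search(text)
    if not m:
        raise ValueError("unrecognised iprope lookup output: %r" % text)
    return LookupResult(int(m.group(1)))


def check_expected(output: str, expected_policy: int) -> bool:
    """True when the captured output shows the policy the change plan expects."""
    return parse_lookup_output(output).policy_id == expected_policy


if __name__ == "__main__":
    # Constructed sample outputs, modelled on the article's examples.
    dns = Flow("172.31.192.56", "8.8.8.8", 53, "udp", "port3")
    print(build_lookup_command(dns))
    one_line = ("<src [172.31.192.56-0] dst [8.8.8.8-53] proto 17 dev port3> "
                "matches policy id: 1")
    print(parse_lookup_output(one_line))
    user_form = ("firewall policy id: 7\nfirewall proxy-policy id: 0\n"
                 "matched policy_type: policy\npolicy_action: accept\n")
    print(parse_lookup_output(user_form))
    deny = ("<src [10.12.244.210-0] dst [208.91.113.45-0] proto 1/ dev port1> "
            "matches policy id: 0")
    print("implicit deny:", parse_lookup_output(deny).implicit_deny)
```

The parser tries the multi-line form first because its "firewall policy id:" line is unambiguous, then falls back to the one-line form; anything else raises rather than silently reporting a match, so a changed output format cannot be mistaken for a passing check.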