FortiGate
rahulkaushik-22
Article Id 336836
Description: This article describes how to find the policy ID that traffic matched when logging is disabled on that policy.
Scope: All.
Solution:

There are many ways to find the policy ID that traffic matches on a FortiGate.

Method 1: Policy match in the WebUI and CLI.

Refer to the article: Update policy lookup tool with policy match tool 7.4.1

Method 2: dia de flow (diagnose debug flow) commands.

Run these commands first, then generate the traffic.

Follow the article: Debugging the packet flow.

Example:

Topology:

Client (10.10.10.2)---------------(10.10.10.1)FGT----------------------Internet

Ping traffic from the client to the DNS server (8.8.8.8):

FortiGate-80E # dia de flow filter addr 10.10.10.2
FortiGate-80E # dia de flow trace start 10
FortiGate-80E # dia de en

 

id=65308 trace_id=4 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=1, 10.10.10.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=6."
id=65308 trace_id=4 func=init_ip_session_common line=6063 msg="allocate a new session-011766e2"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-10.9.15.254 via wan1"
id=65308 trace_id=4 func=__iprope_tree_check line=539 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=4 func=get_new_addr line=1269 msg="find SNAT: IP-10.9.0.240(from IPPOOL), port-60418"
id=65308 trace_id=4 func=fw_forward_handler line=991 msg="Allowed by Policy-1: SNAT" <------ Policy ID 1
id=65308 trace_id=4 func=__ip_session_run_tuple line=3433 msg="SNAT 10.10.10.2->10.9.0.240:60418"

Method 3: Session list.

Follow the article: Troubleshooting Tip: FortiGate session table information

FortiGate-80E # dia sys session filter src 10.10.10.2
FortiGate-80E # dia sys session filter dst 8.8.8.8
FortiGate-80E # dia sys session list

session info: proto=1 proto_state=00 duration=33 expire=27 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=28->5/5->28 gwy=10.9.15.254/10.10.10.2
hook=post dir=org act=snat 10.10.10.2:1->8.8.8.8:8(10.9.0.240:60418)
hook=pre dir=reply act=dnat 8.8.8.8:60418->10.9.0.240:0(10.10.10.2:1)
misc=0 policy_id=1 pol_uuid_idx=647 auth_info=0 chk_client_info=0 vd=0
serial=01181f40 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=64/82, ipid=82/64, vlan=0x0000/0x0000
vlifid=82/64, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=3/2, ha_divert=0/0

The policy_id field in the session record shows the ID of the policy that the traffic matched (policy_id=1 here).
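Both the debug flow trace (Method 2) and the session table (Method 3) expose the policy ID in plain text, which makes it easy to check the two against each other when a policy has no logging. The following Python script is an added example and is not part of the article or of FortiOS: it parses captured output of both commands, extracts the policy ID per trace and per session, and reports, for every trace, whether the session table holds the same policy ID for that flow. The allowed trace and the session record are the ones printed in this article; the second, denied trace (trace_id=5, a TCP packet to 192.0.2.10) is constructed, and its "Denied by forward policy check (policy N)" wording is assumed from common FortiOS output rather than taken from the article.

```python
import re

# Sample "diagnose debug flow" output. Trace 4 is the trace printed in the article;
# trace 5 (a denied TCP packet to 192.0.2.10) is constructed for this example, and
# its "Denied by forward policy check (policy N)" wording is assumed from common
# FortiOS output, not taken from the article.
DEBUG_FLOW = """\
id=65308 trace_id=4 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=1, 10.10.10.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=6."
id=65308 trace_id=4 func=init_ip_session_common line=6063 msg="allocate a new session-011766e2"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2613 msg="find a route: flag=04000000 gw-10.9.15.254 via wan1"
id=65308 trace_id=4 func=get_new_addr line=1269 msg="find SNAT: IP-10.9.0.240(from IPPOOL), port-60418"
id=65308 trace_id=4 func=fw_forward_handler line=991 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=4 func=__ip_session_run_tuple line=3433 msg="SNAT 10.10.10.2->10.9.0.240:60418"
id=65308 trace_id=5 func=print_pkt_detail line=5886 msg="vd-root:0 received a packet(proto=6, 10.10.10.2:51000->192.0.2.10:23) tun_id=0.0.0.0 from lan. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=5 func=fw_forward_handler line=811 msg="Denied by forward policy check (policy 0)"
"""

# Sample "diagnose sys session list" record, as printed in the article (shaper and
# NPU detail lines omitted for brevity; the parser does not need them).
SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=33 expire=27 timeout=0 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=120/2/1 reply=120/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=28->5/5->28 gwy=10.9.15.254/10.10.10.2
hook=post dir=org act=snat 10.10.10.2:1->8.8.8.8:8(10.9.0.240:60418)
hook=pre dir=reply act=dnat 8.8.8.8:60418->10.9.0.240:0(10.10.10.2:1)
misc=0 policy_id=1 pol_uuid_idx=647 auth_info=0 chk_client_info=0 vd=0
serial=01181f40 tos=ff/ff app_list=0 app=0 url_cat=0
"""

PKT_RE = re.compile(r"trace_id=(\d+) .*received a packet\(proto=(\d+), (\S+)->(\S+)\)")
ALLOW_RE = re.compile(r"trace_id=(\d+) .*Allowed by Policy-(\d+)")
DENY_RE = re.compile(r"trace_id=(\d+) .*Denied by forward policy check \(policy (\d+)\)")
KV_RE = re.compile(r"(\w+)=([^\s,]*)")
TUPLE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+:\d+)->(\d+\.\d+\.\d+\.\d+:\d+)")


def flow_key(src, dst, proto):
    """Normalise to (src ip, dst ip, proto) so traces and sessions can be compared."""
    return (src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0], int(proto))


def parse_debug_flow(text):
    """Group debug-flow lines by trace_id and record the packet, verdict and policy ID."""
    traces = {}
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            tid, proto, src, dst = m.groups()
            traces.setdefault(tid, {}).update(proto=int(proto), src=src, dst=dst)
        elif m := ALLOW_RE.search(line):
            traces.setdefault(m.group(1), {}).update(verdict="allowed", policy_id=int(m.group(2)))
        elif m := DENY_RE.search(line):
            traces.setdefault(m.group(1), {}).update(verdict="denied", policy_id=int(m.group(2)))
    return traces


def parse_session_list(text):
    """Split session-list output into records; keep every key=value field plus the
    original-direction src/dst tuple from the 'hook=... dir=org' line."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            current = {}
            sessions.append(current)
        if current is None:
            continue
        current.update(KV_RE.findall(line))
        if line.startswith("hook=") and "dir=org" in line and (m := TUPLE_RE.search(line)):
            current["src"], current["dst"] = m.group(1), m.group(2)
    return sessions


def cross_check(flow_text, session_text):
    """For each trace: (policy ID from the debug flow, policy ID the session table holds
    for the same flow). The second value is None when no session exists, which is
    what a denied packet looks like."""
    by_flow = {
        flow_key(s["src"], s["dst"], s["proto"]): int(s["policy_id"])
        for s in parse_session_list(session_text)
        if "src" in s and "policy_id" in s
    }
    result = {}
    for tid, t in parse_debug_flow(flow_text).items():
        key = flow_key(t["src"], t["dst"], t["proto"])
        result[tid] = (t.get("policy_id"), by_flow.get(key))
    return result


if __name__ == "__main__":
    for tid, (from_trace, from_session) in cross_check(DEBUG_FLOW, SESSION_LIST).items():
        print(f"trace {tid}: debug flow policy={from_trace}, session table policy={from_session}")
```

Running the script shows trace 4 resolved to policy 1 by both methods, while the denied trace 5 reports policy 0 from the debug flow and no session at all, since a packet that fails the forward policy check never gets a session table entry. Paste the output of your own `dia de flow` and `dia sys session list` runs into the two strings to repeat the check on real captures.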