FortiGate
vpalli
Staff
Article Id 212244
Description

This article describes how to display the sequence number of firewall policies in the order in which they are arranged in the GUI. The sequence number is different from the numeric ID given to the firewall policy.

When policies are moved up or down using drag and drop in the GUI, the numeric IDs of the firewall policies may be shown out of order or not in sequence.

Scope

FortiGate.
Solution

Firewall policies created on FortiGate using the GUI or CLI each have a numeric ID, and every new firewall policy is assigned a number in ascending order.

The output of the command 'diagnose firewall iprope list 100004' displays the kernel iprope rules, which are checked in sequence while processing end-user traffic to allow or deny the session.

#diagnose firewall iprope list 100004

policy index=45 uuid_idx=719 action=accept
flag (8050100): nat master use_src pol_stats
flag2 (1004000): resolve_sso ses-persistent
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 6 -> zone(1): 6
source(1): 0.0.0.0-255.255.255.255, uuid_idx=500,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=500,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto

 

 

policy index=44 uuid_idx=720 action=accept
flag (8050100): nat master use_src pol_stats
flag2 (1004000): resolve_sso ses-persistent
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 41 -> zone(1): 6
source(1): 0.0.0.0-255.255.255.255, uuid_idx=500,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=500,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto


policy index=0 uuid_idx=1 action=drop
flag (8010800): d_rm master pol_stats
flag2 (4000): resolve_sso
flag3 (100): last-deny
schedule()
cos_fwd=0 cos_rev=0
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 0 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=0,
service(1):
[0:0x0:0/(0,0)->(0,0)] helper:auto


The 'policy index' value indicates the numeric ID of the firewall policy and the 'uuid_idx' corresponds to the ordered sequence number of the firewall policy.
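
An added example (not part of the original article and not Fortinet tooling): a small Python parser that reads saved output of the command above and lists each policy's 'policy index' and 'uuid_idx' in the order the kernel checks them, reporting numeric IDs that are followed by a lower one. The function names, the trimmed sample text and the use of the 'last-deny' flag to identify the implicit deny entry are assumptions based on the output shown in this article.

```python
import re

# Constructed sample: trimmed output of 'diagnose firewall iprope list 100004',
# built from the three policy blocks shown in the article.
SAMPLE = """\
policy index=45 uuid_idx=719 action=accept
zone(1): 6 -> zone(1): 6
source(1): 0.0.0.0-255.255.255.255, uuid_idx=500,

policy index=44 uuid_idx=720 action=accept
zone(1): 41 -> zone(1): 6
source(1): 0.0.0.0-255.255.255.255, uuid_idx=500,

policy index=0 uuid_idx=1 action=drop
flag3 (100): last-deny
zone(1): 0 -> zone(1): 0
"""

# Anchored at line start so the uuid_idx of address objects is not picked up.
HEADER = re.compile(r"^policy index=(\d+)\s*uuid_idx=(\d+)\s+action=(\w+)", re.M)
ZONES = re.compile(r"^zone\(\d+\):\s*(\d+)\s*->\s*zone\(\d+\):\s*(\d+)", re.M)

def parse_iprope(text):
    """Return one dict per policy block, in the order the kernel lists them."""
    headers = list(HEADER.finditer(text))
    rules = []
    for pos, m in enumerate(headers, start=1):
        end = headers[pos].start() if pos < len(headers) else len(text)
        body = text[m.end():end]
        z = ZONES.search(body)
        rules.append({
            "position": pos,                      # place in the listed order
            "policy_id": int(m.group(1)),         # 'policy index' = numeric ID
            "uuid_idx": int(m.group(2)),
            "action": m.group(3),
            "zones": (int(z.group(1)), int(z.group(2))) if z else None,
            "implicit_deny": "last-deny" in body,  # assumption: flag3 marker
        })
    return rules

def ids_out_of_order(rules):
    """Numeric IDs that are immediately followed by a lower-numbered policy."""
    real = [r for r in rules if not r["implicit_deny"]]
    return [a["policy_id"] for a, b in zip(real, real[1:]) if a["policy_id"] > b["policy_id"]]

if __name__ == "__main__":
    for r in parse_iprope(SAMPLE):
        print(r["position"], r["policy_id"], r["uuid_idx"], r["action"], r["zones"])
    print("IDs out of order:", ids_out_of_order(parse_iprope(SAMPLE)))
```
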