FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 230063


The iprope table can be seen as an internal representation of the firewall policies defined by the administrators.


All entries are organized in groups of different functions.

When an entry from a group get matched, no more entries from the group are checked.

Entries in the group are inspected from top to bottom, each entry has different matching criteria based on source/destination IP addresses, ports, and protocol.

If the packet is matching the entry criteria, an action is taken with multiple scenarios, otherwise, the next entry from the group is checked.




# diagnose firewall iprope list 100002 <----- This will list static SNAT policies.

# diagnose firewall iprope list 100000 <----- This will list VIP firewall policies.

# diagnose firewall iprope list 100004 <----- This will list normal firewall policy -- forward policies.


One example is:


Policy Group 00100004

policy index=1 uuid_idx=14 action=accept

flag (8050108): redir nat master use_src pol_stats

flag2 (4000): resolve_sso

flag3 (20): schedule(always)

cos_fwd=255 cos_rev=255

group=00100004 av=00004e20 au=00000000 split=00000000

host=0 chk_client_info=0x0 app_list=0 ips_view=0

misc=0 dd_type=0 dd_mode=0

zone(1): 3 -> zone(1): 6

source(1):, uuid_idx=12,

dest(1):, uuid_idx=13,


[0:0x0:0/(0,65535)->(0,65535)] helper:auto


For each entry, in case of a match there is an action:


- Drop the packet (action= drop).

- Redirect the packet to some processing logic (action= redirect).

- Accept the packet (action= accept).


There are no ‘implicit’ iprope entries unlike the implicit deny firewall policy.

Both entries and groups have identifiers: the group has a group number, and all entries are called policies and have an index.


The following table shows iprope groups sorted by group number.

Default entries may be provided if the group exists with default values with a factory reset configuration. 


● 00000003 [ AUTH_DEFAULT ] All Authentication policies
● 00000005 [ CAPTIVE_PORTAL ] security-mode enabled interfaces
● 00004e20 [ SESS_HELPER ] session helpers 
● 00100001 [ CUST_LOCAL_IN ] custom local-in policies
● 00100002 [ STATIC_SNAT ] Static Nat one-to-one VIP or Pool overload
● 00100003 [ DEC_FWD ] Decrypt Ipsec
● 00100004 [ ENC_FWD ] All Forwarding policies
● 0010000a [ MULTICAST ] Multicast policies
● 0010000c [ EP_REDIR ] Endpoint control policies
● 0010000d [ CENTRAL_NAT ] Policies with central nat
● 0010000e [ IMPLICIT_IN ] All default local_in policies
● 0010000f [ ADMIN_IN ] Administrative traffic allowed based on the interface allows access
● 00100011 [ ZTNA_PROXY ] ZTNA policies