# config firewall policy
    edit 1    <----- Policy ID.
        set name "Lan to WAN"
        set uuid
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode flow    <----- Flow is the default; default settings are hidden in the configuration and the line is shown here only as an example.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
Session capture taken while the user browses the web through this policy:
session info: proto=17 proto_state=01 duration=94 expire=86 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr    <----- ndr flag for flow-based inspection.
statistic(bytes/packets/allow_err): org=2015/4/1 reply=10276/11/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=10.191.31.254/172.16.20.2
hook=post dir=org act=snat 172.16.20.2:61972->142.250.186.118:443(10.191.19.69:61972)
hook=pre dir=reply act=dnat 142.250.186.118:443->10.191.19.69:61972(172.16.20.2:61972)
hook=post dir=reply act=noop 142.250.186.118:443->172.16.20.2:61972(0.0.0.0:0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0    <----- Firewall Policy ID.
serial=00000a0e tos=ff/ff app_list=0 app=0 url_cat=0
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x041008
The debug flow for the same traffic shows the message 'send to ips', which confirms that the packets are handed to the IPS engine, i.e. flow-based inspection:
id=20085 trace_id=2673 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:53692->142.250.186.132:443) from port4. "
id=20085 trace_id=2673 func=init_ip_session_common line=5792 msg="allocate a new session-0000556b"
id=20085 trace_id=2673 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-101.191.31.254 via port1"
id=20085 trace_id=2673 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"    <----- Policy ID.
id=20085 trace_id=2673 func=ids_receive line=290 msg="send to ips"    <----- Flow-based inspection.
id=20085 trace_id=2673 func=__ip_session_run_tuple line=3398 msg="SNAT 172.16.20.2->101.191.19.66:53692"
id=20085 trace_id=2674 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:53692->142.250.186.132:443) from port4. "
The same firewall policy in proxy-based inspection mode; the only change is the inspection-mode setting:
# config firewall policy
    edit 1    <----- Policy ID.
        set name "Lan to WAN"
        set uuid c4ba7418-863f-51eb-8ae5-630b01f13732
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy    <----- Proxy-based inspection.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
Session capture taken while the user browses the web through this policy:
session info: proto=6 proto_state=11 duration=17 expire=3593 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir log local may_dirty url_cat_valid    <----- redir flag for proxy-based inspection.
statistic(bytes/packets/allow_err): org=1812/13/1 reply=21397/20/1 tuples=3
tx speed(Bps/kbps): 105/0 rx speed(Bps/kbps): 1251/10
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=101.191.31.254/172.16.20.2
hook=post dir=org act=snat 172.16.20.2:49374->143.204.98.106:443(101.191.19.66:49374)
hook=pre dir=reply act=dnat 143.204.98.106:443->101.191.19.66:49374(172.16.20.2:49374)
hook=post dir=reply act=noop 143.204.98.106:443->172.16.20.2:49374(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0    <----- Firewall Policy ID.
serial=000007c5 tos=40/40 app_list=0 app=0 url_cat=52
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x040000
The debug flow for the same traffic shows the message 'send to application layer', which confirms that the session is redirected to the proxy, i.e. proxy-based inspection:
id=20085 trace_id=1655 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 172.16.20.2:49374->143.204.98.106:443) from port4. flag [.], seq 1693220933, ack 2291772406, win 513"
id=20085 trace_id=1655 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00004cb2, original direction"
id=20085 trace_id=1655 func=npu_handle_session44 line=1159 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00100306 ses.npu_state=0x00040000"
id=20085 trace_id=1655 func=fw_forward_dirty_handler line=399 msg="state=00100306, state2=00008001, npu_state=00040000"
id=20085 trace_id=1655 func=av_receive line=306 msg="send to application layer"    <----- Proxy-based inspection.
id=20085 trace_id=1656 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:62890->142.250.184.238:443) from port4. "
id=20085 trace_id=1656 func=init_ip_session_common line=5792 msg="allocate a new session-00004d81"
id=20085 trace_id=1656 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-101.191.31.254 via port1"
id=20085 trace_id=1656 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"    <----- Policy ID.
id=20085 trace_id=1656 func=__ip_session_run_tuple line=3398 msg="SNAT 172.16.20.2->101.191.19.66:62890"
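The two markers above (the ndr/redir state flags in a session entry and the 'send to ips' / 'send to application layer' messages in the debug flow) are easy to read by eye for one session, but tedious across a busy session table. The following Python helper is an added example, not part of this article and not a Fortinet tool: it parses the state flags, policy ID and SNAT hook from a `diagnose sys session list` entry and groups `diagnose debug flow` lines by trace_id, tagging each as flow or proxy. The sample inputs are abridged copies of the captures above; the class names, the "none" label for a session with neither flag, and the assumption that only these two flags/messages matter are choices of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Flags in the session "state=" field that reveal the inspection path a session took.
# These are the two flags the captures above point at (assumption: no other flag matters here).
INSPECTION_FLAGS = {
    "ndr": "flow",     # flow-based: stream handed to the IPS engine ("send to ips")
    "redir": "proxy",  # proxy-based: session redirected to the proxy ("send to application layer")
}

# The matching "msg=" texts in 'diagnose debug flow' output.
DEBUG_FLOW_MARKERS = {
    "send to ips": "flow",
    "send to application layer": "proxy",
}


@dataclass
class SessionSummary:
    proto: int
    policy_id: int
    state_flags: list
    inspection: str             # "flow", "proxy" or "none" (label chosen by this example)
    snat: Optional[str] = None  # "client:port -> translated:port" when an SNAT hook is present


@dataclass
class TraceSummary:
    trace_id: str
    policy_id: Optional[int] = None
    inspection: str = "none"
    messages: list = field(default_factory=list)


def parse_session(text: str) -> SessionSummary:
    """Summarise one multi-line 'diagnose sys session list' entry."""
    proto = int(re.search(r"\bproto=(\d+)", text).group(1))
    policy_id = int(re.search(r"\bpolicy_id=(\d+)", text).group(1))
    state = re.search(r"^state=(.*)$", text, re.M)   # anchored: skips proto_state= on line 1
    flags = state.group(1).split() if state else []
    inspection = next((INSPECTION_FLAGS[f] for f in flags if f in INSPECTION_FLAGS), "none")
    snat = None
    m = re.search(r"act=snat (\S+)->\S+\((\S+)\)", text)
    if m:
        snat = f"{m.group(1)} -> {m.group(2)}"
    return SessionSummary(proto, policy_id, flags, inspection, snat)


def classify_debug_flow(lines) -> dict:
    """Group 'diagnose debug flow' lines by trace_id and tag each trace's inspection path."""
    traces: dict = {}
    for line in lines:
        tid = re.search(r"trace_id=(\d+)", line)
        msg = re.search(r'msg="(.*)"', line)
        if not tid or not msg:
            continue
        trace = traces.setdefault(tid.group(1), TraceSummary(tid.group(1)))
        text = msg.group(1).strip()
        trace.messages.append(text)
        allowed = re.search(r"Allowed by Policy-(\d+)", text)
        if allowed:
            trace.policy_id = int(allowed.group(1))
        for marker, mode in DEBUG_FLOW_MARKERS.items():
            if text.lower().startswith(marker):
                trace.inspection = mode
    return traces


# Sample input: abridged copies of the two session captures and debug flow excerpts above.
FLOW_SESSION = """\
session info: proto=17 proto_state=01 duration=94 expire=86 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
state=log may_dirty ndr
hook=post dir=org act=snat 172.16.20.2:61972->142.250.186.118:443(10.191.19.69:61972)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
"""
PROXY_SESSION = """\
session info: proto=6 proto_state=11 duration=17 expire=3593 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=6
state=redir log local may_dirty url_cat_valid
hook=post dir=org act=snat 172.16.20.2:49374->143.204.98.106:443(101.191.19.66:49374)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
"""
DEBUG_FLOW_LINES = [
    'id=20085 trace_id=2673 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"',
    'id=20085 trace_id=2673 func=ids_receive line=290 msg="send to ips"',
    'id=20085 trace_id=1655 func=av_receive line=306 msg="send to application layer"',
    'id=20085 trace_id=1656 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"',
]

if __name__ == "__main__":
    for label, capture in (("flow", FLOW_SESSION), ("proxy", PROXY_SESSION)):
        print(label, parse_session(capture))
    for trace in classify_debug_flow(DEBUG_FLOW_LINES).values():
        print(trace.trace_id, trace.policy_id, trace.inspection)
```

Feed it the full output of `diagnose sys session list`, split on blank lines between entries, and sessions tagged "none" under a policy with utm-status enabled are the ones worth a second look. Note that trace 1656 above is tagged "none" only because its excerpt stops before any IPS or proxy message; the tag is per trace, so collect the whole trace before drawing a conclusion.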
Related Articles
Technical Tip: Change in inspection mode - Flow vs Proxy policy option after upgrade to 6.2
Technical Tip: Effects of changing the inspection mode
Technical Tip: Changing the inspection mode of the firewall
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.