FortiGate
vdralio
Staff
Article Id 189998
Description
This article describes how to trace the inspection mode based on session flags.

Solution
Session flags indicate whether the traffic is inspected in flow-based mode or proxy-based mode.

The flag ndr means the traffic is inspected in flow-based mode. Additionally, the message 'send to ips' can appear in the debug flow.

The flag redir means the traffic is inspected in proxy-based mode. Additionally, the message 'send to application layer' can appear in the debug flow.

Firewall policy in flow-based mode:

# config firewall policy
    edit 1                                  <----- Policy ID.
        set name "Lan to WAN"
        set uuid
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode flow             <----- This is the default setting (default settings are hidden); shown here only as an example.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end

Session captured while the user is browsing:

session info: proto=17 proto_state=01 duration=94 expire=86 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr                                                                  <----- ndr flag for flow-based inspection.
statistic(bytes/packets/allow_err): org=2015/4/1 reply=10276/11/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=10.191.31.254/172.16.20.2
hook=post dir=org act=snat 172.16.20.2:61972->142.250.186.118:443(10.191.19.69:61972)
hook=pre dir=reply act=dnat 142.250.186.118:443->10.191.19.69:61972(172.16.20.2:61972)
hook=post dir=reply act=noop 142.250.186.118:443->172.16.20.2:61972(0.0.0.0:0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0                                     <----- Firewall Policy ID.
serial=00000a0e tos=ff/ff app_list=0 app=0 url_cat=0
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x041008

The debug flow also shows the message 'send to ips':

id=20085 trace_id=2673 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:53692->142.250.186.132:443) from port4. "
id=20085 trace_id=2673 func=init_ip_session_common line=5792 msg="allocate a new session-0000556b"
id=20085 trace_id=2673 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-101.191.31.254 via port1"
id=20085 trace_id=2673 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"    <----- Policy ID.
id=20085 trace_id=2673 func=ids_receive line=290 msg="send to ips"                         <----- Flow-based inspection.
id=20085 trace_id=2673 func=__ip_session_run_tuple line=3398 msg="SNAT 172.16.20.2->101.191.19.66:53692"
id=20085 trace_id=2674 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:53692->142.250.186.132:443) from port4. "


Firewall policy in proxy-based mode:

# config firewall policy
    edit 1                         <----- Policy ID.
        set name "Lan to WAN"
        set uuid c4ba7418-863f-51eb-8ae5-630b01f13732
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy   <----- 
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end

Session captured while the user is browsing:

session info: proto=6 proto_state=11 duration=17 expire=3593 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir log local may_dirty  url_cat_valid                       <----- redir flag for proxy-based inspection.
statistic(bytes/packets/allow_err): org=1812/13/1 reply=21397/20/1 tuples=3
tx speed(Bps/kbps): 105/0 rx speed(Bps/kbps): 1251/10
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=101.191.31.254/172.16.20.2
hook=post dir=org act=snat 172.16.20.2:49374->143.204.98.106:443(101.191.19.66:49374)
hook=pre dir=reply act=dnat 143.204.98.106:443->101.191.19.66:49374(172.16.20.2:49374)
hook=post dir=reply act=noop 143.204.98.106:443->172.16.20.2:49374(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0                <-----  Firewall Policy ID.
serial=000007c5 tos=40/40 app_list=0 app=0 url_cat=52
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x040000

The debug flow also shows the message 'send to application layer':

id=20085 trace_id=1655 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 172.16.20.2:49374->143.204.98.106:443) from port4. flag [.], seq 1693220933, ack 2291772406, win 513"
id=20085 trace_id=1655 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00004cb2, original direction"
id=20085 trace_id=1655 func=npu_handle_session44 line=1159 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00100306 ses.npu_state=0x00040000"
id=20085 trace_id=1655 func=fw_forward_dirty_handler line=399 msg="state=00100306, state2=00008001, npu_state=00040000"
id=20085 trace_id=1655 func=av_receive line=306 msg="send to application layer"                                                                     <-----  Proxy-based inspection.
id=20085 trace_id=1656 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:62890->142.250.184.238:443) from port4. "
id=20085 trace_id=1656 func=init_ip_session_common line=5792 msg="allocate a new session-00004d81"
id=20085 trace_id=1656 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-101.191.31.254 via port1"
id=20085 trace_id=1656 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"                                                             <----- Policy ID.
id=20085 trace_id=1656 func=__ip_session_run_tuple line=3398 msg="SNAT 172.16.20.2->101.191.19.66:62890"
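
The flag rule above can be applied to a whole saved session list to confirm that each policy's traffic is inspected in the intended mode. The following Python is an added example, not part of the original article or any Fortinet tooling; the names parse_sessions, mismatches and SAMPLE, policy IDs 2 and 3, and the third session are assumptions, and a session carrying neither flag is simply reported as "unflagged".

```python
import re

# Flag-to-mode mapping as stated in the article.
MODE_BY_FLAG = {"ndr": "flow", "redir": "proxy"}

# Constructed sample: abbreviated session entries modeled on the captures above.
# Policy IDs 2 and 3 and the third session are invented for illustration.
SAMPLE = """\
session info: proto=17 proto_state=01 duration=94 expire=86 timeout=0 use=5
state=log may_dirty ndr
hook=post dir=org act=snat 172.16.20.2:61972->142.250.186.118:443(10.191.19.69:61972)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=11 duration=17 expire=3593 timeout=3600 use=6
state=redir log local may_dirty  url_cat_valid
hook=post dir=org act=snat 172.16.20.2:49374->143.204.98.106:443(101.191.19.66:49374)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=3 expire=3597 timeout=3600 use=3
state=log may_dirty
hook=post dir=org act=snat 172.16.20.2:50001->198.51.100.7:22(101.191.19.66:50001)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
"""

def parse_sessions(text):
    """Split session-list output into entries and classify each by its state flags."""
    sessions = []
    for block in re.split(r"(?m)^(?=session info:)", text):
        state = re.search(r"(?m)^state=(.*)$", block)
        policy = re.search(r"\bpolicy_id=(\d+)", block)
        if not (state and policy):
            continue  # preamble or truncated entry
        # Compare whole tokens so a flag such as "redir" never matches a substring.
        flags = set(state.group(1).split())
        modes = sorted(MODE_BY_FLAG[f] for f in flags & MODE_BY_FLAG.keys())
        tuple_ = re.search(r"dir=org act=\S+ ([\d.]+:\d+)->([\d.]+:\d+)", block)
        sessions.append({
            "policy_id": int(policy.group(1)),
            "mode": "+".join(modes) or "unflagged",
            "flow": tuple_.groups() if tuple_ else None,
        })
    return sessions

def mismatches(sessions, expected):
    """Return sessions whose observed mode differs from the mode configured on the policy."""
    return [s for s in sessions
            if s["policy_id"] in expected and s["mode"] != expected[s["policy_id"]]]

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s)
```

Passing a mapping such as {1: "flow", 2: "proxy"} to mismatches lists the sessions whose flags disagree with the inspection-mode configured on their policy.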

