# config firewall policy
    edit 1 <----- Policy ID.
        set name "Lan to WAN"
        set uuid
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode flow <----- This is the default setting (default settings are hidden in the configuration); it is shown here only as an example.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
Session capture when the user tries to browse the web with a browser:
session info: proto=17 proto_state=01 duration=94 expire=86 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=5
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty ndr <----- ndr flag for flow-based inspection.
statistic(bytes/packets/allow_err): org=2015/4/1 reply=10276/11/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=10.191.31.254/172.16.20.2
hook=post dir=org act=snat 172.16.20.2:61972->142.250.186.118:443(10.191.19.69:61972)
hook=pre dir=reply act=dnat 142.250.186.118:443->10.191.19.69:61972(172.16.20.2:61972)
hook=post dir=reply act=noop 142.250.186.118:443->172.16.20.2:61972(0.0.0.0:0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 <----- Firewall Policy ID.
serial=00000a0e tos=ff/ff app_list=0 app=0 url_cat=0
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x041008
The debug flow also shows the message 'send to ips':
id=20085 trace_id=2673 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:53692->142.250.186.132:443) from port4. "
id=20085 trace_id=2673 func=init_ip_session_common line=5792 msg="allocate a new session-0000556b"
id=20085 trace_id=2673 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-101.191.31.254 via port1"
id=20085 trace_id=2673 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT" <----- Policy ID.
id=20085 trace_id=2673 func=ids_receive line=290 msg="send to ips" <----- Flow-based inspection.
id=20085 trace_id=2673 func=__ip_session_run_tuple line=3398 msg="SNAT 172.16.20.2->101.191.19.66:53692"
id=20085 trace_id=2674 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:53692->142.250.186.132:443) from port4. "
Firewall policy in proxy-based mode:
# config firewall policy
    edit 1 <----- Policy ID.
        set name "Lan to WAN"
        set uuid c4ba7418-863f-51eb-8ae5-630b01f13732
        set srcintf "port4"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy <----- Proxy-based inspection mode.
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
Session capture when the user tries to browse the web with a browser:
session info: proto=6 proto_state=11 duration=17 expire=3593 timeout=3600 flags=00000000 sockflag=00000000 sockport=443 av_idx=9 use=6
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=redir log local may_dirty url_cat_valid <----- redir flag for proxy-based inspection.
statistic(bytes/packets/allow_err): org=1812/13/1 reply=21397/20/1 tuples=3
tx speed(Bps/kbps): 105/0 rx speed(Bps/kbps): 1251/10
orgin->sink: org pre->post, reply pre->post dev=6->3/3->6 gwy=101.191.31.254/172.16.20.2
hook=post dir=org act=snat 172.16.20.2:49374->143.204.98.106:443(101.191.19.66:49374)
hook=pre dir=reply act=dnat 143.204.98.106:443->101.191.19.66:49374(172.16.20.2:49374)
hook=post dir=reply act=noop 143.204.98.106:443->172.16.20.2:49374(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=00:09:0f:09:00:13
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 <----- Firewall Policy ID.
serial=000007c5 tos=40/40 app_list=0 app=0 url_cat=52
vwl_mbr_seq=0 vwl_service_id=0
rpdb_link_id=00000000 ngfwid=n/a
dd_type=0 dd_mode=0
npu_state=0x040000
The debug flow also shows the message 'send to application layer':
id=20085 trace_id=1655 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 172.16.20.2:49374->143.204.98.106:443) from port4. flag [.], seq 1693220933, ack 2291772406, win 513"
id=20085 trace_id=1655 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00004cb2, original direction"
id=20085 trace_id=1655 func=npu_handle_session44 line=1159 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00100306 ses.npu_state=0x00040000"
id=20085 trace_id=1655 func=fw_forward_dirty_handler line=399 msg="state=00100306, state2=00008001, npu_state=00040000"
id=20085 trace_id=1655 func=av_receive line=306 msg="send to application layer" <----- Proxy-based inspection.
id=20085 trace_id=1656 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=17, 172.16.20.2:62890->142.250.184.238:443) from port4. "
id=20085 trace_id=1656 func=init_ip_session_common line=5792 msg="allocate a new session-00004d81"
id=20085 trace_id=1656 func=vf_ip_route_input_common line=2595 msg="find a route: flag=04000000 gw-101.191.31.254 via port1"
id=20085 trace_id=1656 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT" <----- Policy ID.
id=20085 trace_id=1656 func=__ip_session_run_tuple line=3398 msg="SNAT 172.16.20.2->101.191.19.66:62890"
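As an added example (not from this article or from FortiOS), a small Python helper that reads the markers discussed in both the flow-based and the proxy-based captures above: the ndr/redir flags on the session state line, the 'send to ips' / 'send to application layer' hand-off in the debug flow, and the policy ID. The sample lines are constructed, trimmed from the output shown above.

```python
import re

# Constructed samples, trimmed to the relevant lines of the session and debug-flow output above.
FLOW_SESSION = """session info: proto=17 proto_state=01 duration=94 expire=86 timeout=0
state=log may_dirty ndr
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
"""
PROXY_SESSION = """session info: proto=6 proto_state=11 duration=17 expire=3593 timeout=3600
state=redir log local may_dirty url_cat_valid
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
"""
FLOW_DEBUG = [
    'id=20085 trace_id=2673 func=fw_forward_handler line=777 msg="Allowed by Policy-1: SNAT"',
    'id=20085 trace_id=2673 func=ids_receive line=290 msg="send to ips"',
]
PROXY_DEBUG = [  # existing session: the "Allowed by Policy" line is not repeated in this trace
    'id=20085 trace_id=1655 func=resolve_ip_tuple_fast line=5702 msg="Find an existing session, id-00004cb2, original direction"',
    'id=20085 trace_id=1655 func=av_receive line=306 msg="send to application layer"',
]

def session_inspection_mode(session_text):
    """Classify one session-list entry by its state flags; returns (mode, policy_id)."""
    state = re.search(r"^state=(.*)$", session_text, re.MULTILINE)   # only the state= line, not proto_state=
    flags = set(state.group(1).split()) if state else set()
    policy = re.search(r"\bpolicy_id=(\d+)", session_text)
    policy_id = int(policy.group(1)) if policy else None
    if "redir" in flags:
        return "proxy", policy_id   # redir: session handed to the proxy daemons
    if "ndr" in flags:
        return "flow", policy_id    # ndr: inspected in the flow (IPS engine) path
    return "none", policy_id        # no inspection marker on this session

def debug_flow_inspection_mode(lines):
    """Classify a debug-flow trace by its hand-off message; returns (mode, policy_id)."""
    mode, policy_id = "none", None
    for line in lines:
        msg = re.search(r'msg="([^"]*)"', line)
        if not msg:
            continue
        text = msg.group(1)
        allowed = re.search(r"Allowed by Policy-(\d+)", text)
        if allowed:
            policy_id = int(allowed.group(1))
        if text == "send to ips":
            mode = "flow"
        elif text == "send to application layer":
            mode = "proxy"
    return mode, policy_id
```

A trace for an already-established session (like trace_id 1655 above) carries no "Allowed by Policy" line, so the policy ID must then be read from the session entry instead.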