FortiGate
cskuan
Staff
Article Id 195038

Description


This article describes how to use CLI commands to trace which firewall policy a given flow (source and destination IP, ports, and protocol) will match, and which route the FortiGate will use for it.

 

Scope

 

FortiGate.

Solution


Use the following command to trace which firewall policy a specific flow will match:

 

diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

 

Example scenario:

In this example the FortiGate is configured with the following two firewall policies:

 

show firewall policy
config firewall policy
    edit 1
        set name "clientToServer"
        set uuid 06f1be4a-fb9f-51e9-ef16-dc4000a2a577
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "VIP1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "IPPool"
    next
    edit 2
        set name "any-allow"
        set uuid 194f0af0-22f7-51ea-c381-c68f1572bea6
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_TCP"
        set nat enable
    next
end


Output of the lookup commands:

 

diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 udp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto udp dev port2> matches policy id: 0

diag firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 tcp port2
<src [10.187.1.100-12345] dst [8.8.8.8-53] proto tcp dev port2> matches policy id: 2


Note that the same source, destination and port can match a different policy depending on the protocol.
The first lookup (UDP port 53) hits the implicit deny policy (policy id 0), because policy 2 only matches TCP traffic (service ALL_TCP) and policy 1 only applies to traffic destined to VIP1 on port3. The second lookup (TCP port 53) matches policy 2.

This command makes it easy to find the matching firewall policy even when a long list of policies is configured.

 

To view the iprope entry for a specific policy ID:

 

diag firewall iprope list | grep -A 14 index=1   --> Here 1 is the policy ID to search for; -A 14 prints the 14 lines following the match.
Note that grep matches substrings, so index=1 also matches index=10, index=11 and so on. Check the "policy index=" line at the top of each returned block to make sure it is the intended policy.


FG201F-1 # diag firewall iprope list | grep -A 14 index=1
policy index=1 uuid_idx=1022 action=accept
flag (8050109): log redir nat master use_src pol_stats
flag2 (6000): log_fail resolve_sso
flag3 (a0): link-local best-route
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 7 -> zone(1): 23
source(1): 0.0.0.0-255.255.255.255, uuid_idx=1007,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=1007,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] flags:0 helper:auto

 

Note: Before executing the policy lookup, confirm that a route to the destination exists in the routing table. The lookup uses the routing table to determine the outgoing interface, and it fails if no route is present.
Use the command below to find the best route for a specific destination:

 

get router info routing-table details <destination ip address>

 

Example:

 

get router info routing-table details 8.8.8.8
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 10.47.3.254, via port1

Here 8.8.8.8 is reached through the default route via port1, so the policy lookups above are evaluated against policies from port2 to port1. This is why policy 2 is the candidate and policy 1 (destination interface port3) is not.
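The two checks on this page (the policy lookup and the best-route lookup) are easy to script when a policy change has to be verified against a list of known flows. The following Python is an added example and is not part of the Fortinet article: it builds the diagnose firewall iprope lookup and get router info routing-table details commands, parses their output, checks the route first, and flags flows that hit the implicit deny (policy 0) or have no route at all. The CLI transport is replaced by a constructed transcript (FAKE_CLI, fake_run) whose lines mirror the outputs shown above; the 192.0.2.7 destination, the port 443 flow, and the assumption that a destination without a route prints no "Routing entry for" line are assumptions of this example, not taken from the page.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed CLI transcript (not captured from a real device). Keys are the
# exact command strings; values are the text the FortiGate CLI is assumed to
# print. The policy ids and the route mirror the example on this page.
FAKE_CLI: Dict[str, str] = {
    "diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 udp port2":
        "<src [10.187.1.100-12345] dst [8.8.8.8-53] proto udp dev port2> "
        "matches policy id: 0",
    "diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 53 tcp port2":
        "<src [10.187.1.100-12345] dst [8.8.8.8-53] proto tcp dev port2> "
        "matches policy id: 2",
    "diagnose firewall iprope lookup 10.187.1.100 12345 8.8.8.8 443 tcp port2":
        "<src [10.187.1.100-12345] dst [8.8.8.8-443] proto tcp dev port2> "
        "matches policy id: 2",
    "get router info routing-table details 8.8.8.8":
        'Routing entry for 0.0.0.0/0\n'
        '  Known via "static", distance 10, metric 0, best\n'
        '  * 10.47.3.254, via port1\n',
    # Assumption: a destination with no route produces no "Routing entry" line.
    "get router info routing-table details 192.0.2.7": "",
}


def fake_run(cmd: str) -> str:
    """Stand-in for an SSH/console session; replace with a real transport."""
    return FAKE_CLI.get(cmd, "")


def lookup_cmd(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
               proto: str, src_intf: str) -> str:
    """Build the iprope lookup command in the argument order the CLI expects."""
    return (f"diagnose firewall iprope lookup {src_ip} {src_port} "
            f"{dst_ip} {dst_port} {proto} {src_intf}")


POLICY_RE = re.compile(r"matches policy id:\s*(\d+)")
ROUTE_RE = re.compile(r"^Routing entry for (\S+)", re.M)
NEXTHOP_RE = re.compile(r"^\s*\*\s*(\S+?),\s*via\s+(\S+)", re.M)


def parse_policy_id(output: str) -> Optional[int]:
    """Extract the matched policy id (0 is the implicit deny)."""
    m = POLICY_RE.search(output)
    return int(m.group(1)) if m else None


def parse_route(output: str) -> Optional[dict]:
    """Extract prefix, gateway and egress interface; None if no route."""
    m = ROUTE_RE.search(output)
    if not m:
        return None
    hop = NEXTHOP_RE.search(output)
    return {"prefix": m.group(1),
            "gateway": hop.group(1) if hop else None,
            "interface": hop.group(2) if hop else None}


def check_flows(flows: List[dict], run: Callable[[str], str]) -> List[dict]:
    """Check the route first (a lookup without a route is not meaningful),
    then compare the matched policy id with the expected one."""
    findings = []
    for f in flows:
        route = parse_route(run(f"get router info routing-table details {f['dst_ip']}"))
        if route is None:
            findings.append({**f, "got": None, "egress": None,
                             "problem": "no route to destination"})
            continue
        got = parse_policy_id(run(lookup_cmd(
            f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"],
            f["proto"], f["src_intf"])))
        if got != f["expect"]:
            problem = "implicit deny (policy 0)" if got == 0 else "unexpected policy"
            findings.append({**f, "got": got, "egress": route["interface"],
                             "problem": problem})
    return findings


# Flows we expect policy 2 (port2 -> port1, ALL_TCP) to allow; the UDP DNS
# flow is flagged because ALL_TCP does not cover it, and the 192.0.2.7 flow
# is flagged because the constructed routing table has no route to it.
FLOWS = [
    dict(src_ip="10.187.1.100", src_port=12345, dst_ip="8.8.8.8", dst_port=53,
         proto="udp", src_intf="port2", expect=2),
    dict(src_ip="10.187.1.100", src_port=12345, dst_ip="8.8.8.8", dst_port=53,
         proto="tcp", src_intf="port2", expect=2),
    dict(src_ip="10.187.1.100", src_port=12345, dst_ip="8.8.8.8", dst_port=443,
         proto="tcp", src_intf="port2", expect=2),
    dict(src_ip="10.187.1.100", src_port=12345, dst_ip="192.0.2.7", dst_port=443,
         proto="tcp", src_intf="port2", expect=2),
]

if __name__ == "__main__":
    for finding in check_flows(FLOWS, fake_run):
        print(f"{finding['proto']}/{finding['dst_port']} to {finding['dst_ip']}: "
              f"expected policy {finding['expect']}, got {finding['got']} "
              f"({finding['problem']})")
```

To use this against a real device, replace fake_run with a function that sends the command over SSH and returns the output; the parsers only rely on the "matches policy id:" and "Routing entry for" / "* gateway, via interface" lines shown in the outputs above.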