Description
This article describes the iPrope table, the internal representation of the firewall policies defined by administrators.
Scope
FortiGate.
Solution
All entries are organized in groups with different functions. When an entry in a group matches, no further entries from that group are checked.
Entries in a group are inspected from top to bottom. Each entry has its own matching criteria based on source/destination IP addresses, ports, and protocol. If the packet matches an entry's criteria, that entry's action is taken (see the list of actions below); otherwise, the next entry in the group is checked.
Example:
diagnose firewall iprope list 100002 <----- Lists static SNAT policies.
diagnose firewall iprope list 100000 <----- Lists VIP firewall policies.
diagnose firewall iprope list 100004 <----- Lists normal (forward) firewall policies.
diagnose firewall iprope list 10000e <----- Lists all implicit policies as shown in the GUI.
diagnose firewall iprope list 100015 <----- Lists all Traffic Shaping policies as shown in the GUI.
One example is:
Policy Group 00100004
policy index=1 uuid_idx=14 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (20): schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 3 -> zone(1): 6
source(1): 10.0.1.0-10.0.1.255, uuid_idx=12,
dest(1): 192.0.2.0-192.0.2.255, uuid_idx=13,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
For each entry, in case of a match there is an action:
- Drop the packet (action=drop).
- Redirect the packet to some processing logic (action=redirect).
- Accept the packet (action=accept).
Unlike the implicit deny firewall policy, there are no 'implicit' iprope entries.
Both entries and groups have identifiers: each group has a group number, and entries (called policies) have an index.
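As an added example, not Fortinet's code or part of this article, the following Python parses a policy-group dump like the one above into its entries and evaluates a packet against it with the first-match-wins rule described in the Solution. It assumes the service field reads [proto:flags:n/(sport_lo,sport_hi)->(dport_lo,dport_hi)] with proto 0 meaning any protocol; the second entry (index=2, action=drop) is constructed, not from the article, to show that matching stops at the first hit.

```python
import ipaddress
import re
# Constructed sample: the group 00100004 entry from the article plus a made-up drop entry (index=2).
SAMPLE = """\
Policy Group 00100004
policy index=1 uuid_idx=14 action=accept
source(1): 10.0.1.0-10.0.1.255, uuid_idx=12,
dest(1): 192.0.2.0-192.0.2.255, uuid_idx=13,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
policy index=2 uuid_idx=15 action=drop
source(1): 0.0.0.0-255.255.255.255, uuid_idx=16,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=17,
service(1):
[6:0x0:0/(0,65535)->(22,22)] helper:auto
"""
RANGE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
# Assumed service layout: [proto:flags:n/(sport_lo,sport_hi)->(dport_lo,dport_hi)], proto 0 = any
SVC_RE = re.compile(r"\[(\d+):0x[0-9a-fA-F]+:\d+/\((\d+),(\d+)\)->\((\d+),(\d+)\)\]")

def _ranges(line):
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in RANGE_RE.findall(line)]

def parse_group(text):
    """Parse one policy-group dump into (group_id, [entries]), keeping the listed order."""
    group, entries, cur = None, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Policy Group "):
            group = line.split()[-1]
        elif line.startswith("policy index="):
            kv = dict(tok.split("=", 1) for tok in line.split()[1:])
            cur = {"index": int(kv["index"]), "action": kv["action"], "src": [], "dst": [], "svc": []}
            entries.append(cur)
        elif line.startswith("source("):
            cur["src"] += _ranges(line)
        elif line.startswith("dest("):
            cur["dst"] += _ranges(line)
        elif (m := SVC_RE.match(line)):
            cur["svc"].append(tuple(int(x) for x in m.groups()))  # (proto, slo, shi, dlo, dhi)
    return group, entries

def lookup(entries, src, dst, proto, sport, dport):
    """Walk the group top to bottom; the first entry whose criteria match decides (index, action)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if (any(lo <= s <= hi for lo, hi in e["src"]) and any(lo <= d <= hi for lo, hi in e["dst"])
                and any(p in (0, proto) and slo <= sport <= shi and dlo <= dport <= dhi
                        for p, slo, shi, dlo, dhi in e["svc"])):
            return e["index"], e["action"]
    return None  # nothing in this group matched; after a hit, later entries are never consulted
```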
The following table lists the iprope groups sorted by group number.
A group may contain default entries when it exists in a factory-reset configuration.
● 00000003 [ AUTH_DEFAULT ] | All Authentication policies |
● 00000005 [ CAPTIVE_PORTAL ] | security-mode enabled interfaces |
● 00004e20 [ SESS_HELPER ] | session helpers |
● 00100001 [ CUST_LOCAL_IN ] | custom local-in policies |
● 00100002 [ STATIC_SNAT ] | Static NAT one-to-one VIP or Pool overload |
● 00100003 [ DEC_FWD ] | Decrypt IPsec |
● 00100004 [ ENC_FWD ] | All Forwarding policies |
● 0010000a [ MULTICAST ] | Multicast policies |
● 0010000c [ EP_REDIR ] | Endpoint control policies |
● 0010000d [ CENTRAL_NAT ] | Firewall policies with central NAT |
● 0010000e [ IMPLICIT_IN ] | All default local-in policies |
● 0010000f [ ADMIN_IN ] | Administrative traffic allowed based on the interface's allowaccess setting |
● 00100011 [ ZTNA_PROXY ] | ZTNA policies |
● 00100015 [ TRAFFIC_SHAPING ] | Traffic Shaping policies |