Like FortiOS, FortiProxy redirects traffic to the WAD process; however, FortiProxy has no 'iprope' option and no flow trace as FortiOS does.
Instead, FortiProxy uses iptables. These tables contain sets of rules, called chains, that filter incoming and outgoing packets.
To see the iptables rules on FortiProxy, execute the following command on the CLI:
FortiProxy-VM02 # diagnose iptables list
For example:
FortiProxy-VM02 # diagnose iptables list
Chain INPUT (policy DROP 446 packets, 35405 bytes)
 pkts bytes target prot opt in out source destination
  121 17154 ACCEPT all -- any any anywhere anywhere mark match 0x1/0x1
12044 9777K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  465 29359 ACCEPT all -- lo any anywhere anywhere
    0     0 ACCEPT all -- tun-mgmt any anywhere anywhere
    0     0 ACCEPT tcp -- any any anywhere anywhere multiport dports 541,7810,7802
    0     0 ACCEPT tcp -- any any anywhere 127.0.0.1 tcp dpt:8000
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8013
    1    52 ACCEPT tcp -- port1 any anywhere 192.168.170.9 multiport dports 80,443,22
    0     0 ACCEPT icmp -- port1 any anywhere 192.168.170.9 icmp echo-request
    0     0 ACCEPT udp -- port2 any anywhere anywhere multiport dports 2048
    0     0 ACCEPT 47 -- port2 any anywhere anywhere
    0     0 ACCEPT icmp -- port2 any anywhere 192.168.90.4 icmp echo-request
    0     0 ACCEPT icmp -- port3 any anywhere 192.168.30.12 icmp echo-request
    0     0 ACCEPT tcp -- port4 any anywhere 192.168.13.99 multiport dports 80,443,22
    0     0 ACCEPT icmp -- port4 any anywhere 192.168.13.99 icmp echo-request
...
    0     0 ACCEPT tcp -- ssl.root any anywhere 192.168.170.9 multiport dports 80,443,22
    0     0 ACCEPT icmp -- ssl.root any anywhere 192.168.170.9 icmp echo-request
    0     0 ACCEPT icmp -- ssl.root any anywhere 192.168.90.4 icmp echo-request
    0     0 ACCEPT icmp -- ssl.root any anywhere 192.168.30.12 icmp echo-request
    0     0 ACCEPT tcp -- ssl.root any anywhere 192.168.13.99 multiport dports 80,443,22
    0     0 ACCEPT icmp -- ssl.root any anywhere 192.168.13.99 icmp echo-request
The diagnose iptables command also offers the following sub-options on FortiProxy:
FortiProxy-VM02 # diagnose iptables
list              list iptables
list6             list ip6tables
dry-run           dump iptables rule
refresh           refresh iptables
shaper            refresh shaper profile
shaper-stats      print shaper stats
shaper-stats-gui  print GUI shaper stats
In FortiProxy, the iptables rules are organized in "chains", as on any other Linux system. A chain is a set of rules that defines how packets are handled as they traverse the different stages of processing in the Linux kernel.
# diagnose iptables list
Chain INPUT (policy DROP 375 packets, 23751 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- any any anywhere anywhere mark match 0x1/0x1
 2073  717K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 2274 packets, 692K bytes)
 pkts bytes target prot opt in out source destination

Chain PREROUTING (policy ACCEPT 2254K packets, 3592M bytes)
 pkts bytes target prot opt in out source
Below is a brief description of the main chains:
- INPUT: Handles packets destined for the FortiProxy device itself (e.g., GUI, ping).
- FORWARD: Handles packets passing through FortiProxy (routed/proxied traffic).
- OUTPUT: Handles packets generated by FortiProxy and going out.
- PREROUTING: Alters packets before routing decisions (used in NAT, marking).
- POSTROUTING: Alters packets after routing, just before they leave the system.
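When troubleshooting, the question is usually "which INPUT rule accepted (or failed to accept) this connection, and did it actually hit?". The following script is an added example, not Fortinet code: it parses the text of diagnose iptables list into chain and rule records, converts the K/M/G counter abbreviations, lists the rules that have matched packets, and walks a chain top to bottom for a given protocol, ingress interface, destination and port to report the first accepting rule or the chain policy the packet would fall through to. The sample input is an excerpt of the INPUT and FORWARD chains shown above; the match evaluation is a simplification (ctstate and mark conditions are treated as not matching a new connection).

```python
"""Parse FortiProxy 'diagnose iptables list' output and simulate a lookup.

Added example, not Fortinet code. SAMPLE is an excerpt of the output shown
in this article; the matching logic for the trailing match text is a
deliberate simplification for new connections."""
import re
from dataclasses import dataclass, field

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
# pkts bytes target prot opt in out source destination [trailing match text]
RULE_RE = re.compile(
    r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$"
)

SAMPLE = """\
Chain INPUT (policy DROP 446 packets, 35405 bytes)
 pkts bytes target prot opt in out source destination
  121 17154 ACCEPT all -- any any anywhere anywhere mark match 0x1/0x1
12044 9777K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
  465 29359 ACCEPT all -- lo any anywhere anywhere
    0     0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:8013
    1    52 ACCEPT tcp -- port1 any anywhere 192.168.170.9 multiport dports 80,443,22
    0     0 ACCEPT icmp -- port1 any anywhere 192.168.170.9 icmp echo-request

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
"""


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str  # trailing match text, e.g. "multiport dports 80,443,22"


@dataclass
class Chain:
    name: str
    policy: str
    policy_pkts: int  # packets that fell through to the policy
    rules: list = field(default_factory=list)


def to_int(s):
    """iptables -v abbreviates counters with K/M/G (decimal multipliers)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(float(s[:-1]) * mult[s[-1]]) if s[-1] in mult else int(s)


def parse(text):
    """Return {chain name: Chain} from the command's text output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2), to_int(m.group(3)))
            chains[current.name] = current
            continue
        if current is None or not line.strip() or line.split()[0] == "pkts":
            continue  # blank line or the column header line
        m = RULE_RE.match(line)
        if m:
            g = m.groups()
            current.rules.append(Rule(to_int(g[0]), to_int(g[1]), g[2], g[3],
                                      g[5], g[6], g[7], g[8], g[9].strip()))
    return chains


def extra_matches(extra, proto, dport):
    """Evaluate the trailing match text for a new connection. Conservative:
    ctstate, mark and unrecognised matches count as non-matches, so the
    simulation errs toward 'falls through to the chain policy'."""
    if not extra:
        return True
    m = re.match(r"multiport dports (\S+)", extra)
    if m:
        return dport is not None and str(dport) in m.group(1).split(",")
    m = re.match(r"(?:tcp|udp) dpt:(\d+)", extra)
    if m:
        return dport == int(m.group(1))
    if extra.startswith("icmp "):
        return proto == "icmp"
    return False


def first_match(chains, chain_name, proto, in_if, dst, dport=None):
    """(rule, None) for the first rule that handles the packet, or
    (None, policy) when nothing matches and the chain policy applies."""
    chain = chains[chain_name]
    for r in chain.rules:
        if r.proto not in ("all", proto) or r.in_if not in ("any", in_if):
            continue
        if r.dst not in ("anywhere", dst):
            continue
        if extra_matches(r.extra, proto, dport):
            return r, None
    return None, chain.policy


def rules_with_hits(chain):
    """Rules whose packet counter is non-zero, i.e. that have actually fired."""
    return [r for r in chain.rules if r.pkts > 0]


if __name__ == "__main__":
    chains = parse(SAMPLE)
    for c in chains.values():
        print(f"{c.name}: policy {c.policy} ({c.policy_pkts} pkts fell through), "
              f"{len(rules_with_hits(c))}/{len(c.rules)} rules with hits")
    rule, policy = first_match(chains, "INPUT", "tcp", "port1", "192.168.170.9", 443)
    print("HTTPS on port1 ->", rule.extra if rule else f"policy {policy}")
    rule, policy = first_match(chains, "INPUT", "tcp", "port1", "192.168.170.9", 8080)
    print("tcp/8080 on port1 ->", rule.extra if rule else f"policy {policy}")
```

Paste the real output of diagnose iptables list into SAMPLE (or read it from a file) to apply the same lookup to a live device; a non-zero policy_pkts on an INPUT chain with policy DROP is the counter to watch when management access to an interface is unexpectedly refused.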