Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ranga
New Contributor

Verifying Firewall Policies

Hi Guys,

Cisco has a "Packet Tracer" tool to verify/troubleshoot policy issues. Does Fortinet have an equivalent tool? I used the sniffer, but there is no option to preview/simulate policy matching using the sniffer.

Thanks

Neophron
New Contributor

There are two ways I use to verify the ACL has been hit. You can:

Enable "bytes" for throughput and "hitcount" for, well, the hit count. This is GUI stuff.

If you want to get more into detail, the packet sniffer on the CLI is the way to go:

diag sniff packet any "host x.x.x.x and host x.x.x.x and port xxx" 4 0 a

The last detail in this line is crucial: "4 0 a". It lets you see the complete flow in detail and which vdom / vlan is affected.

However, the ACL hit won't be named. The combination of the two should satisfy your verification needs.

Hope this helps, good luck!

emnoc
Esteemed Contributor III

The bottom line: "No". Cisco Packet-Tracer allows you to mimic the traffic flow and disposition, and FortiOS has no function similar to packet-tracer.

But, at best, you have a few diagnostics that rely on "active" traffic to find the action

( cli-cmds )

diag debug flow

diag sys session

Both of the above allow you to set filters ( i.e. src / dst address, protocol, etc.... )

And then you can check counters via the WebGUI or, better yet, the cli-cmd;

diag firewall iprope show 100004 < policy-id or IDs >

e.g.

FWCLUSTERCH4EQCHIL (ILSB01) $ diag firewall iprope show 100004 1 2 3 4 5
idx=1 pkts/bytes=49934705/3046442010 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=2078012/126249415 asic_pkts/asic_bytes=0/0 flag=0x0
idx=4 pkts/bytes=3316940/184412199 asic_pkts/asic_bytes=0/0 flag=0x0
idx=5 pkts/bytes=142843/8416017 asic_pkts/asic_bytes=0/0 flag=0x0

You might find these above methods from the cli are much quicker and easier than the WebGUI imho

Ken

PCNSE

NSE

StrongSwan
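
Added example (not from the thread or from Fortinet): a small Python helper that parses the "diag firewall iprope show 100004" counter format emnoc pasted above and diffs two snapshots taken before and after a single test flow, so the policy whose counters moved is identified without a packet-tracer-style simulator. The sample prompt, policy IDs and counter values are constructed.

```python
import re
from typing import Dict, List

# One counter line as printed by "diag firewall iprope show 100004 <ids>".
IPROPE_LINE = re.compile(
    r"idx=(?P<idx>\d+)\s+pkts/bytes=(?P<pkts>\d+)/(?P<bytes>\d+)"
    r"\s+asic_pkts/asic_bytes=(?P<apkts>\d+)/(?P<abytes>\d+)"
)


def parse_iprope(output: str) -> Dict[int, Dict[str, int]]:
    """Map policy idx -> combined CPU + ASIC-offloaded packet/byte counters."""
    counters: Dict[int, Dict[str, int]] = {}
    for line in output.splitlines():
        m = IPROPE_LINE.search(line)
        if not m:
            continue  # skips the CLI prompt line and anything unrecognised
        counters[int(m["idx"])] = {
            "pkts": int(m["pkts"]) + int(m["apkts"]),
            "bytes": int(m["bytes"]) + int(m["abytes"]),
        }
    return counters


def policies_hit(before: str, after: str) -> Dict[int, Dict[str, int]]:
    """Per-policy deltas for policies whose packet counter grew between snapshots."""
    prev, cur = parse_iprope(before), parse_iprope(after)
    hits: Dict[int, Dict[str, int]] = {}
    for idx, now in cur.items():
        old = prev.get(idx, {"pkts": 0, "bytes": 0})
        dp = now["pkts"] - old["pkts"]
        if dp > 0:
            hits[idx] = {"pkts": dp, "bytes": now["bytes"] - old["bytes"]}
    return hits


def unused_policies(output: str) -> List[int]:
    """Policy IDs with no packets at all; candidates for review, not proof of being dead."""
    return sorted(idx for idx, c in parse_iprope(output).items() if c["pkts"] == 0)


# Constructed snapshots: run the command before and after sending one test flow.
BEFORE = """FGT-LAB (root) $ diag firewall iprope show 100004 1 2 3
idx=1 pkts/bytes=1000/80000 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=50/4000 asic_pkts/asic_bytes=10/800 flag=0x0
idx=3 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0"""
AFTER = """FGT-LAB (root) $ diag firewall iprope show 100004 1 2 3
idx=1 pkts/bytes=1000/80000 asic_pkts/asic_bytes=0/0 flag=0x0
idx=2 pkts/bytes=54/4320 asic_pkts/asic_bytes=10/800 flag=0x0
idx=3 pkts/bytes=0/0 asic_pkts/asic_bytes=0/0 flag=0x0"""

if __name__ == "__main__":
    print("hit:", policies_hit(BEFORE, AFTER))   # {2: {'pkts': 4, 'bytes': 320}}
    print("zero-hit:", unused_policies(AFTER))   # [3]
```

Keep the test window short and the box otherwise quiet, since any other traffic matching the same policies will also move the counters.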

Ranga
New Contributor

Thanks guys !