Support Forum
Kaplan
Contributor

check matched Policy on CLI

Dear people,

I will check the policy on a policy-based FG100.

I started a ping.

I filtered the sessions for dst IP, but I could not see there which policy is hit.

Is there any way on the CLI to see the matched policy live?

Toshi_Esumi
Esteemed Contributor III

Debbie_FTNT
Staff

Hey Kaplan,

in addition to the link Toshi shared, you can also do something like this via CLI:
#dia sys session filter src <IP>
#dia sys session filter dst <IP>
#dia sys session proto 1 <--- icmp 6=tcp, 17=udp
#dia sys session list | grep policy
-> this will dump just the policy line from the individual sessions, so you can see which policy IDs are matched

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Kaplan

Dear Debbie,

thanks for your information.

Session filter on profile-based policies: I can compare with my policies. Everything is OK.
class_id=0 ha_id=0 policy_dir=0 tunnel=Int_Line-VPN-Z/ helper=dns-udp vlan_cos=0/255
misc=0 policy_id=6 auth_info=0 chk_client_info=0 vd=0

 

Session filter on policy-based policies: it's policy_id=1 on every filter.
That can not be! The question is, do I see here the security policies or the central SNAT policies? (ID 1 of the central SNAT policies could be.)

class_id=0 ha_id=0 policy_dir=0 tunnel=VPN_GK_Aldenhov/ vlan_cos=0/0
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0

Other FW with policy-based:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=60 time=9.4 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=8.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=120.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=60 time=9.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=60 time=44.8 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 8.9/38.4/120.1 ms

SLG-FG-60F-CLA # dia sys session list | grep policy
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0

Policy ID 0 is implicit deny all, so it can not be, because I can ping out from the FW console.

On policy-based I can not compare the session list with the policies.

 

Thanks again.

Debbie_FTNT

Hey Kaplan,

sorry, I didn't take the policy-based bit into consideration.

Regarding the policy ID 0 bit:
Yes, implicit deny is policy ID 0. But any local traffic (originating/terminating on the FortiGate) is also associated with policy ID 0 even when the traffic is not denied. In this case, for a ping originating on the FortiGate itself, it is expected to see policy ID 0 in the session.

Regarding policy ID 1 on every session:

-> the policy ID should be the consolidated policy, I believe, not the security policy

-> I'm not certain if you can find the security policy information in the session list, I haven't worked very much with policy-mode FortiGates

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
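As an added example (not from this thread and not Fortinet's own tooling), a small Python script that parses a session dump like the ones quoted above and summarises which policy IDs the sessions matched, instead of eyeballing the output of "dia sys session list | grep policy". The sample dump is constructed; the "session info:" header line that starts each session is an assumption about the dump layout, and the other key=value lines follow the ones quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample of "diag sys session list" output (not captured from a
# real device). Assumption: every session starts with a "session info:" line.
SAMPLE_SESSION_LIST = """\
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0

session info: proto=6 proto_state=01 duration=120 expire=3598 timeout=3600
class_id=0 ha_id=0 policy_dir=0 tunnel=Int_Line-VPN-Z/ helper=dns-udp vlan_cos=0/255
misc=0 policy_id=6 auth_info=0 chk_client_info=0 vd=0

session info: proto=17 proto_state=01 duration=4 expire=176 timeout=180
class_id=0 ha_id=0 policy_dir=0 tunnel=VPN_GK_Aldenhov/ vlan_cos=0/0
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
"""

KV = re.compile(r"(\w+)=(\S*)")          # one key=value token
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}  # numbers used by the filter

def parse_sessions(text):
    """Split the dump into sessions and merge every key=value token of a
    session into one dict (tunnel, helper, policy_id, vd, ...)."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            current = {}
            sessions.append(current)
        if current is not None:
            current.update(KV.findall(line))
    return sessions

def matched_policies(sessions):
    """Return {policy_id: number of sessions}, the information the thread
    extracts with 'dia sys session list | grep policy'."""
    return Counter(s.get("policy_id", "?") for s in sessions)

def describe(session):
    """One-line summary of a session; policy 0 is flagged because, as noted
    in the thread, it is the implicit deny but also FortiGate-local traffic."""
    pid = session.get("policy_id", "?")
    proto = PROTO_NAMES.get(session.get("proto", ""), "proto " + session.get("proto", "?"))
    note = " (implicit deny or FortiGate-local traffic)" if pid == "0" else ""
    return f"{proto} tunnel={session.get('tunnel', '')} policy_id={pid}{note}"

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSION_LIST)
    for s in sessions:
        print(describe(s))
    print(dict(matched_policies(sessions)))
```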
DPadula

Not sure which FortiOS version was used, but on 7.0.x the word "filter" is necessary before "proto".

[screenshot: diag sys session filter proto]
