Fortinet Forum
nml
New Contributor II

find out what policy is going to be followed

Good morning,

I would like to know what to include as dst_port and protocol to find the rule
that allows me to pass the ping in the command:


diag firewall iprope lookup  src_ip  src_port  dst_ip  dst_port  protocol  Source interface


I have tried with "any" and "all_icmp" and it does not give an error but it does not give me the correct policy:


diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35


Thank you very much.

1 Solution
ede_pfau
Esteemed Contributor III

you can even shorten that...quirks of a parser:

gate8 # diag firewall iprope lookup 192.168.234.4 0 8.8.8.8 / 1 internal
<src [192.168.234.4-0] dst [8.8.8.8-/] proto 1 dev internal> matches policy id: 56

Ede

"Kernel panic: Aiee, killing interrupt handler!"

13 Replies
Debbie_FTNT
Staff

Hey guys,

it took some digging, but I found something:

#dia firewall iprope lookup <source IP> 1234 <dst IP> 1/133 icmp <source interface>

-> this returns the correct policy for me.


I couldn't find WHY the iprope lookup command needs to use this exact syntax, I just found an example buried in some old internal documentation, but it does return the correct result at least in my lab (on 7.0); the documentation I found was for a 6.0 setup, so I would assume that any firmware in between should also return a result.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
malam

Hi Guys,

Sometimes the GUI fails to perform a policy lookup when you select "ICMP ping request/ICMP ping reply" as the protocol. Then the CLI command below is very helpful for doing a policy lookup.

diagnose firewall iprope lookup <source IP> 1234 <dst IP> 1/133 icmp <source interface>

Mahboob Alam
Toshi_Esumi
Esteemed Contributor II

Based on my slightly more exhaustive test,

- In the case of "icmp" or protocol "1", the destination port field needs to be in "xxx/yyy" format; the '/' is necessary.

- For the protocol field you can use either the name or the number, as in the examples below.

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 1234 8.8.8.8 1/13 icmp internal2
<src [10.68.0.103-1234] dst [8.8.8.8-1/13] proto icmp dev internal2> matches policy id: 2

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 1234 8.8.8.8 113 icmp internal2
Command fail. Return code -16

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 12345 8.8.8.8 0/0 1 internal2
<src [10.68.0.103-12345] dst [8.8.8.8-0/0] proto 1 dev internal2> matches policy id: 2

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 12345 8.8.8.8 53 udp internal2
<src [10.68.0.103-12345] dst [8.8.8.8-53] proto udp dev internal2> matches policy id: 2

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 2

<edit>

The above test was not enough to prove that the protocol number is actually working, so I added a new policy 26 above policy 2 and then tested below to prove it.

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 26

xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 udp internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto udp dev internal2> matches policy id: 26

Toshi
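The rules Toshi worked out above (the "xxx/yyy" destination field for ICMP, protocol by name or number, and the "Command fail. Return code -16" response when the field is malformed) can be encoded in a small helper that builds the lookup command, parses the match line and flags flows that land on an unexpected policy, which is handy when auditing a ruleset change. This is an added example, not code from the thread or from Fortinet; it assumes the ICMP destination field is type/code (8/0 for echo request) and that `run_cli` is a caller-supplied function that sends one command to the FortiGate and returns its output (a constructed stub here).

```python
import re

# Match line printed by a successful lookup, e.g.
#   <src [10.68.0.103-1234] dst [8.8.8.8-1/13] proto icmp dev internal2> matches policy id: 2
MATCH_RE = re.compile(
    r"<src \[(?P<src>[^\]]+)\] dst \[(?P<dst>[^\]]+)\] proto (?P<proto>\S+) dev (?P<dev>\S+)>"
    r" matches policy id: (?P<pid>\d+)"
)

def build_lookup(src_ip, src_port, dst_ip, dst_field, proto, iface):
    """Build the CLI line. For ICMP (name 'icmp' or number '1') the destination field must be
    'xxx/yyy' (assumed here to be ICMP type/code, e.g. '8/0' for echo request); a bare number
    makes the CLI answer 'Command fail. Return code -16'. Other protocols take a numeric port."""
    proto, dst_field = str(proto).lower(), str(dst_field)
    if proto in ("icmp", "1"):
        if not re.fullmatch(r"\d+/\d+", dst_field):
            raise ValueError(f"ICMP lookup needs 'type/code' in the dst field, got {dst_field!r}")
    elif not dst_field.isdigit():
        raise ValueError(f"{proto} lookup needs a numeric dst port, got {dst_field!r}")
    return f"diagnose firewall iprope lookup {src_ip} {src_port} {dst_ip} {dst_field} {proto} {iface}"

def parse_lookup(output):
    """Return the matched policy id, or None when no match line is present
    (which is what the 'Command fail. Return code -16' response yields)."""
    m = MATCH_RE.search(output)
    return int(m.group("pid")) if m else None

def audit(flows, expected, run_cli):
    """For each flow (src_ip, src_port, dst_ip, dst_field, proto, iface) run the lookup and
    compare the matched policy id with the expected one; returns (command, matched, ok) rows."""
    rows = []
    for flow, want in zip(flows, expected):
        cmd = build_lookup(*flow)
        got = parse_lookup(run_cli(cmd))
        rows.append((cmd, got, got == want))
    return rows

# Constructed stand-in for a CLI session: canned outputs keyed by command (not real device output).
FAKE_CLI = {
    "diagnose firewall iprope lookup 10.68.0.103 1234 8.8.8.8 8/0 icmp internal2":
        "<src [10.68.0.103-1234] dst [8.8.8.8-8/0] proto icmp dev internal2> matches policy id: 2",
    "diagnose firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2":
        "<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 26",
}
FLOWS = [("10.68.0.103", 1234, "8.8.8.8", "8/0", "icmp", "internal2"),
         ("10.68.0.103", 55555, "8.8.8.8", "53", "17", "internal2")]

if __name__ == "__main__":
    for row in audit(FLOWS, [2, 2], lambda c: FAKE_CLI.get(c, "Command fail. Return code -16")):
        print(row)
```

In the stub the DNS flow now matches policy 26 instead of the expected policy 2, so its row comes back with ok=False, which is the kind of drift the audit is meant to surface.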
