Hi folks!!
My FortiGate 40F fw (OS 6.4.10) is running in NGFW policy-based mode.
OBJECTIVE:
Display packets being denied/permitted by the Fortigate firewall policy; and reveal which policy denied or permitted the packets.
Fortigate fw running in Policy-based mode does not support the GUI policy lookup option.
What has been performed to reveal this data:
I have specifically enabled 2 test policies Internet-22 and Internet-69 to block packets from reaching Google DNS (test subject) via port 22 or 69.
OPTION-1:
If I use diag sniffer packet any 'host 192.168.0.101 and tcp port 22' 1 0 l, I see the packets but cannot determine whether any FortiGate fw policy is blocking them, and communications still fail. Note: I understand Google does not allow TCP communications on port 22; this is just a test case.
OPTION-2:
If I use the diag debug flow option, it appears the packets are being allowed to reach Google, as shown by id=20085 trace_id=92 func=fw_forward_handler line=811 msg="Allowed by Policy-1: SNAT".
OPTION-3:
?
I must be doing something wrong or just don’t understand how to read the output, can anyone provide guidance?
Thank you.
Jimmy
Test-lab # diagnose sniffer packet any 'host 192.168.0.101 and tcp port 22' 1 0 l
interfaces=[any]
filters=[host 192.168.0.101 and tcp port 22]
2023-07-23 19:42:05.006311 192.168.0.101.7245 -> 8.8.8.8.22: syn 1681993287
2023-07-23 19:42:06.019218 192.168.0.101.7245 -> 8.8.8.8.22: syn 1681993287
2023-07-23 19:42:08.023414 192.168.0.101.7245 -> 8.8.8.8.22: syn 1681993287
2023-07-23 19:42:12.024036 192.168.0.101.7245 -> 8.8.8.8.22: syn 1681993287
2023-07-23 19:42:20.038212 192.168.0.101.7245 -> 8.8.8.8.22: syn 1681993287
diag debug reset
diag debug flow filter clear
diag debug flow filter daddr 8.8.8.8
diag debug flow filter port 22
diag debug flow show function-name enable
diag debug flow trace start 30
diag debug enable
id=20085 trace_id=92 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.0.101:2690->8.8.8.8:22) from a. flag [S], seq 3902402880, ack 0, win 64240"
id=20085 trace_id=92 func=init_ip_session_common line=5995 msg="allocate a new session-00000a90"
id=20085 trace_id=92 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-<Public.IP.addr.removed> via wan"
id=20085 trace_id=92 func=fw_forward_handler line=811 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=92 func=__ip_session_run_tuple line=3519 msg="SNAT 192.168.0.101->Public.IP.addr.removed:61310"
id=20085 trace_id=92 func=ipd_post_route_handler line=490 msg="out wan vwl_zone_id 0, state2 0x0, quality 0."
id=20085 trace_id=92 func=np6xlite_hif_nturbo_build_vtag line=1100 msg="np6xlite_hif_nturbo_build_vtag: vtag->magic d153beef, vtag->coretag 64, vtag->vid 0
vtag->sip[0] 55572a3f, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
vtag->sport 32495, vtag->mtu 1500, vtag->flags 12, vtag->np6_index 1, skb->npu_flag=0xc0880"
id=20085 trace_id=93 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.0.101:2690->8.8.8.8:22) from a. flag [S], seq 3902402880, ack 0, win 64240"
id=20085 trace_id=93 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-00000a90, original direction"
id=20085 trace_id=93 func=npu_handle_session44 line=1217 msg="Trying to offloading session from a to wan, skb.npu_flag=00000000 ses.state=00053200 ses.npu_state=0x00003008"
id=20085 trace_id=93 func=fw_forward_dirty_handler line=397 msg="state=00053200, state2=00000000, npu_state=00003008"
id=20085 trace_id=94 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.0.101:2690->8.8.8.8:22) from a. flag [S], seq 3902402880, ack 0, win 64240"
id=20085 trace_id=94 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-00000a90, original direction"
id=20085 trace_id=94 func=npu_handle_session44 line=1217 msg="Trying to offloading session from a to wan, skb.npu_flag=00000000 ses.state=00053200 ses.npu_state=0x00003008"
id=20085 trace_id=94 func=fw_forward_dirty_handler line=397 msg="state=00053200, state2=00000000, npu_state=00003008"
id=20085 trace_id=95 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.0.101:2690->8.8.8.8:22) from a. flag [S], seq 3902402880, ack 0, win 64240"
id=20085 trace_id=95 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-00000a90, original direction"
id=20085 trace_id=95 func=npu_handle_session44 line=1217 msg="Trying to offloading session from a to wan, skb.npu_flag=00000000 ses.state=00053200 ses.npu_state=0x00003008"
id=20085 trace_id=95 func=fw_forward_dirty_handler line=397 msg="state=00053200, state2=00000000, npu_state=00003008"
id=20085 trace_id=96 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.0.101:2690->8.8.8.8:22) from a. flag [S], seq 3902402880, ack 0, win 64240"
id=20085 trace_id=96 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-00000a90, original direction"
id=20085 trace_id=96 func=npu_handle_session44 line=1217 msg="Trying to offloading session from a to wan, skb.npu_flag=00000000 ses.state=00053200 ses.npu_state=0x00003008"
id=20085 trace_id=96 func=fw_forward_dirty_handler line=397 msg="state=00053200, state2=00000000, npu_state=00003008"
Hello @JimBo ,
In policy-based mode, the firewall policy is split into 2 sections: for versions 7.0 & 6.4 the native policy is called 'SSL Inspection & Authentication', and the application control policy is called 'Security Policy'.
Debug flow will only show the matched native policy id of the traffic, in our case policy id 1.
To see which application control policy is used for the traffic, we need to get the session output; the value of 'ngfwid' will be the matching security policy.
To see session output in your case, run the below commands:
diag sys session filter dst 8.8.8.8
diag sys session filter dport 22
diag sys session list
Hi MRISWAN,
I used your cli example and I still get "total session 0" as output.
diag sys session filter dst 8.8.8.8
diag sys session filter dport 22
diag sys session list
I'm thinking I may have misunderstood part of your answer as I don't know what ngfwid is.
Are there more details I should consider for this to provide the desired output?
Thank you
Hi Jim,
You will be able to see ngfwid in the session list output:-
e.g.:-
diagnose sys session list
session info: proto=1 proto_state=00 duration=27 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
---truncated---
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 <----- 'policy id refers to firewall policy'.
serial=000152f5 tos=ff/ff app_list=0 app=24466 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=1 <----- Security policy -- on profile based is always 'ngfwid=n/a'.
npu_state=0x041008
For your reference, please follow the link below:-
Regards
Priyanka
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
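To tie the two outputs together the way the answers above describe (the native policy id from the debug flow, the security policy from ngfwid in the session list), here is a small parser added as an example; it is not code from the thread or from Fortinet. It assumes the hex id in the flow's "allocate a new session-…" message is the same value the session list shows as serial=, and the "Denied by forward policy check (policy N)" wording for a deny is taken from memory of other FortiOS traces, not from this thread; both samples are constructed.

```python
import re

# Constructed 'diagnose debug flow' sample, shaped like the trace in the thread; the
# "Denied by forward policy check" wording is assumed from other FortiOS traces.
SAMPLE_FLOW = """\
id=20085 trace_id=92 func=init_ip_session_common line=5995 msg="allocate a new session-00000a90"
id=20085 trace_id=92 func=fw_forward_handler line=811 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=93 func=init_ip_session_common line=5995 msg="allocate a new session-00000a91"
id=20085 trace_id=93 func=fw_forward_handler line=811 msg="Denied by forward policy check (policy 0)"
"""
# Constructed 'diagnose sys session list' entry trimmed to the fields the thread discusses
# (policy_id = native policy, ngfwid = NGFW security policy); values are invented.
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=3 expire=2997 timeout=3600 flags=00000000 use=4
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00000a90 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=3
total session 1
"""
VERDICT_RE = re.compile(r'trace_id=(\d+) .*msg="(?:Allowed by Policy-(\d+)'
                        r'|Denied by forward policy check \(policy (\d+)\))')
ALLOC_RE = re.compile(r'trace_id=(\d+) .*msg="allocate a new session-([0-9a-f]+)"')

def flow_verdicts(flow_text):
    """Map trace_id -> (verdict, native policy id) from the fw_forward_handler lines."""
    out = {}
    for tid, allow_pid, deny_pid in VERDICT_RE.findall(flow_text):
        out[int(tid)] = ("allowed", int(allow_pid)) if allow_pid else ("denied", int(deny_pid))
    return out

def session_policies(session_text):
    """Split the session list into entries and pull serial / policy_id / ngfwid from each."""
    entries = []
    for entry in session_text.split("session info:")[1:]:
        fields = dict(re.findall(r"(\w+)=(\S+)", entry))
        entries.append({k: fields.get(k) for k in ("serial", "policy_id", "ngfwid")})
    return entries

def explain(flow_text, session_text):
    """Join each trace's verdict to its session entry via the hex id the trace allocated
    (assumed to be the same value the session list shows as serial=)."""
    by_serial = {s["serial"]: s for s in session_policies(session_text)}
    verdicts = flow_verdicts(flow_text)
    result = {}
    for tid, serial in ALLOC_RE.findall(flow_text):
        verdict, native_pid = verdicts.get(int(tid), ("no verdict line", None))
        sess = by_serial.get(serial)
        result[serial] = {"verdict": verdict, "policy_id": native_pid,
                          "ngfwid": sess["ngfwid"] if sess else None}
    return result
```

A denied session will normally have no entry in the session list, so its ngfwid comes back as None; the security policy is only visible for traffic the native policy let through.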
Hey @JimBo
To reveal the security policy that either permitted or denied certain packets, you would typically check the logs from your firewall or your Intrusion Prevention System (IPS). The specific steps can vary greatly depending on the specific system and setup you have, but here's a general idea:
Access your firewall/IPS logs: These logs are typically available through the administration interface for your firewall or IPS. You may need to log in with an administrator account.
Filter the logs: You can typically filter the logs by time, source IP address, destination IP address, port, and whether the packet was accepted or denied. The filtering options will depend on your specific system.
Check the policy: Once you've found the specific packets you're interested in, there should be a reference to the policy that led to the packet being accepted or denied. This might be a rule number, a rule name, or a similar identifier.