Hi Toshi_Esumi,

Yes, I had gone  through as you shared link. couldn't understand properly.

Can you please make me understand, when packet arrive at incoming interface, in my case port 2 is incoming interface and outgoing interface WAN(port1).

Lets suppose If user trying to access any http or icmp traffic who is setting inside the LAN. on that time I want to know how packet flow will be.

As far I understand - It will check following things as follows:-

1. lookup routing table

2.If route is present in the routing table then it will check policy whether particular source is allowed or not with specified service if rule/policy is enabled then traffic will pass.

3. Unable to understand when it check session table/security policy and rest of thing.

Please go through my doubt and make me understand.

Thank you.

Fortigate Firewall learner.

Happy Learning :)

First thing , what is the destination IP?

lets assume the destination is 8.8.8.8. Not just fortigate, pretty much all firewalls follow the below as basic.
Firewall will check if it has an existing session for the packet received using the 5 tuples used to build sessions. If there is session the packet will be forwarded according to the session table entry, if not it proceed with below steps
Firewall will check if it has a Destination NAT for 8.8.8.8, if so it will perform the NAT and then the further check will be using the translated IP as destination.

Once the destination is confirmed, Firewall will do a destination route lookup, this will help to determine the outgoing interface and thus a policy context can be identified (policies defined between incoming and outgoing interfaces).
Firewall will also do a route lookup for Source to make sure its coming from the expected interface and not a spoof.

Once the route lookup is complete, it will check policies defined between the interfaces and if the policy allows the source/destination/application, if it allows the traffic is processed /moved to further inspections like UTM/AV/IPS etc and then if they all permit the traffic it will be sent out of the outgoing interface.

If the packet is TCP, firewalls will check if the first packet is SYN, second is SYN-ACK , third is ACK etc (also the direction of these packets as well) . If they are not in order it will be dropped.

I think @srajeswaran explained the process nicely. Although he intentionally didn't include SNAT(source NAT) process since you don't need it at your FGT because the SNAT is done at your ISP's router, I would include it after UTM/AV/IPS inspection. Because that's more common setup when the ISP's router is set in bridge mode.

Toshi