What happens when any packet reaches at inside interface of Fortigate Firewall

Umesh · ‎10-03-2023

Hello everyone,

When It comes to understand packet flow of Fortigate firewall when packet comes/arrives on it incoming interface and then next goes outside interface . I am sharing diagram with this so that you can make me understand using this diagram.

Actually this packet follow has been asked by the interviewer, that time I was unable to make him understand.

I would like to request you please look at this diagram, on the basis of it please make me understand.

I had gone through below Fortigate's docs but couldn't clear my doubt.

Regards,

Fortigate Firewall learner

Toshi_Esumi · ‎10-03-2023

Did you mean to include link like this?
https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/p...

Toshi

Umesh · ‎10-04-2023

Hi Toshi_Esumi,

Yes, I had gone through as you shared link. couldn't understand properly.

Can you please make me understand, when packet arrive at incoming interface, in my case port 2 is incoming interface and outgoing interface WAN(port1).

Lets suppose If user trying to access any http or icmp traffic who is setting inside the LAN. on that time I want to know how packet flow will be.

As far I understand - It will check following things as follows:-

1. lookup routing table

2.If route is present in the routing table then it will check policy whether particular source is allowed or not with specified service if rule/policy is enabled then traffic will pass.

3. Unable to understand when it check session table/security policy and rest of thing.

Please go through my doubt and make me understand.

Thank you.

Fortigate Firewall learner.

srajeswaran · ‎10-04-2023

Happy Learning :)

First thing , what is the destination IP?

lets assume the destination is 8.8.8.8. Not just fortigate, pretty much all firewalls follow the below as basic.
Firewall will check if it has an existing session for the packet received using the 5 tuples used to build sessions. If there is session the packet will be forwarded according to the session table entry, if not it proceed with below steps
Firewall will check if it has a Destination NAT for 8.8.8.8, if so it will perform the NAT and then the further check will be using the translated IP as destination.

Once the destination is confirmed, Firewall will do a destination route lookup, this will help to determine the outgoing interface and thus a policy context can be identified (policies defined between incoming and outgoing interfaces).
Firewall will also do a route lookup for Source to make sure its coming from the expected interface and not a spoof.

Once the route lookup is complete, it will check policies defined between the interfaces and if the policy allows the source/destination/application, if it allows the traffic is processed /moved to further inspections like UTM/AV/IPS etc and then if they all permit the traffic it will be sent out of the outgoing interface.

If the packet is TCP, firewalls will check if the first packet is SYN, second is SYN-ACK , third is ACK etc (also the direction of these packets as well) . If they are not in order it will be dropped.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

Toshi_Esumi · ‎10-04-2023

I think @srajeswaran explained the process nicely. Although he intentionally didn't include SNAT(source NAT) process since you don't need it at your FGT because the SNAT is done at your ISP's router, I would include it after UTM/AV/IPS inspection. Because that's more common setup when the ISP's router is set in bridge mode.

Toshi