What happens when a packet reaches the inside interface of a FortiGate firewall
I am trying to understand the packet flow of a FortiGate firewall when a packet arrives on its incoming interface and then goes out of the outside interface. I am sharing a diagram with this so that you can help me understand using it.
Actually this packet flow was asked by the interviewer, and at that time I was unable to make him understand.
I would like to request that you please look at this diagram and, on the basis of it, help me understand.
I had gone through the FortiGate docs below but couldn't clear my doubt.
Let's assume the destination is 220.127.116.11. Not just FortiGate, pretty much all firewalls follow the below as the basic flow. The firewall will check if it has an existing session for the received packet, using the 5-tuple that sessions are built from. If there is a session, the packet will be forwarded according to the session table entry; if not, it proceeds with the steps below. The firewall will check if it has a destination NAT for 18.104.22.168; if so, it will perform the NAT, and the further checks will use the translated IP as the destination.
Once the destination is confirmed, the firewall will do a destination route lookup. This determines the outgoing interface, and thus a policy context can be identified (policies are defined between incoming and outgoing interfaces). The firewall will also do a route lookup for the source, to make sure it is coming from the expected interface and is not spoofed.
Once the route lookup is complete, it will check the policies defined between the interfaces. If a policy allows the source/destination/application, the traffic is processed and moved on to further inspections like UTM/AV/IPS etc., and if they all permit the traffic it will be sent out of the outgoing interface.
If the packet is TCP, firewalls will check that the first packet is SYN, the second is SYN-ACK, the third is ACK, etc. (and the direction of these packets as well). If they are not in order, the packet will be dropped.
I think @srajeswaran explained the process nicely. Although he intentionally didn't include the SNAT (source NAT) process, since you don't need it on your FGT because the SNAT is done at your ISP's router, I would include it after the UTM/AV/IPS inspection, because that is the more common setup when the ISP's router is set in bridge mode.
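The first-packet pipeline from srajeswaran's answer, with the SNAT step from the follow-up reply placed after inspection, as a small Python model. This is an added example written for this page; it is not FortiOS code or anything from Fortinet's docs, and it only models the ordering of the checks. The interface names wan1/internal, the VIP 203.0.113.10 -> 192.168.10.20, the policies and all addresses are constructed for the illustration; the session table is keyed on the 5-tuple in both directions, the TCP handshake order is tracked per session, and port translation is not modelled.

```python
"""Toy model of a firewall's first-packet path (added example, not FortiOS code):
session lookup -> DNAT -> route lookups (egress + RPF) -> policy -> inspection -> SNAT -> session install.
All addresses, interfaces and policies below are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_if: str          # interface the packet arrived on
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    flags: str = "S"    # TCP flags as a string: "S" = SYN, "SA" = SYN-ACK, "A" = ACK


# Handshake order enforced on a new TCP session: (direction, flags) that must come next.
HANDSHAKE = [("reply", "SA"), ("orig", "A")]


@dataclass
class Session:
    in_if: str
    out_if: str
    dnat_dst: str
    snat_src: str
    step: int = 0       # index into HANDSHAKE; len(HANDSHAKE) means established


@dataclass
class Firewall:
    routes: list        # [(cidr, iface)]; longest prefix wins
    vips: dict          # DNAT table: external IP -> internal IP
    policies: list      # [(src_if, dst_if, proto, dport or "any", action)]
    snat: dict          # egress iface -> source IP to NAT to (absent = no SNAT)
    sessions: dict = field(default_factory=dict)  # 5-tuple -> (Session, direction)

    def route(self, ip):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(ip)
        best = None
        for cidr, iface in self.routes:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def process(self, p):
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        hit = self.sessions.get(key)
        if hit:                                      # 1. session hit: no policy re-evaluation
            sess, direction = hit
            if p.proto == "tcp" and sess.step < len(HANDSHAKE):
                if (direction, p.flags) != HANDSHAKE[sess.step]:
                    return f"drop: out-of-order TCP {p.flags} in {direction} direction"
                sess.step += 1
            out = sess.out_if if direction == "orig" else sess.in_if
            return f"forward via session -> {out}"
        if p.proto == "tcp" and p.flags != "S":      # 2. first packet of a TCP flow must be SYN
            return "drop: first packet is not SYN"
        dst = self.vips.get(p.dst, p.dst)            # 3. DNAT before routing and policy lookup
        out_if = self.route(dst)                     # 4a. destination route -> egress interface
        if out_if is None:
            return "drop: no route to destination"
        if self.route(p.src) != p.in_if:             # 4b. RPF: source must route back the way it came
            return f"drop: RPF failed, {p.src} is not expected on {p.in_if}"
        for s_if, d_if, proto, dport, action in self.policies:  # 5. policy in (in_if, out_if) context
            if (s_if, d_if, proto) == (p.in_if, out_if, p.proto) and dport in ("any", p.dport):
                if action != "accept":
                    return f"drop: denied by policy {s_if}->{d_if}"
                break
        else:
            return "drop: no matching policy (implicit deny)"
        # 6. UTM/AV/IPS inspection would run on the accepted flow here (not modelled).
        src = self.snat.get(out_if, p.src)           # 7. SNAT applied last, per egress interface
        sess = Session(in_if=p.in_if, out_if=out_if, dnat_dst=dst, snat_src=src)
        self.sessions[key] = (sess, "orig")
        self.sessions[(p.proto, dst, p.dport, src, p.sport)] = (sess, "reply")  # server's reply tuple
        return f"accept: {p.src}->{p.dst} out {out_if} as {src}->{dst}"


def demo():
    """Constructed traffic: inbound VIP hit, its handshake, a stray ACK, a spoof, and outbound SNAT."""
    fw = Firewall(
        routes=[("0.0.0.0/0", "wan1"), ("192.168.10.0/24", "internal")],
        vips={"203.0.113.10": "192.168.10.20"},
        policies=[("wan1", "internal", "tcp", 443, "accept"),
                  ("internal", "wan1", "tcp", "any", "accept")],
        snat={"wan1": "203.0.113.10"},
    )
    pkts = [
        Packet("wan1", "198.51.100.7", "203.0.113.10", 40000, 443, flags="S"),   # new session via VIP
        Packet("internal", "192.168.10.20", "198.51.100.7", 443, 40000, flags="SA"),  # reply direction
        Packet("wan1", "198.51.100.7", "203.0.113.10", 40000, 443, flags="A"),   # handshake completes
        Packet("wan1", "198.51.100.9", "203.0.113.10", 40001, 443, flags="A"),   # no session, not SYN
        Packet("wan1", "192.168.10.5", "203.0.113.10", 40002, 443, flags="S"),   # internal src on wan1
        Packet("internal", "192.168.10.30", "198.51.100.50", 50000, 443, flags="S"),  # outbound, SNAT
    ]
    return [fw.process(p) for p in pkts]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The model keeps the point both replies make: the session table is consulted before anything else, DNAT changes what the route and policy lookups see, the source route lookup is the anti-spoofing check, and SNAT is chosen by the egress interface only after the policy and inspection decisions have been made.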