Dear people,
I will check the policy on a policy-based FG100.
I started a ping.
I filtered the sessions for dst IP, but I could not see there which policy was hit.
Is there any way in the CLI to see the matched policy live?
Hey Kaplan,
in addition to the link Toshi shared, you can also do something like this via CLI:
# dia sys session filter src <IP>
# dia sys session filter dst <IP>
# dia sys session filter proto 1    <--- 1 = icmp, 6 = tcp, 17 = udp
# dia sys session list | grep policy
-> this will dump just the policy line from the individual sessions, so you can see which policy IDs are matched
Dear Debbi,
thanks for your information.
Session filter on profile-based policies: I can compare with my policies. Everything is OK.
class_id=0 ha_id=0 policy_dir=0 tunnel=Int_Line-VPN-Z/ helper=dns-udp vlan_cos=0/255
misc=0 policy_id=6 auth_info=0 chk_client_info=0 vd=0
Session filter on policy-based policies: on every filter it is policy_id=1.
That cannot be! The question is, do I see here the security policies or the central SNAT policies? (ID 1 of the central SNAT policies could be it.)
class_id=0 ha_id=0 policy_dir=0 tunnel=VPN_GK_Aldenhov/ vlan_cos=0/0
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
Other FW with policy-based mode:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=60 time=9.4 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=8.9 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=120.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=60 time=9.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=60 time=44.8 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 8.9/38.4/120.1 ms
SLG-FG-60F-CLA # dia sys session list | grep policy
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
Policy ID 0 is implicit deny all, so it cannot be, because I can ping out from the FW console.
On policy-based I cannot compare the session list with the policies.
Thanks again.
Hey Kaplan,
sorry, I didn't take the policy-based bit into consideration.
Regarding the policy ID 0 bit:
Yes, implicit deny is policy ID 0. But any local traffic (originating/terminating on the FortiGate) is also associated with policy ID 0 even when the traffic is not denied. In this case, for a ping originating on the FortiGate itself, it is expected to see policy ID 0 in the session.
Regarding policy ID 1 on every session:
-> the policy ID should be the consolidated policy, I believe, not the security policy
-> I'm not certain if you can find the security policy information in the session list, I haven't worked very much with policy-mode FortiGates
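The `grep policy` trick above shows only the policy_id line and drops the rest of each session, so you lose which session (tunnel, protocol) a given ID belongs to. The following is an added example, not code from the thread or from Fortinet: a small Python parser for `diagnose sys session list` output that keeps each session's fields together, counts sessions per policy_id, and labels policy ID 0 with the ambiguity Debbi describes (implicit deny, or traffic local to the FortiGate). The session dump embedded in it is constructed from the field layout quoted in the thread; the `session info:` header line is assumed to start each session block, and the values are sample data.

```python
"""Summarise which policy IDs appear in FortiGate `diagnose sys session list` output.

Added example, not from the forum thread or from Fortinet. The dump below is
constructed: field names follow the lines quoted in the thread, values are samples.
"""
import re
from collections import Counter

# Constructed sample dump: three ICMP sessions, each starting with a
# "session info:" header (assumed format) followed by the lines the thread quotes.
SAMPLE_SESSION_DUMP = """\
session info: proto=1 proto_state=00 duration=3 expire=57 timeout=0 flags=00000000
class_id=0 ha_id=0 policy_dir=0 tunnel=Int_Line-VPN-Z/ helper=dns-udp vlan_cos=0/255
misc=0 policy_id=6 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=5 expire=55 timeout=0 flags=00000000
class_id=0 ha_id=0 policy_dir=0 tunnel=VPN_GK_Aldenhov/ vlan_cos=0/0
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=1 proto_state=00 duration=1 expire=59 timeout=0 flags=00000000
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=255/255
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
"""

# key=value tokens; values may contain '/' and '-' (e.g. tunnel names, vlan_cos).
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_sessions(dump):
    """Split the dump into sessions and return one dict of key=value fields each.

    A new session starts at every line beginning with "session info:". Within a
    session the first occurrence of a key wins, so repeated keys do not overwrite.
    """
    sessions = []
    current = None
    for line in dump.splitlines():
        if line.startswith("session info:"):
            current = {}
            sessions.append(current)
        if current is None:
            continue  # lines before the first session header are ignored
        for key, value in KV_RE.findall(line):
            current.setdefault(key, value)
    return sessions


def policy_hits(sessions):
    """Count sessions per policy_id (int keys); -1 marks sessions without the field."""
    return Counter(int(s.get("policy_id", -1)) for s in sessions)


def explain_policy_id(policy_id):
    """Interpretation of policy_id as discussed in the thread.

    0 is the implicit deny policy, but FortiGate-local traffic (originating or
    terminating on the unit, e.g. a ping from the console) is also shown with
    policy ID 0, so 0 alone does not prove a drop.
    """
    if policy_id == 0:
        return "policy 0: implicit deny OR local (FortiGate-originated/terminated) traffic"
    return f"policy {policy_id}"


def summarize(dump):
    """Return a list of (policy_id, session_count, sorted tunnel names, explanation)."""
    sessions = parse_sessions(dump)
    hits = policy_hits(sessions)
    rows = []
    for pid in sorted(hits):
        tunnels = sorted({s.get("tunnel", "") for s in sessions
                          if int(s.get("policy_id", -1)) == pid})
        rows.append((pid, hits[pid], tunnels, explain_policy_id(pid)))
    return rows


if __name__ == "__main__":
    # Typical use: paste the CLI output into a file and read it instead of the sample.
    for pid, count, tunnels, note in summarize(SAMPLE_SESSION_DUMP):
        print(f"{note}: {count} session(s), tunnels={tunnels}")
```

Run it against a saved copy of the real CLI output rather than the sample; on a policy-based FortiGate, keep in mind the caveat raised in the thread that the ID shown may refer to the consolidated policy rather than the security policy.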
Not sure which FortiOS version was used but on 7.0.x the word filter is necessary before proto.