Good morning,
I would like to know what to include as dst_port and protocol to find the rule
that allows me to pass the ping in the command:
diag firewall iprope lookup src_ip src_port dst_ip dst_port protocol Source interface
I have tried with "any" and "all_icmp" and it does not give an error but it does not give me the correct policy:
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35
Thank you very much.
You can even shorten that... quirks of the parser:
gate8 # diag firewall iprope lookup 192.168.234.4 0 8.8.8.8 / 1 internal
<src [192.168.234.4-0] dst [8.8.8.8-/] proto 1 dev internal> matches policy id: 56
Hey guys,
it took some digging, but I found something:
#dia firewall iprope lookup <source IP> 1234 <dst IP> 1/133 icmp <source interface>
-> this returns the correct policy for me.
I couldn't find WHY the iprope lookup command needs this exact syntax; I just found an example buried in some old internal documentation. It does return the correct result, at least in my lab (on 7.0). The documentation I found was for a 6.0 setup, so I would assume that any firmware in between should also return a result.
Hi Guys,
Sometimes the GUI fails to perform a policy lookup when you select "ICMP ping request/ICMP ping reply" as the protocol. In that case the CLI command below is very helpful for doing the policy lookup.
* > diagnose firewall iprope lookup <source IP> 1234 <dst IP> 1/133 icmp <source interface>
Based on my slightly more exhaustive tests:
- In the case of "icmp" or protocol "1", the destination port field needs to be in "xxx/yyy" format; the '/' is necessary.
- For the protocol field you can use either the name or the number, as in the examples below.
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 1234 8.8.8.8 1/13 icmp internal2
<src [10.68.0.103-1234] dst [8.8.8.8-1/13] proto icmp dev internal2> matches policy id: 2
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 1234 8.8.8.8 113 icmp internal2
Command fail. Return code -16
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 12345 8.8.8.8 0/0 1 internal2
<src [10.68.0.103-12345] dst [8.8.8.8-0/0] proto 1 dev internal2> matches policy id: 2
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 12345 8.8.8.8 53 udp internal2
<src [10.68.0.103-12345] dst [8.8.8.8-53] proto udp dev internal2> matches policy id: 2
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 2
<edit>
The above test was not enough to prove that the protocol number is actually working, so I added a new policy 26 above policy 2 and then tested as below to prove it.
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 26
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 udp internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto udp dev internal2> matches policy id: 26
Toshi
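As an added example (not code from the thread or from Fortinet), the helper below encodes the parser quirk the posts above describe: for protocol "icmp" or "1" the dst_port field must be written as "xxx/yyy" with a literal '/', while TCP/UDP take a plain port, and it parses the one-line result the command prints so a batch of flows can be checked against the policy IDs they are supposed to hit. The function names and the reading of "xxx/yyy" as ICMP type/code are assumptions; the thread itself only states that the '/' is required.

```python
"""Build and check FortiOS `diagnose firewall iprope lookup` commands.

Constructed helper (not from the forum thread). It rejects the bare-number
ICMP form that makes the CLI answer "Command fail. Return code -16".
"""
import re

ICMP_PROTOS = {"icmp", "1"}


def build_lookup(src_ip, src_port, dst_ip, dst_port, proto, src_intf):
    """Return the CLI line for one flow; dst_port is a port number for
    TCP/UDP, or a "type/code" string or (type, code) tuple for ICMP
    (assumption: xxx/yyy is ICMP type/code; echo request is 8/0)."""
    proto = str(proto).lower()
    if proto in ICMP_PROTOS:
        if isinstance(dst_port, tuple):
            dst_field = f"{dst_port[0]}/{dst_port[1]}"
        else:
            dst_field = str(dst_port)
        if "/" not in dst_field:  # the quirk: '/' is mandatory for ICMP
            raise ValueError(
                f"ICMP dst_port must be 'xxx/yyy', got {dst_field!r}")
    else:
        dst_field = str(int(dst_port))  # plain L4 port for TCP/UDP
    return (f"diagnose firewall iprope lookup {src_ip} {src_port} "
            f"{dst_ip} {dst_field} {proto} {src_intf}")


# Shape of the line the command prints, as shown in the thread:
# <src [IP-port] dst [IP-port] proto X dev IFACE> matches policy id: N
RESULT_RE = re.compile(
    r"<src \[(?P<src>[^\]]+)\] dst \[(?P<dst>[^\]]+)\] proto (?P<proto>\S+) "
    r"dev (?P<dev>\S+)> matches policy id: (?P<policy>\d+)")


def parse_result(line):
    """Return a dict with src/dst/proto/dev/policy, or None on a failure
    line such as 'Command fail. Return code -16'."""
    m = RESULT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["policy"] = int(d["policy"])
    return d


def hits_expected_policy(output_line, expected_policy):
    """True only when the lookup matched exactly the policy we intended,
    which is the check worth running after every policy change."""
    r = parse_result(output_line)
    return r is not None and r["policy"] == expected_policy
```

Feed `build_lookup` the flows you care about (for example, ping and DNS from each client subnet), run the lines on the FortiGate, and pass each output line to `hits_expected_policy` to catch a flow that silently matches a broader policy than intended.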