find out what policy is going to be followed
Good morning,
I would like to know what to enter as dst_port and protocol to find the rule that allows my ping through, using the command:
diag firewall iprope lookup src_ip src_port dst_ip dst_port protocol Source interface
I have tried with "any" and "all_icmp" and it does not give an error but it does not give me the correct policy:
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35
Thank you very much.
Labels: FortiGate
you can even shorten that...quirks of a parser:
gate8 # diag firewall iprope lookup 192.168.234.4 0 8.8.8.8 / 1 internal
<src [192.168.234.4-0] dst [8.8.8.8-/] proto 1 dev internal> matches policy id: 56
Hey guys,
it took some digging, but I found something:
#dia firewall iprope lookup <source IP> 1234 <dst IP> 1/133 icmp <source interface>
-> this returns the correct policy for me.
I couldn't find WHY the iprope lookup command needs this exact syntax; I just found an example buried in some old internal documentation, but it does return the correct result, at least in my lab (on 7.0). The documentation I found was for a 6.0 setup, so I would assume that any firmware in between should also return a result.
Hi Guys,
Sometimes the GUI fails to perform a policy lookup when you select "ICMP ping request/ICMP ping reply" as the protocol. Then the CLI command below is very helpful for doing the policy lookup:
diagnose firewall iprope lookup <source IP> 1234 <dst IP> 1/133 icmp <source interface>
Based on my slightly more exhaustive test:
- In the case of "icmp" or protocol "1", the destination port field needs to be in "xxx/yyy" format; the '/' is necessary.
- For the protocol field you can use either the name or the number, as in the examples below.
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 1234 8.8.8.8 1/13 icmp internal2
<src [10.68.0.103-1234] dst [8.8.8.8-1/13] proto icmp dev internal2> matches policy id: 2
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 1234 8.8.8.8 113 icmp internal2
Command fail. Return code -16
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 12345 8.8.8.8 0/0 1 internal2
<src [10.68.0.103-12345] dst [8.8.8.8-0/0] proto 1 dev internal2> matches policy id: 2
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 12345 8.8.8.8 53 udp internal2
<src [10.68.0.103-12345] dst [8.8.8.8-53] proto udp dev internal2> matches policy id: 2
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 2
Edit:
The test above was not enough to prove that the protocol number is actually working, so I added a new policy 26 above policy 2 and then ran the tests below to prove it.
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 17 internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto 17 dev internal2> matches policy id: 26
xxxx-fg1 # diag firewall iprope lookup 10.68.0.103 55555 8.8.8.8 53 udp internal2
<src [10.68.0.103-55555] dst [8.8.8.8-53] proto udp dev internal2> matches policy id: 26
Toshi
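As an added example (not from the thread and not Fortinet code), the Python helper below encodes the syntax rules Toshi's tests establish: for ICMP (named "icmp" or numbered 1) the dst_port field must be written as "type/code" or the lookup fails with return code -16, while for other protocols it is an ordinary port number. It only builds the command line and parses the `matches policy id:` output; it does not talk to a FortiGate, so you would feed its output to your own SSH or console session. All function names are my own, and the sample output lines are copied from the thread, which is the only reason their values are known.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protocol spellings that trigger the "type/code" requirement (from the thread).
ICMP_NAMES = {"icmp", "1"}


def validate_dst_port(dst_port: str, protocol: str) -> bool:
    """True if dst_port is acceptable for this protocol under the thread's rules.

    ICMP: the field must contain '/', i.e. 'type/code' (echo request is 8/0;
    the thread shows the parser also accepts a bare '/'). Other protocols:
    a plain port number 0-65535.
    """
    dst = str(dst_port)
    if str(protocol).lower() in ICMP_NAMES:
        return "/" in dst
    return dst.isdigit() and 0 <= int(dst) <= 65535


def build_lookup_command(src_ip: str, src_port: int, dst_ip: str,
                         dst_port: str, protocol: str, src_intf: str) -> str:
    """Return one `diagnose firewall iprope lookup` line, refusing inputs
    that the FortiGate parser would reject (Command fail, return code -16)."""
    proto = str(protocol).lower()
    dst = str(dst_port)
    if not validate_dst_port(dst, proto):
        raise ValueError(
            f"dst_port {dst!r} is not valid for protocol {proto!r} "
            "(ICMP needs type/code, e.g. 8/0; others need a port number)")
    return (f"diagnose firewall iprope lookup "
            f"{src_ip} {src_port} {dst_ip} {dst} {proto} {src_intf}")


# Shape of the success line shown in the thread:
# <src [A-P] dst [B-Q] proto X dev IF> matches policy id: N
MATCH_RE = re.compile(
    r"<src \[(?P<src>[^\]]+)\] dst \[(?P<dst>[^\]]+)\] "
    r"proto (?P<proto>\S+) dev (?P<dev>\S+)> matches policy id: (?P<pid>\d+)")


@dataclass(frozen=True)
class LookupResult:
    src: str
    dst: str
    proto: str
    dev: str
    policy_id: int


def parse_lookup_output(output: str) -> Optional[LookupResult]:
    """Extract the matched policy from CLI output; None when there is no
    match line (for example the 'Command fail. Return code -16' response)."""
    m = MATCH_RE.search(output)
    if not m:
        return None
    return LookupResult(m["src"], m["dst"], m["proto"], m["dev"], int(m["pid"]))


def verify_policy(output: str, expected_id: int) -> bool:
    """True only if the lookup matched AND hit the policy you intended,
    which catches a ping being admitted by a broader rule than planned."""
    result = parse_lookup_output(output)
    return result is not None and result.policy_id == expected_id


# Sample outputs copied from the thread (not generated here).
SAMPLE_OK = ("<src [10.68.0.103-1234] dst [8.8.8.8-1/13] proto icmp dev internal2>"
             " matches policy id: 2")
SAMPLE_FAIL = "Command fail. Return code -16"


if __name__ == "__main__":
    print(build_lookup_command("10.68.0.103", 1234, "8.8.8.8", "8/0", "icmp", "internal2"))
    print(parse_lookup_output(SAMPLE_OK))
    print("intended policy hit:", verify_policy(SAMPLE_OK, 2))
```

The usual workflow is to generate one command per flow you care about (for example each ping source that should be allowed), run them on the firewall, and pass each output line through `verify_policy` with the policy ID you expect, so that a flow silently matched by a wider rule shows up as a failure rather than as "it works".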