Good morning,
I would like to know what to include as dst_port and protocol to find the rule
that allows me to pass the ping in the command:
diag firewall iprope lookup src_ip src_port dst_ip dst_port protocol Source interface
I have tried with "any" and "all_icmp" and it does not give an error but it does not give me the correct policy:
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35
Thank you very much.
You can even shorten that... quirks of a parser:
gate8 # diag firewall iprope lookup 192.168.234.4 0 8.8.8.8 / 1 internal
<src [192.168.234.4-0] dst [8.8.8.8-/] proto 1 dev internal> matches policy id: 56
Hello,
Please find the reference below.
FGT_A # diagnose firewall iprope lookup 10.234.3.55 0 1.1.1.1 53 17 port1
<src [10.234.3.55-0] dst [1.1.1.1-53] proto 17 dev port1> matches policy id: 4
FGT_A #
FGT_A # sh firewall policy 4
config firewall policy
edit 4
set name "Inside"
set uuid 94ad437a-8e6a-51ec-1fda-92296035bf7d
set srcintf "port1"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set nat enable
set comments " (Copy of Internet)"
next
end
FGT_A #
Thank you very much, but what you indicate shows me another rule by which I allow the DNS service but it does not show me the one I have with the ALL_ICMP service.
We also do have a GUI tool for policy lookup:
https://docs.fortinet.com/document/fortigate/6.2.10/cookbook/497952/policy-views-and-policy-lookup
This one works! Thank you very much, although I would also like it to work for me through CLI.
I'm still investigating.
Analyzing the policy types, it seems that these are the service codes:
For the service named ALL
service(1):
[0:0x0:0/(0.65535)->(0.65535)] helper:auto
0=all
For ALL_ICMP
service(1):
[1:0x0:0/(0.65535)->(0.65535)] helper:auto
1=ICMP
For HTTP
service(1):
[6:0x0:0/(1.65535)->(80.80)] helper:auto
6=TCP
For SNMP
service(1):
[17:0x0:0/(1,65535)->(161,162)] helper:auto
17=UDP
If I do it via GUI with Policy Lookup:
(Source Interface -> port36
Protocol -> ICMP ping request
Source -> 1.1.1.1
Destination -> 2.2.2.2)
It works fine showing me the rule where I let ping pass.
If I run "show" on that policy, it shows me:
Fortigate# show firewall policy XXXX
config firewall policy
edit XXXX
set uuid xxxxxxxxxxxxxxxxxxxxxxxxxxxx
set srcintf "port35"
set dstintf "port36"
set srcaddr "all"
set dstaddr "xxxxxxxxxxxxxxx"
set action accept
set schedule "always"
set service "ALL_ICMP"
set comments "xxxxxxxxxxxxxxxxxxxxx"
next
end
If I list it, the service it indicates is indeed "all_icmp":
policy index=XXXX uuid_idx=XXXX action=accept
flag (8010000): master pol_stats
flag2 (4000): resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 12 -> zone(1): 11
source(1): 0.0.0.0-255.255.255.255, uuid_idx=x,
dest(1): XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX, uuid_idx=x,
service(1):
[1:0x0:0/(0,65535)->(0,65535)] helper:auto
But I can't get it to point to the same policy when I run with cli:
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35 (result: another rule)
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 0 ALL_ICMP port36 (result: same wrong rule)
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 0 1 port36 (result: Command fail. Return code -16)
Any other expert?
ICMP is protocol 1 but it does not use ports. The various functions use a type ID inside the packet, for example 'ping request' is protocol 1, type 8.
It looks like the diag command does not cope with subtypes or portless protocols. You can make it work if you add "1:" as protocol, but I will take no responsibility for the result.
Interestingly only protocol#=1 doesn't seem to work, while 0, 2, 3, 4... show me a policy ID. Is this a bug? I'm running 6.4.8 on FG60E.
Toshi
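To make the service codes quoted in this thread easier to work with, here is a small added Python helper (my own example, not code from the thread or from Fortinet): it parses service entries in the [proto:0x0:0/(sport)->(dport)] form printed by "diag firewall iprope list", reports which services cover a given protocol and destination port, and builds the lookup command using the "1:" ICMP token. The sample service lines are the ones quoted above; the "1:" protocol token is an assumption taken from Toshi's report and is not otherwise verified here.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Service entry as printed by "diag firewall iprope list":
# [proto:0x0:0/(src_lo.src_hi)->(dst_lo.dst_hi)] helper:auto  ("." or "," inside ranges)
SERVICE_RE = re.compile(
    r"\[(?P<proto>\d+):0x[0-9a-fA-F]+:\d+/"
    r"\((?P<slo>\d+)[.,](?P<shi>\d+)\)->\((?P<dlo>\d+)[.,](?P<dhi>\d+)\)\]"
)

class ServiceEntry(NamedTuple):
    proto: int               # 0 = any protocol, 1 = ICMP, 6 = TCP, 17 = UDP
    sport: Tuple[int, int]   # inclusive source port range
    dport: Tuple[int, int]   # inclusive destination port range

# Constructed sample: the four service definitions quoted in the thread.
SAMPLE_SERVICES: Dict[str, str] = {
    "ALL":      "[0:0x0:0/(0.65535)->(0.65535)] helper:auto",
    "ALL_ICMP": "[1:0x0:0/(0.65535)->(0.65535)] helper:auto",
    "HTTP":     "[6:0x0:0/(1.65535)->(80.80)] helper:auto",
    "SNMP":     "[17:0x0:0/(1,65535)->(161,162)] helper:auto",
}

def parse_service_entry(line: str) -> ServiceEntry:
    """Parse one service line into (proto, source range, destination range)."""
    m = SERVICE_RE.search(line)
    if not m:
        raise ValueError(f"not a service entry: {line!r}")
    g = {k: int(v) for k, v in m.groupdict().items()}
    return ServiceEntry(g["proto"], (g["slo"], g["shi"]), (g["dlo"], g["dhi"]))

def entry_matches(entry: ServiceEntry, proto: int, dport: int) -> bool:
    """True if traffic (proto, dport) falls inside the service definition."""
    if entry.proto not in (0, proto):   # proto 0 in the policy means "all"
        return False
    if proto == 1:                       # ICMP has no ports: protocol alone decides
        return True
    return entry.dport[0] <= dport <= entry.dport[1]

def matching_services(proto: int, dport: int,
                      services: Dict[str, str] = SAMPLE_SERVICES) -> List[str]:
    """Names of all services whose definition covers (proto, dport)."""
    return [name for name, line in services.items()
            if entry_matches(parse_service_entry(line), proto, dport)]

def lookup_command(src_ip: str, dst_ip: str, proto: int, dport: int,
                   srcintf: str, sport: int = 0) -> str:
    """Build the CLI lookup line; ICMP uses the "1:" token reported in the thread (assumed)."""
    proto_tok = "1:" if proto == 1 else str(proto)
    return f"diag firewall iprope lookup {src_ip} {sport} {dst_ip} {dport} {proto_tok} {srcintf}"
```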