Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
boneyard
Valued Contributor

is it possible to better debug / determine policy choice?

had an issue recently where the choice of a policy made totally no sense for certain traffic.

 

i use diagnose debug flow and see pretty much no other useful information the the choice of policy ID.

 

is there something else i can do? it would be great if there is some extra option to actually list why the fortigate feels that traffic matches a certain policy.

6 REPLIES 6
emnoc
Esteemed Contributor III

Nope, the diag debug flow is the best thing for the fortigate fwpolicy-id diagnostic. It will show you what was matched, policyid,  route lookup, SNAT/DNAT, any other utm actions,etc......

 

It's probably the best thing out on the market outside the  checkpoint fw cmd  or cisoc asa packet-tracer.

 

So what problem are you actually seeing or the expect behavior?

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
boneyard
Valued Contributor

in this case it was DNS traffic from an unauthenticated source hitting a policy with group authentication (FSSO) and being allowed there, it took me a while to remember this is default behaviour.

 

anyone have a good public source for this btw? i can only find it in the NSE4 training material. the authentication admin guide only states you need to setup a separate DNS allow policy before any authentication policies.

 

so when i first noticed it i started investigating the fact if the IP wasn't somehow authenticated, why did the fortitgate believe it belonged to that group? diag debug flow is helpful in pointing out results, but not why they are made. i would love to see something that compares the packet to the policy and comes out with source: match, destination: match, authentication group: failed, but DNS so match.

 

would have saved quite some searching and having doubts about FSSO working correctly again.

 

and that is just one example, had something similar in the past where the policy choice didn't make sense until i noticed the service config was messed up. again if diag debug flow had shown a match on the service i would have been able to focus on that much quicker.

 

anyway, in the end both were solved, but i had hoped for a hidden extra flag

MikePruett
Valued Contributor

I think it is just one of those uniquely Fortinet things for "this is just how it works" lol.

 

I pulled my hair out a good bit on a deployment before I realized it.

Mike Pruett Fortinet GURU | Fortinet Training Videos
pyy
New Contributor III

Hi, Why you dont try diag sys session list with filter expressions?

 

example:

diag sys session filter src 192.168.1.5 diag sys session list the output will show to you the policy id that the traffic math

boneyard
Valued Contributor

does it help me in understanding why the traffic matches that policy id? i believe that session table doesn't show anything more.

emnoc
Esteemed Contributor III

The session table will show the policy-id when it's established. We restart the application and or traffic and monitor the session table but the diag debug flow is the best thing on planet earth imho.

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors