FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Description This article describes how to trace which firewall policy will match based on IP address, ports and protocol and the best route for it to use CLI commands
Solution Use the follwing command to trace a specific traffic on which firewall policy that it will be matching:
The FortiGate was configured with 2 specific firewall policies as below:
# show firewall policy # config firewall policy edit 1 set name "clientToServer" set uuid 06f1be4a-fb9f-51e9-ef16-dc4000a2a577 set srcintf "port2" set dstintf "port3" set srcaddr "all" set dstaddr "VIP1" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable set ippool enable set poolname "IPPool" next edit 2 set name "any-allow" set uuid 194f0af0-22f7-51ea-c381-c68f1572bea6 set srcintf "port2" set dstintf "port1" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL_TCP" set nat enable next end
Note that it is possible to trace the different matching of firewall policy with the different protocol. The first trace traffic is hitting implicit deny rule (policy id 0) as firewall policy id 2 will only be match for traffic with TCP protocol.
This command allows to easily trace the matching firewall policies even if there are long list of firewall policies configured.
Use the command as below to trace the best route for a specific traffic:
#get router info routing-table details <destination ip address>
Example:
# get router info routing-table details 8.8.8.8 Routing entry for 0.0.0.0/0 Known via "static", distance 10, metric 0, best * 10.47.3.254, via port1
