FortiProxy
FortiProxy provides enterprise-class protection against internet-borne threats and Advanced Web Content Caching
ojacinto
Staff
Article Id 281793
Description This article describes how to see the IPtables used on FortiProxy.
Scope FortiProxy v7.0.0 and v7.2.0 and later.
Solution

As in FortiOS, FortiProxy redirects traffic to the WAD process. However, FortiProxy has neither an 'iprope' option like the one in FortiOS nor a flow trace.

 

However, FortiProxy uses the IPtables function. These tables contain sets of rules, called chains, that filter incoming and outgoing data packets.

 

To see the IPtables on the FortiProxy, execute the following command on the CLI:

FortiProxy-VM02 # diagnose iptables list

 

For example:

 

FortiProxy-VM02 # diagnose iptables list
Chain INPUT  (policy DROP 446 packets, 35405 bytes)
pkts   bytes  target  prot  opt  in  out  source  destination
121    17154  ACCEPT  all   --   any any  anywhere anywhere    mark match 0x1/0x1
12044  9777K  ACCEPT  all   --   any any  anywhere anywhere    ctstate RELATED,ESTABLISHED
465    29359  ACCEPT  all   --   lo  any  anywhere anywhere
0      0      ACCEPT  all   --   tun-mgmt any anywhere anywhere
0      0      ACCEPT  tcp   --   any any  anywhere anywhere   multiport dports 541,7810,7802
0      0      ACCEPT  tcp   --   any any  anywhere 127.0.0.1 tcp dpt:8000
0      0      ACCEPT  tcp   --   any any  anywhere anywhere tcp dpt:8013
1      52     ACCEPT  tcp   --   port1 any anywhere 192.168.170.9 multiport dports 80,443,22
0      0      ACCEPT  icmp  --   port1 any anywhere 192.168.170.9 icmp echo-request
0      0      ACCEPT  udp   --   port2 any anywhere anywhere multiport dports 2048
0      0      ACCEPT  47    --   port2 any anywhere anywhere
0      0      ACCEPT icmp   --   port2 any anywhere 192.168.90.4 icmp echo-request
0      0      ACCEPT icmp   -- port3 any anywhere 192.168.30.12 icmp echo-request
0      0      ACCEPT tcp    -- port4 any anywhere 192.168.13.99 multiport dports 80,443,22
0      0      ACCEPT icmp   -- port4 any anywhere 192.168.13.99 icmp echo-request
...
0      0      ACCEPT tcp    -- ssl.root any anywhere 192.168.170.9 multiport dports 80,443,22
0      0      ACCEPT icmp   -- ssl.root any anywhere 192.168.170.9 icmp echo-request
0      0      ACCEPT icmp   -- ssl.root any anywhere 192.168.90.4 icmp echo-request
0      0      ACCEPT icmp   -- ssl.root any anywhere 192.168.30.12 icmp echo-request
0      0      ACCEPT tcp    -- ssl.root any anywhere 192.168.13.99 multiport dports 80,443,22
0      0      ACCEPT icmp   -- ssl.root any anywhere 192.168.13.99 icmp echo-request
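
As an added example (not part of the original article and not Fortinet code), the following Python script parses saved output of 'diagnose iptables list' and reports each chain's default policy and which ingress interfaces and destination addresses accept ports 22, 80 and 443, chosen because they appear in the listing above. The function names, the watched-port default and the SAMPLE text (rows copied from the output above) are assumptions made for illustration.

```python
import re

# Constructed sample: rows copied from the article's example output.
SAMPLE = """\
FortiProxy-VM02 # diagnose iptables list
Chain INPUT  (policy DROP 446 packets, 35405 bytes)
pkts   bytes  target  prot  opt  in  out  source  destination
12044  9777K  ACCEPT  all   --   any any  anywhere anywhere    ctstate RELATED,ESTABLISHED
0      0      ACCEPT  tcp   --   any any  anywhere 127.0.0.1 tcp dpt:8000
1      52     ACCEPT  tcp   --   port1 any anywhere 192.168.170.9 multiport dports 80,443,22
0      0      ACCEPT  icmp  --   port1 any anywhere 192.168.170.9 icmp echo-request
...
0      0      ACCEPT tcp    -- ssl.root any anywhere 192.168.170.9 multiport dports 80,443,22
"""

CHAIN_RE = re.compile(r"^Chain\s+(\S+)\s+\(policy\s+(\S+)")
COUNT_RE = re.compile(r"^\d+[KMGT]?$")          # counters may be abbreviated, e.g. 9777K
PORT_RE = re.compile(r"(?:dports\s+|dpt:)([\d,]+)")  # assumes numeric ports, as in the listing

def parse_listing(text):
    """Return (policies, rules) from saved 'diagnose iptables list' output."""
    policies, rules, chain = {}, [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, policies[m.group(1)] = m.group(1), m.group(2)
            continue
        f = line.split(None, 9)
        # Skip the prompt, column header, "..." and blank lines.
        if len(f) < 9 or not COUNT_RE.match(f[0]):
            continue
        pm = PORT_RE.search(f[9]) if len(f) > 9 else None
        ports = sorted(int(p) for p in pm.group(1).split(",") if p) if pm else []
        rules.append({"chain": chain, "pkts": f[0], "target": f[2], "prot": f[3],
                      "in": f[5], "dst": f[8], "ports": ports})
    return policies, rules

def exposed_ports(rules, watch=(22, 80, 443)):
    """(in-interface, destination, ports) for ACCEPT rules opening a watched port."""
    found = []
    for r in rules:
        hit = [p for p in r["ports"] if p in watch]
        if r["target"] == "ACCEPT" and hit:
            found.append((r["in"], r["dst"], hit))
    return found

if __name__ == "__main__":
    policies, rules = parse_listing(SAMPLE)
    print(policies)
    for row in exposed_ports(rules):
        print(row)
```

Comparing the result across two captures taken before and after a configuration change shows whether an interface gained or lost an accepted port.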

 

The following options are also available for IPtables on FortiProxy:

 

FortiProxy-VM02 # diagnose iptables
list               list iptables
list6              list ip6tables
dry-run            dump iptables rule
refresh            refresh iptables
shaper             refresh shaper profile
shaper-stats       print shaper stats
shaper-stats-gui   print GUI shaper stats
