Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nml
New Contributor II

find out what policy is going to be followed

Good morning,

I would like to know what to include as dst_port and protocol to find the rule
that allows me to pass the ping in the command:


diag firewall iprope lookup  src_ip  src_port  dst_ip  dst_port  protocol  Source interface


I have tried with "any" and "all_icmp" and it does not give an error but it does not give me the correct policy:


diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35


Thank you very much.

1 Solution
ede_pfau
Esteemed Contributor III

you can even shorten that...quirks of a parser:

gate8 # diag firewall iprope lookup 192.168.234.4 0 8.8.8.8 / 1 internal
<src [192.168.234.4-0] dst [8.8.8.8-/] proto 1 dev internal> matches policy id: 56

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"

View solution in original post

Ede"Kernel panic: Aiee, killing interrupt handler!"
13 REPLIES 13
Patterson
Staff
Staff

Hello, 

Please find the below reference.

 

FGT_A # diagnose firewall iprope lookup 10.234.3.55 0 1.1.1.1 53 17 port1
<src [10.234.3.55-0] dst [1.1.1.1-53] proto 17 dev port1> matches policy id: 4

FGT_A #
FGT_A #
FGT_A #
FGT_A # sh firewall policy 4
config firewall policy
edit 4
set name "Inside"
set uuid 94ad437a-8e6a-51ec-1fda-92296035bf7d
set srcintf "port1"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set inspection-mode proxy
set ssl-ssh-profile "deep-inspection"
set nat enable
set comments " (Copy of Internet)"
next
end

FGT_A #

Regards,
Patterson
nml
New Contributor II

Thank you very much, but what you indicate shows me another rule by which I allow the DNS service but it does not show me the one I have with the ALL_ICMP service.

aahmadzada
Staff
Staff
nml
New Contributor II

This one works! Thank you very much, although I would also like it to work for me through CLI.

nml
New Contributor II

Any other option to make it work through CLI?

nml
New Contributor II

I'm still investigating.

Analyzing the types of policies, It seems that these are the codes of the services:

 

For the service named ALL
service(1):
[0:0x0:0/(0.65535)->(0.65535)] helper:auto
0=all

 

for ALL_ICMP
service(1):
[1:0x0:0/(0.65535)->(0.65535)] helper:auto
1=ICMP

 

for HTTP
service(1):
[6:0x0:0/(1.65535)->(80.80)] helper:auto
6=TCP

 

for SNMP
service(1):
[17:0x0:0/(1,65535)->(161,162)] helper:auto
17=UDP

 

If I do it via GUI with Policy Lookup:

(Source Interface -> port36
Protocol -> ICMP ping request
Source -> 1.1.1.1
Destination -> 2.2.2.2)

It works fine showing me the rule where I let ping pass.

 

If I make a show of that policy, it shows me:

Fortigate# show firewall policy XXXX
config firewall policy
edit XXXX
set uuid xxxxxxxxxxxxxxxxxxxxxxxxxxxx
set srcintf "port35"
set dstintf "port36"
set srcaddr "all"
set dstaddr "xxxxxxxxxxxxxxx"
set action accept
set schedule "always"
set service "ALL_ICMP"
set comments "xxxxxxxxxxxxxxxxxxxxx"
next
end

 

If I list it, the service it indicates is indeed "all_icmp":

policy index=XXXX uuid_idx=XXXX action=accept
flag (8010000): master pol_stats
flag2 (4000): resolve_sso
flag3 (20):
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0 dd_type=0 dd_mode=0
zone(1): 12 -> zone(1): 11
source(1): 0.0.0.0-255.255.255.255, uuid_idx=x,
dest(1): XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX, uuid_idx=x,
service(1):
[1:0x0:0/(0,65535)->(0,65535)] helper:auto


But I can't get it to point to the same policy when I run with cli:

diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 any all_icmp port35 (result: another rule)
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 0 ALL_ICMP port36 (result: same wrong rule)
diag firewall iprope lookup 1.1.1.1 51778 2.2.2.2 0 1 port36 (result: Command fail. Return code -16)

 

any other expert?

ede_pfau
Esteemed Contributor III

ICMP is protocol 1 but it does not use ports. The various functions use a type ID inside the packet, for example 'ping request' is protocol 1, type 8.

It looks like the diag command does not cope with subtypes or portless protocols. You can make it work if you add "1:" as protocol, but I will take no responsability for the result.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
nml
New Contributor II

I have already tried it, and as soon as you enter "1" as protocol, it generates an error. (Command fail. Return code -16)

Toshi_Esumi
Esteemed Contributor III

Interestingly only protocol#=1 doesn't seem to work, while 0, 2, 3, 4... show me a policy ID. Is this a bug? I'm running 6.4.8 on FG60E.

 

Toshi

Labels
Top Kudoed Authors