How are the QOS/Firewall rules processed? How to verify them?
KB ARTICLE TYPE: Troubleshooting, configuration
RELATED PRODUCTS: MC1500, MC1550, MC3000, MC3200, MC4100, MC4200
RELATED SOFTWARE VERSIONS: 5.x
KEYWORDS: QoS, firewall, rules
During rule lookup the protocol field is compared first, which is why the Match check box on the protocol field should always be selected. Only after the protocol has matched are the source, source port, destination and destination port compared, and each of these fields is taken into account only if its own Match check box is selected.
Lookup stops at the first rule whose protocol, source and destination fields all match. Later rules are never evaluated, regardless of how specific they are.
For example:
The example configuration (shown in the illustration of the original article) contains three QoS rules between the subnets 172.16.10.x and 172.18.166.y, covering the ICMP and TCP protocols.
A ping from 172.18.x.x succeeds because it hits rule 13, the only rule that matches ICMP.
For TCP traffic there are two rules: rule 9, which drops all TCP traffic from 172.18.x.x to 172.16.x.x, and rule 15, a specific rule that permits HTTPS traffic between two particular hosts in those subnets.
When the client 172.18.166.12 initiates HTTPS traffic, it is dropped by rule 9: rule 9 is evaluated first, the protocol is TCP and the destination is a host in the subnet named in the rule, so the rule matches. Once a match is found no further lookup is performed, rule 15 is never reached, and all TCP traffic between the subnets, HTTPS included, is dropped.
The same can be verified from the firewall logs on the controller:
default# show syslog-file firewall
6 info ALR 05/23/2013 06:33:26 Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:443], rule id: 9, action: Drop. AP MAC Address : 00:0c:e6:0a:54:73
7 info ALR 05/23/2013 06:49:38 Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:0], rule id: 13, action: Forward. AP MAC Address : 00:0c:e6:0a:54:73
To get HTTPS traffic working between the subnets, the TCP rules have to be reordered so that the specific permit rule (15) is evaluated before the broad drop rule (9). After the reordering, the firewall log shows the same HTTPS flow being forwarded by rule 15:
default# show syslog-file firewall
17 info ALR 05/23/2013 07:55:03 Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:443], rule id: 15, action: Forward. AP MAC Address : 00:0c:e6:0a:64:ad
NOTE: If the proper Match check boxes are not selected, in particular the one on the protocol field, the results are ambiguous.
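As an added example (not controller code and not part of the original article), the following Python script simulates the first-match lookup described above and parses the "show syslog-file firewall" lines quoted above to confirm that the logged rule id and action agree with the simulated rule order. Assumptions made here: a field whose Match check box is cleared is treated as a wildcard, rules are evaluated in their configured order rather than by rule id, and the subnet boundaries (172.18.0.0/16, 172.16.0.0/16) and host addresses are reconstructed from the article's description. The script also shows the ambiguous case from the NOTE by clearing the protocol Match box on rule 9, which then swallows the ping that rule 13 was meant to forward.

```python
"""First-match QoS/firewall lookup simulation plus firewall-log parser.
Example code written for this article, not the controller's implementation.
Assumed semantics: Match box cleared => field ignored (wildcard); rules are
evaluated in configured order; no default action is modelled for no-match.
"""
import ipaddress
import re
from dataclasses import dataclass

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Flow:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "Forward" or "Drop", spelled as in the firewall log
    proto: int
    src: str             # CIDR network
    dst: str             # CIDR network
    src_port: int = 0
    dst_port: int = 0
    # One Match check box per field (assumption: cleared => wildcard).
    match_proto: bool = True
    match_src: bool = True
    match_dst: bool = True
    match_src_port: bool = False
    match_dst_port: bool = False

    def matches(self, f: Flow) -> bool:
        # Protocol is compared first; with match_proto cleared a TCP rule
        # also applies to ICMP/UDP flows (the "ambiguous results" case).
        if self.match_proto and self.proto != f.proto:
            return False
        if self.match_src and ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.match_dst and ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.match_src_port and self.src_port != f.src_port:
            return False
        if self.match_dst_port and self.dst_port != f.dst_port:
            return False
        return True


def lookup(rules, f: Flow):
    """First match wins: return (rule_id, action) of the first matching rule, else None."""
    for r in rules:
        if r.matches(f):
            return (r.rule_id, r.action)
    return None


# The article's three rules, reconstructed from its description (subnet masks assumed).
RULE_9 = Rule(9, "Drop", PROTO["tcp"], "172.18.0.0/16", "172.16.0.0/16")
RULE_13 = Rule(13, "Forward", PROTO["icmp"], "172.18.0.0/16", "172.16.0.0/16")
RULE_15 = Rule(15, "Forward", PROTO["tcp"], "172.18.166.12/32", "172.16.10.60/32",
               dst_port=443, match_dst_port=True)
# Rule 9 with the protocol Match box cleared: the ambiguous configuration.
RULE_9_NO_PROTO_MATCH = Rule(9, "Drop", PROTO["tcp"], "172.18.0.0/16", "172.16.0.0/16",
                             match_proto=False)

ORIGINAL_ORDER = [RULE_9, RULE_13, RULE_15]   # broad TCP drop first: HTTPS never reaches 15
FIXED_ORDER = [RULE_15, RULE_9, RULE_13]      # specific permit first: HTTPS forwarded by 15
AMBIGUOUS_ORDER = [RULE_9_NO_PROTO_MATCH, RULE_13, RULE_15]

PING = Flow(PROTO["icmp"], "172.18.166.12", "172.16.10.60")
HTTPS = Flow(PROTO["tcp"], "172.18.166.12", "172.16.10.60", 51000, 443)
HTTP = Flow(PROTO["tcp"], "172.18.166.12", "172.16.10.60", 51001, 80)

# Log lines copied from the article's "show syslog-file firewall" output.
BEFORE_LOG = """\
6 info ALR 05/23/2013 06:33:26 Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:443], rule id: 9, action: Drop. AP MAC Address : 00:0c:e6:0a:54:73
7 info ALR 05/23/2013 06:49:38 Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:0], rule id: 13, action: Forward. AP MAC Address : 00:0c:e6:0a:54:73
"""
AFTER_LOG = """\
17 info ALR 05/23/2013 07:55:03 Network Traffic, Flow of Traffic MAC: 00:1f:3c:d1:36:8c->MAC: 00:90:0b:1b:02:69 src_ip:172.18.166.12->dst_ip:172.16.10.60:[dst_port:443], rule id: 15, action: Forward. AP MAC Address : 00:0c:e6:0a:64:ad
"""

LOG_RE = re.compile(
    r"src_ip:(?P<src>[\d.]+)->dst_ip:(?P<dst>[\d.]+):\[dst_port:(?P<dport>\d+)\], "
    r"rule id: (?P<rule>\d+), action: (?P<action>\w+)"
)


def parse_firewall_log(text: str):
    """Return (src_ip, dst_ip, dst_port, rule_id, action) for each flow line in the log."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m["src"], m["dst"], int(m["dport"]), int(m["rule"]), m["action"]))
    return out


def log_agrees_with_rules(rules, entry, proto: int) -> bool:
    """Replay a logged flow through the simulated order; the log omits the protocol, so pass it."""
    src, dst, dport, rule_id, action = entry
    return lookup(rules, Flow(proto, src, dst, dst_port=dport)) == (rule_id, action)


if __name__ == "__main__":
    for name, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER), ("ambiguous", AMBIGUOUS_ORDER)):
        print(name, "ping:", lookup(order, PING), "https:", lookup(order, HTTPS), "http:", lookup(order, HTTP))
    for e in parse_firewall_log(BEFORE_LOG) + parse_firewall_log(AFTER_LOG):
        print("logged", e)
```

Running the script prints the simulated decision for each order; the ambiguous order shows the ping being dropped by rule 9 even though rule 13 exists, which is exactly the symptom the NOTE warns about. When verifying on a real controller, compare the "rule id" and "action" fields of each logged flow with the rule you expected to hit, and if a broader rule appears in the log instead, reorder or tighten the Match boxes rather than adding yet another rule below it.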
Copyright 2024 Fortinet, Inc. All Rights Reserved.