Created on 05-09-2020 01:57 AM Edited on 11-22-2023 02:56 AM By Jean-Philippe_P
Description
This article describes the CLI command used to perform a policy lookup of pass-through traffic.
Scope
FortiGate.
Solution
The syntax of the policy lookup command is as follows:
diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <Incoming_interface>
For example, to check DNS traffic (UDP, protocol 17, destination port 53) from source 172.31.192.56 to 8.8.8.8 arriving on port3, the command is as follows:
diagnose firewall iprope lookup 172.31.192.56 0 8.8.8.8 53 17 port3
<src [172.31.192.56-0] dst [8.8.8.8-53] proto 17 dev port3> matches policy id: 1
To check HTTPS traffic (TCP, protocol 6, destination port 443) from source 172.31.192.56 to 208.91.113.45 arriving on port3, the command is as follows:
diagnose firewall iprope lookup 172.31.192.56 0 208.91.113.45 443 6 port3
<src [172.31.192.56-0] dst [208.91.113.45-443] proto 6 dev port3> matches policy id: 1
The protocol ID for TCP is 6 and the ID for UDP is 17. A source port of 0 matches any source port, which is the usual choice since client source ports are ephemeral.
Iprope lookup for ICMP:
The command to check the ICMP traffic from source 10.12.244.210 to 208.91.113.45 is as follows:
diagnose firewall iprope lookup 10.12.244.210 0 208.91.113.45 0 1/ Root_to_GI1
<src [10.12.244.210-0] dst [1.1.1.1-0] proto 1/ dev Root_to_GI1> matches policy id: 1
Below is the output when no policy matches ICMP traffic from source 10.12.244.210 to destination 208.91.113.45. A result of policy id 0 means no firewall policy was matched, so the traffic would be dropped by the implicit deny policy:
diagnose firewall iprope lookup 10.12.244.210 0 208.91.113.45 0 1/ port1
<src [1.1.1.1-222] dst [2.2.2.2-2222] proto 1/ dev port1> matches policy id: 0
Note: Before executing the policy lookup, confirm that the relevant routes for the source and destination are present in the routing table; the lookup fails otherwise.
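The following is an added example, not code from the article or from Fortinet. It builds lookup commands in the syntax described above from a list of flows and parses the "matches policy id: N" output lines, treating policy id 0 as "no policy matched", so that a batch of expected-allowed flows can be checked and any that fall to the implicit deny are listed. The Flow class, the function names and the sample output lines are constructed for this example; the sample lines are modelled on the article's output format, not captured from a device. Protocol names are mapped to the numbers the article gives (TCP 6, UDP 17) and ICMP to the IANA number 1; because the article's ICMP examples pass "1/" in the protocol field, the builder also accepts a raw protocol string and passes it through verbatim.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol numbers used in the article (TCP 6, UDP 17); ICMP = 1 is the IANA number (assumption).
PROTO_NUMBERS = {"tcp": "6", "udp": "17", "icmp": "1"}


@dataclass(frozen=True)
class Flow:
    """One pass-through flow to look up (constructed helper type, not a FortiOS concept)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str        # "tcp", "udp", "icmp", or a raw protocol field such as "1/"
    ingress: str      # incoming interface name, e.g. "port3"
    src_port: int = 0  # 0 = any source port, as in the article's examples


def build_lookup_command(flow: Flow) -> str:
    """Render the 'diagnose firewall iprope lookup' line for a flow."""
    proto_field = PROTO_NUMBERS.get(flow.proto.lower(), flow.proto)
    return (
        f"diagnose firewall iprope lookup {flow.src_ip} {flow.src_port} "
        f"{flow.dst_ip} {flow.dst_port} {proto_field} {flow.ingress}"
    )


# Output format shown in the article:
# <src [172.31.192.56-0] dst [8.8.8.8-53] proto 17 dev port3> matches policy id: 1
_RESULT_RE = re.compile(
    r"<src \[(?P<src_ip>[^\]-]+)-(?P<src_port>\d+)\] "
    r"dst \[(?P<dst_ip>[^\]-]+)-(?P<dst_port>\d+)\] "
    r"proto (?P<proto>\S+) dev (?P<dev>\S+)> matches policy id: (?P<policy_id>\d+)"
)


@dataclass(frozen=True)
class LookupResult:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    dev: str
    policy_id: int

    @property
    def matched(self) -> bool:
        # Policy id 0 means no policy matched: the traffic hits the implicit deny.
        return self.policy_id != 0


def parse_lookup_output(line: str) -> Optional[LookupResult]:
    """Parse one result line; return None for lines that are not lookup results."""
    m = _RESULT_RE.search(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return LookupResult(
        g["src_ip"], int(g["src_port"]), g["dst_ip"], int(g["dst_port"]),
        g["proto"], g["dev"], int(g["policy_id"]),
    )


def unmatched_flows(output: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, dst_port, proto, dev) for every result that matched no policy."""
    hits = []
    for line in output.splitlines():
        r = parse_lookup_output(line)
        if r is not None and not r.matched:
            hits.append((r.src_ip, r.dst_ip, r.dst_port, r.proto, r.dev))
    return hits


# Constructed sample output in the article's format (not captured from a device).
SAMPLE_OUTPUT = """\
<src [172.31.192.56-0] dst [8.8.8.8-53] proto 17 dev port3> matches policy id: 1
<src [172.31.192.56-0] dst [208.91.113.45-443] proto 6 dev port3> matches policy id: 1
<src [10.12.244.210-0] dst [208.91.113.45-0] proto 1/ dev port1> matches policy id: 0
"""

if __name__ == "__main__":
    flows = [
        Flow("172.31.192.56", "8.8.8.8", 53, "udp", "port3"),
        Flow("172.31.192.56", "208.91.113.45", 443, "tcp", "port3"),
        Flow("10.12.244.210", "208.91.113.45", 0, "1/", "port1"),
    ]
    for f in flows:
        print(build_lookup_command(f))
    for hit in unmatched_flows(SAMPLE_OUTPUT):
        print("no policy (implicit deny):", hit)
```

The commands printed are meant to be pasted into the FortiGate CLI (after confirming the routes exist, per the note above); the parser is then run over the captured output, and any flow reported with policy id 0 is one you expected to be allowed but that currently has no matching policy.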
Copyright 2024 Fortinet, Inc. All Rights Reserved.