FortiGate
nithincs
Staff
Article Id 195435

Description

 

This article describes the CLI command used to perform a policy lookup of pass-through traffic.

 

Scope

 

FortiGate.

Solution

 

The syntax of the policy lookup command is as follows:

 

diagnose firewall iprope lookup <src ip> <src port> <dst ip> <dst port> <protocol> <Incoming_interface>

 

For example, to check the DNS traffic from source 172.31.192.56 to 8.8.8.8, the command is as follows:

 

diagnose firewall iprope lookup 172.31.192.56 0 8.8.8.8 53 17 port3
<src [172.31.192.56-0] dst [8.8.8.8-53] proto 17 dev port3> matches policy id: 1

 

To check the HTTPS traffic from source 172.31.192.56 to 208.91.113.45, the command is as follows:

 

diagnose firewall iprope lookup 172.31.192.56 0 208.91.113.45 443 6 port3
<src [172.31.192.56-0] dst [208.91.113.45-443] proto 6 dev port3> matches policy id: 1

 

The protocol ID for TCP is 6 and the ID for UDP is 17.

 

Iprope lookup for ICMP.

 

The command to check the ICMP traffic from source 10.12.244.210 to 208.91.113.45 is as follows:

 

diagnose firewall iprope lookup 10.12.244.210 0 208.91.113.45 0 1/ Root_to_GI1
<src [10.12.244.210-0] dst [1.1.1.1-0] proto 1/ dev Root_to_GI1> matches policy id: 1

 

Below is the output when there is no policy matched for ICMP from source 10.12.244.210 to destination 208.91.113.45:


diagnose firewall iprope lookup 10.12.244.210 0 208.91.113.45 0 1/ port1
<src [1.1.1.1-222] dst [2.2.2.2-2222] proto 1/ dev port1> matches policy id: 0

 

Note: Before running the policy lookup, confirm that the relevant routes are present in the routing table, as the lookup will otherwise fail.
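As an added example (not from this article or from Fortinet), the following Python helper builds the lookup command for a given flow and parses result lines in the format shown above, so a list of expected flows can be audited and any flow that resolves to policy id 0 (no matching policy) is flagged. The Flow type, the function names and the constructed output lines are assumptions for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Protocol numbers used in the article: ICMP=1, TCP=6, UDP=17.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str      # "tcp", "udp" or "icmp"
    intf: str       # incoming interface name
    sport: int = 0  # 0 = any source port, as in the article's examples


def build_lookup_command(flow: Flow) -> str:
    """Render the 'diagnose firewall iprope lookup' command for one flow.

    ICMP is rendered as '1/' with destination port 0, matching the article.
    """
    proto = flow.proto.lower()
    if proto not in PROTO_NUMBERS:
        raise ValueError(f"unsupported protocol: {flow.proto}")
    if proto == "icmp":
        proto_field, dport = "1/", 0
    else:
        proto_field, dport = str(PROTO_NUMBERS[proto]), flow.dport
    return (f"diagnose firewall iprope lookup {flow.src} {flow.sport} "
            f"{flow.dst} {dport} {proto_field} {flow.intf}")


# Result line format shown in the article:
# <src [A-P] dst [B-Q] proto N dev IF> matches policy id: ID
_RESULT_RE = re.compile(
    r"<src \[(?P<src>[^\]]+?)-(?P<sport>\d+)\] "
    r"dst \[(?P<dst>[^\]]+?)-(?P<dport>\d+)\] "
    r"proto (?P<proto>\S+) dev (?P<dev>\S+)> matches policy id: (?P<pid>\d+)"
)


def parse_lookup_result(line: str) -> Optional[int]:
    """Return the matched policy id, or None if the line is not a result line."""
    m = _RESULT_RE.search(line)
    return int(m.group("pid")) if m else None


def unmatched_flows(flows: List[Flow], outputs: List[str]) -> List[Flow]:
    """Pair each flow with its lookup output; return flows with policy id 0."""
    return [f for f, out in zip(flows, outputs) if parse_lookup_result(out) == 0]
```

Feed `outputs` with the lines returned by the device for each generated command (constructed lines are used in the test here), and review every flow reported by `unmatched_flows` against the intended policy set.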