FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
simonz_FTNT
Staff
Article Id 192222

Description


This article describes how to check which policy traffic is matching when a FortiGate runs in NGFW policy-based operation mode.

 

Scope

 

FortiGate.

Solution


In policy-based mode the firewall policy is split into two sections. The section names and the CLI tables that hold them depend on the FortiOS version:

FOS version      | Native policy                                                              | Application control policy
7.0 & 6.4        | SSL Inspection & Authentication (CLI: config firewall policy)              | Security Policy (CLI: config firewall security-policy)
6.2.3 and above  | SSL Inspection & Authentication (CLI: config firewall consolidated policy) | Security Policy (CLI: config firewall security-policy)
Below 6.2.3      | Firewall Policy (CLI: config firewall consolidated policy)                 | Security Policy (CLI: config firewall security-policy)


Because the policy is split into two sections, the debug flow used to check which policy traffic hits (refer to FD30038 for the commands) only shows the match against the policy defined in the native section. The Security Policy is evaluated by the IPS engine, so debugging it requires the IPS PME debug below.

To start the debug:

 

diagnose ips pme debug enable
diagnose debug enable

 

To stop the debug:

 

diagnose debug disable
diagnose ips pme debug disable

 

** Note.
A BPF filter can be applied to the PME debug so that only the traffic of interest is shown, for example:

diagnose ips filter set "host 10.10.1.1 and port 443"

 

These debugs add CPU load and can be very verbose on a busy unit, so run them with caution, preferably during a low-traffic period, and disable them as soon as the output has been collected.

The debug above is only needed for a deeper investigation of why traffic is not hitting the expected policy. For a quick view of which policies a session matched, the session list is enough: filter on the traffic with 'diagnose sys session filter src <ip>' / 'diagnose sys session filter dst <ip>' (and 'dport <port>' if needed) and then run 'diagnose sys session list'.
The example below shows SSH traffic from host 10.101.0.2 to destination 10.56.255.7. The field policy_id=2 shows the firewall policy that matched, and the field ngfwid=2 shows the security policy that matched.

 

session info: proto=6 proto_state=11 duration=3 expire=29 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr npu
statistic(bytes/packets/allow_err): org=160/3/1 reply=131/2/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->16/16->9 gwy=10.56.243.254/10.101.0.2
hook=post dir=org act=snat 10.101.0.2:50338->10.56.255.7:22(10.56.242.52:50338)
hook=pre dir=reply act=dnat 10.56.255.7:22->10.56.242.52:50338(10.101.0.2:50338)
hook=post dir=reply act=noop 10.56.255.7:22->10.101.0.2:50338(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001540 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=2
npu_state=0x003c08
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=75/75, ipid=132/146, vlan=0x0000/0x0000
vlifid=132/146, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=10/11
no_ofld_reason:  block-by-ips redir-to-ips

 

The last line of the session, no_ofld_reason: block-by-ips redir-to-ips, lists why the session is not offloaded to the NPU (offload=0/0 in the npu info line): the IPS engine holds the session so that it can inspect it and enforce the security policy. This does not by itself mean the traffic was dropped; proto_state=11 indicates an established TCP session with packets seen in both directions (org=160/3, reply=131/2). If the session had been blocked, it would be visible in the IPS PME debug described above rather than in this field.
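When many sessions have to be checked, reading policy_id and ngfwid out of the raw dump by hand becomes error-prone. The script below is an added example, not code from the article or from Fortinet: it parses saved 'diagnose sys session list' output, lets you filter it the way 'diagnose sys session filter' would, and reports for each session the firewall policy (policy_id), the security policy (ngfwid), the TCP state and the reason it is not NPU-offloaded. The sample input is constructed: the first entry is the session dump quoted in the article, the second is an abbreviated made-up UDP entry so the filter has something to exclude. The parser assumes IPv4 tuples and the field names visible in the article's dump.

```python
"""Parse FortiGate `diagnose sys session list` output and report, per session,
the firewall policy (policy_id) and security policy (ngfwid) it matched.
Added example; not part of the original article."""
import re

# Constructed sample input. First entry: the session quoted in the article
# (SSH 10.101.0.2 -> 10.56.255.7). Second entry: abbreviated, made-up UDP/DNS
# session used only to exercise the filter.
SAMPLE_SESSION_LIST = """\
session info: proto=6 proto_state=11 duration=3 expire=29 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nb ndr npu
statistic(bytes/packets/allow_err): org=160/3/1 reply=131/2/1 tuples=3
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=9->16/16->9 gwy=10.56.243.254/10.101.0.2
hook=post dir=org act=snat 10.101.0.2:50338->10.56.255.7:22(10.56.242.52:50338)
hook=pre dir=reply act=dnat 10.56.255.7:22->10.56.242.52:50338(10.101.0.2:50338)
hook=post dir=reply act=noop 10.56.255.7:22->10.101.0.2:50338(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=00001540 tos=ff/ff app_list=0 app=0 url_cat=0
sdwan_mbr_seq=0 sdwan_service_id=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=2
npu_state=0x003c08
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=75/75, ipid=132/146, vlan=0x0000/0x0000
vlifid=132/146, vtag_in=0x0000/0x0000 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=10/11
no_ofld_reason:  block-by-ips redir-to-ips

session info: proto=17 proto_state=01 duration=5 expire=175 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.101.0.3:51001->10.56.255.53:53(10.56.242.52:51001)
hook=pre dir=reply act=dnat 10.56.255.53:53->10.56.242.52:51001(10.101.0.3:51001)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
rpdb_link_id=00000000 rpdb_svc_id=0 ngfwid=3
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=75/75, ipid=132/146, vlan=0x0000/0x0000
"""

KV_RE = re.compile(r"(\w+)=([^\s,]+)")  # key=value tokens; values end at space or comma
# Original-direction tuple on the "hook=... dir=org" line (IPv4 only, assumption).
ORG_TUPLE_RE = re.compile(r"dir=org act=\w+ (\S+?):(\d+)->(\S+?):(\d+)")
IPS_HOLD_REASONS = {"block-by-ips", "redir-to-ips"}  # IPS keeps the session off the NPU


def parse_session_list(text):
    """Split the dump on 'session info:' lines and collect each entry's fields."""
    sessions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            current = {"fields": {}, "no_ofld_reason": []}
            sessions.append(current)
        if current is None or not line:
            continue
        if line.startswith("no_ofld_reason:"):
            current["no_ofld_reason"] = line.split(":", 1)[1].split()
            continue
        tuple_match = ORG_TUPLE_RE.search(line)
        if tuple_match:
            current["src"] = tuple_match.group(1)
            current["sport"] = int(tuple_match.group(2))
            current["dst"] = tuple_match.group(3)
            current["dport"] = int(tuple_match.group(4))
        for key, value in KV_RE.findall(line):
            current["fields"].setdefault(key, value)  # keep first occurrence (hook=/dir= repeat)
    return sessions


def policy_match(session):
    """Reduce a parsed session to the fields that answer 'which policies did it hit?'."""
    f = session["fields"]
    reasons = session["no_ofld_reason"]
    return {
        "src": session.get("src"), "dst": session.get("dst"), "dport": session.get("dport"),
        "proto": int(f.get("proto", "0")),
        "proto_state": f.get("proto_state"),  # '11' = established TCP session
        "policy_id": int(f["policy_id"]) if "policy_id" in f else None,  # firewall (native) policy
        "ngfwid": int(f["ngfwid"]) if "ngfwid" in f else None,  # security policy, enforced by IPS
        "npu_offloaded": f.get("offload", "0/0") != "0/0",
        "no_ofld_reason": reasons,
        "ips_holds_session": bool(IPS_HOLD_REASONS.intersection(reasons)),
    }


def find_sessions(sessions, src=None, dst=None, dport=None):
    """Offline equivalent of 'diagnose sys session filter src/dst/dport'."""
    return [s for s in sessions
            if (src is None or s.get("src") == src)
            and (dst is None or s.get("dst") == dst)
            and (dport is None or s.get("dport") == dport)]


def summarize(session):
    """One-line report of the policy match for a session."""
    m = policy_match(session)
    offload = "offloaded" if m["npu_offloaded"] else "not offloaded (%s)" % " ".join(m["no_ofld_reason"])
    return "%s -> %s:%s proto=%s state=%s policy_id=%s ngfwid=%s %s" % (
        m["src"], m["dst"], m["dport"], m["proto"], m["proto_state"],
        m["policy_id"], m["ngfwid"], offload)


if __name__ == "__main__":
    for s in find_sessions(parse_session_list(SAMPLE_SESSION_LIST), src="10.101.0.2", dport=22):
        print(summarize(s))
```

The script keeps the first value of any repeated key, so the hook=/dir=/act= tokens that repeat per direction do not clobber the original-direction tuple, and the no_ofld_reason line is handled separately because it is the only line in the dump that is not key=value. A session with ips_holds_session set to True is one that the IPS engine is inspecting on behalf of the security policy, which is exactly the case where the PME debug above becomes relevant.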