source and destination interfaces
source and destination address
service
schedule
and finally we execute the action
Basically, the order in which the policy fields are shown in the WebGUI display or CLI is the matching order.
Also, multiple policies are matched top to bottom until one of two things happens:
1> it's matched and the corresponding action takes place (drop/accept/encrypt/etc.) and any security profiles or traffic shapers are applied
or
2> nothing matches and the traffic is dropped
Always place the most specific policies 1st and broader policies last. I always try to get in the habit of placing VPN policies above everybody else.
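To make the top-to-bottom, first-match behaviour concrete, here is a small added simulation (my own example, not FortiOS code): a policy table is walked in order, each policy is checked on interfaces, addresses, service and schedule, the first hit wins, and a table with no hit ends in the drop described above. The policy fields, subnets and packet are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Policy:
    """One firewall policy; fields are checked in the order the post lists:
    interfaces, then addresses, then service, then schedule."""
    policyid: int
    srcintf: str
    dstintf: str
    srcaddr: str            # CIDR or "all"
    dstaddr: str            # CIDR or "all"
    service: set            # set of "proto/port" strings, or {"ALL"}
    action: str             # "accept" or "deny"
    schedule_active: bool = True
    status: bool = True     # a disabled policy is skipped (item 4 below)

def _addr_match(cidr, ip):
    return cidr == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def match_policy(policies, pkt):
    """Walk the table top to bottom and return (policyid, action) of the first
    match, or (None, "deny") when nothing matched (the drop at the bottom)."""
    for p in policies:
        if not p.status or not p.schedule_active:
            continue
        if p.srcintf not in (pkt["srcintf"], "any"):
            continue
        if p.dstintf not in (pkt["dstintf"], "any"):
            continue
        if not _addr_match(p.srcaddr, pkt["src"]) or not _addr_match(p.dstaddr, pkt["dst"]):
            continue
        if "ALL" not in p.service and f"{pkt['proto']}/{pkt['dport']}" not in p.service:
            continue
        return p.policyid, p.action
    return None, "deny"

# Constructed sample table: a broad "internal -> wan1 allow all" policy and a
# narrower "deny RDP from the 10.10.20.0/24 subnet" policy.
BROAD = Policy(1, "internal", "wan1", "all", "all", {"ALL"}, "accept")
SPECIFIC = Policy(2, "internal", "wan1", "10.10.20.0/24", "all", {"tcp/3389"}, "deny")
PKT = {"srcintf": "internal", "dstintf": "wan1", "src": "10.10.20.7",
       "dst": "203.0.113.5", "proto": "tcp", "dport": 3389}

def demo():
    wrong = match_policy([BROAD, SPECIFIC], PKT)      # broad first: RDP accepted by policy 1
    right = match_policy([SPECIFIC, BROAD], PKT)      # specific first: denied by policy 2
    nomatch = match_policy([SPECIFIC, BROAD], dict(PKT, dstintf="dmz"))  # nothing matches
    return wrong, right, nomatch
```

The same packet is accepted or denied purely on ordering, which is why the specific policy has to sit above the broad one.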
Here's a typical policy with #s indicating the matching order. I left out the user identity stuff.
or via CLI
Keep the following in mind when troubleshooting firewall policies:
1: RPF checks, if applied, come 1st
2: next, any route lookup/decision comes (can't do anything till we know where the packet is destined)
3: diag debug flow is your friend (learn how to use it)
http://socpuppet.blogspot.com/2013/03/flow-diagnostic-fortigate.html
4: the policy must be active in order for it to work (well, duh, but easily missed)
5: the ordering of the policies is very crucial
6: the traffic has to reach the firewall in order to be processed (well, again a big duh, but if you have no sessions and no drops in the logs, with logging enabled, then you can assume the packet never made it to you)
The diag sniffer packet command is your next best friend.
I hope this post comes in handy for flow diagnostics.
Ken Felix
Security and Network Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( - - )=
o
/ \