policy

Fortigate Firewall Policy Debug Procedures

Using diagnose debug flow to show traffic hitting a policy

You can use the diagnose debug flow command to show packet flow through the FortiGate unit. As packets are received, you can view debug messages that show how the FortiGate unit processes them. The following command sequence displays packet flow for packets with IP address 10.10.20.30.
The output below is an excerpt of actual command output and shows what happens after one packet is received:

Cisco IOS Policy Routing 2 ISPs on router

interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.100
 description VoIP VLAN stub
 encapsulation dot1Q 100
 ip address 10.0.100.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/0.110
 description RT VLAN stub
 encapsulation dot1Q 110
 ip address 10.0.110.1 255.255.255.0
 no ip proxy-arp
 ip policy route-map RT-out
!
interface GigabitEthernet0/0.120
 description TCI VLAN stub
 encapsulation dot1Q 120
 ip address 10.0.120.1 255.255.255.0
 no ip proxy-arp