Fortigate Firewall Packet Flow - in depth for troubleshoot
HTML-код
- Опубликовано: 9 июл 2024
- ========================fortigate firewall packet flow.=================
Fortigate firewall architecture
CP8 & NP6
Hardware acceleration
dirty flag, may dirty flags
IPS
Life of a session
I know its always “Life of a packet” when any vendor explain the packet flow of firewall, but I don’t agree with this sentence as this can create miss understanding which I will explain in this article. as per me the topic name should be Life of a session.
Why ? To explain this lets take a simple example of HTTPs traffic only.
Because when you type www.tekguru4u.com in the browser then its not only syn packet that goes from your PC and get inspected via Firewall but lot of packets get exchanged before you see the web-page. so how it can be "Life of a packet"? Either "Life of packets " but that doesn't make sense because packets can also be from another website request.
1. DNS Query
2. Complete 3-way handshake.
3. Complete SSL Handshake and then
4. HTTP requests. where lot of HTTP packets will be exchanged
5. and if in the same website you change the application then packet will be checked for "Change of application " Like in tunneled application.
You have seen how many packets get exchanged from one session. And every packet has different packet flow.
1. 1st packet of session is DNS packet and its treated differently than other packets.
2. After that 3 way handshake starts.
3. First packet of 3 way handshake does not get offloaded and it has to travel from all the inspection modes.
4. Rest packets of 3 way handshake will get offloaded.
5. Another great point to know is that complete three way handshake does not need to match with the Layer-7 inspection (UTM) because it works upto L4. but fortigate in its logs you can see that packet is passed through Layer-7 inspection. which does not make sense. But nothing is matched here.
6. for inspecting a packet at Layer-7 at-least small amount of data is required after 3-way handshake. http get request
What a great explanation of Packet Flow. Loved it.
Thank you.
Bro! You just saved me a good deal of time as I've been pondering why my custom signatures were not working like how so many people described on the web. Well with your indepth explanation, you made it so clear and gave me a vision and long story short, because the IPS doesn't kick in until after the session is added to the session table, other things could be blocking my packet before it hit the IPS. Which was the case. As soon as I create a policy and put it above all the others and pretty much made it wide open to test, bingo! I can't thank you enough for the work you did, this was wonderful.
spread the words🤗
Great video.
The main reason, why routing has to be done before the FW policy is, that the routing determines the involved interfaces, especially the egress interface which is key to determine the matching policy as we have the incoming (ingress) and outgoing (egress) interfaces, which are mandatory elements for a FW policy.
This shows, that routing is key, also in terms of firewall policies.
It's a good rule of thumb: "Always check the routing first" when dealing with weird firewall behaviors.
perfect
subscribe and share to support this channel
Much appreciated, greetings from Vienna
Brother, I always like your Video.No one should dislike it as far as Networking is concerned.
Great content!!
Thanks sir, i was trying to understand fortigate packet flow from fortigate page itself but did'nt understand. Your way of explanation is easy to understand, super explanation. Again thanks sir!
Very helpful 👍, thank you.
Superb bro..well done. much helpful.
Wonderful Bro !!
Very nice explanation sir, sharing good knowledge
Greeting, Technical_Scoop. extremely picturesque video. thanks. :)
Wonderful bro its really very informative need more troubleshooting videos ...
Thank you sir, this video is very helpful
Slow path process :- 1>DNAT , 2> Routing , 3> Policy , 4>SNAT .... 2nd Question answers :- if there will be no routing in that case.. no use of policy lookup .. so by doing routing lookup we are not much consuming CPU Utilization of firewall ... Thank u so much for explaining it :)
Sir it's my feedback
Really cool and crystal clear session for upcoming TAC engineer of fortigate also information that your gathered show the effort of you thanks a lot sir........
I could not have said it any better myself.
Great explanation. Thanks or this knowledge.
Very helpful thanks 👏
good bro ! policy will be the first counter for all the traffic before it moves to NAT and Security
Good explaination
Awesome brother, great explanation, can you make another showing differences between application,dns and web filter. Explaining in detail when to use which filter. Can you explain how SDWAN rules can impact the SNAT selection in policy
You king sir! Thank you very much for this Video. If you would have had a good Microphone I would rate this Video 11/10!
The route is before Policy because after Routing, specify the Policy ,based on the outgoing interface
Fantastic explanation. Could you please share the traffic flow diagram which you explain here.
You gained a subsciber thanks for awesome content
excellent
Thank you
sir thanks ...
Awesome
In the slow path it checks the DNAT, Routing , Policy Lookup, SNAT
Really nice
Thanks, spread the words 🙏🏻🤗
JAI SHREE RAM🙏
25:10
What is slow path chkng proccess?
1 DNAT
2. ROUTING
3 POLICY
4 SNAT
how can i enroll for other videos
Your Explanation was very deep, awezome video. I have a question for you, if i have an specific Firewalls rule at the end, saying ¨Deny any any", and prior that rules execute i have some other App rule (let say office365 for example) the Application control Will not be able to detect the Application because of the "deny" rule it Will not be able to complete the 3way handshake therefore there is no flow to catch? im Right?
Cristian Silva u r right
so its always recommend that deny deny at last and then all permit on above and if u creat rule for app with allow like allow youtube then it will do 3 way from that rule
Hello Sir. Thank you for the content. But I have one question. Where is the DNAT happening for Fast Path?
slow path
Just a Question. You said that every packet gets handeld first by the CPU. But not in the Case of DDos right? Then de SP would block it before passing the traffic to the CPU?
Or other related IPS things?
superb
where does urpf happen in packet flow ?
Love the video! Would it be possible to share the flow chart you made? Want to use it as my background, to have a quick peak when needed.
thanks John, i lost it myself. my website was expired and was no plan to extend due to high cost. but renwed website , unfortuantely lost images.
could you please focus on fast path steps in deep?
Hi, Which command I should ran to check this flow of packets on my device
diag debug
check my another video on this
diag debug flow show iprope enable
diagnose debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable
You can also filter for specific IP address Flow by using - diag debug flow filter
Hello , Do you have full Forti gate videos , if nor here on other platform , Please let me know
Sorry bro, no videos for now. but planning to make in near furure
hello, do you share that power point doc?
Go to my websiite to see this packet flow in image
Hey, great video. It's possible to share the powerpoint or the images of this presentation. If i try to reach the source image, i got http 404.
Thanks in advance.
Pls share the flow chart
If Destination NAT is verified before security policy check then why in WAN to LAN security policy, under Destination Address Public IP is given. why cant we directly give Private IP address. My doubt is not only for Fortigate but also for other firewalls like Sonicwall & Paloalto also.
Destination IP In fortigate is VIP. virtual IP. so in Fortigate its very easy. no confusion at all. packet flow helps you to tell which is happening when.
@@SantoshSharma Hi thanks for your reply, Can you explain packet flow for Sonicwall.
Are you teaching over the Skype or zoom
Monu Gothwal What happend? I didn’t understand the question, if u want training , Please contact me on email
info@tekguru4u.com
sir please upload the flow chart in HD Format
IPS LOGS, APP LOGS, WEBFILTER Logs are not visible
kindly Share the screenshot.
one dislike may be a child when his father watching the video the child could have click it.
🤩🤩
25:11
Question
Why routing before policy ?
Ans
Because in an Firewall it has lot of policies it means utilize cpu n latency so it will check first routing its ec and also it's crct path
On the basis of routing firewall determine the egress interface and then the policy lookup is done for that flow. Without the egress information policy check won't take place
@@toptalkers7980 i would say awesome answer
@@SantoshSharma thank you sir
pls activate windows