A general approach to troubleshooting firewall-related issues on FortiGate.
Step 1 — Identify what policy is being hit
Use iprope to check which policy the traffic is matching:
diagnose firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <proto> <interface>
<proto> is the IP protocol number (6 = TCP, 17 = UDP) and <interface> is the ingress interface.
A result of policy 0 means the implicit deny policy is being hit.
Step 2 — Check the session table
diagnose sys session filter clear
diagnose sys session filter src <src_ip>
diagnose sys session filter dst <dst_ip>
diagnose sys session list
In the output, check the policy_id, whether NAT was applied (snat/dnat vs noop), and the traffic direction (original vs reply).
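Added example (not part of the original note): a small Python parser for `diagnose sys session list` output that pulls out the three things above, policy ID, NAT action and direction, per session. The session output embedded below is constructed, with documentation-range addresses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `diagnose sys session list` output (not from a real device):
# an SNAT'd TCP session on policy 12 and an un-NAT'd UDP session on policy 7.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000
hook=post dir=org act=snat 10.0.0.10:51234->198.51.100.20:443(203.0.113.5:51234)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.5:51234(10.0.0.10:51234)
misc=0 policy_id=12 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000
hook=pre dir=org act=noop 10.0.0.10:53001->192.0.2.53:53(0.0.0.0:0)
hook=post dir=reply act=noop 192.0.2.53:53->10.0.0.10:53001(0.0.0.0:0)
misc=0 policy_id=7 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

# One line per NAT hook: hook=<pre|post> dir=<org|reply> act=<snat|dnat|noop> a:b->c:d(x:y)
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\((?P<xlate>[\d.]+:\d+)\)"
)

@dataclass
class Session:
    proto: int
    policy_id: int
    hooks: list = field(default_factory=list)  # (dir, act, src, dst, xlate) per hook line

    @property
    def nat(self) -> bool:
        # act=noop on every hook means the session was forwarded without NAT
        return any(h[1] != "noop" for h in self.hooks)

def parse_sessions(text: str) -> list:
    # Each session record starts with "session info:"; the trailing "total session N" is ignored
    sessions = []
    for block in text.split("session info:")[1:]:
        proto = int(re.search(r"\bproto=(\d+)", block).group(1))
        policy = int(re.search(r"\bpolicy_id=(\d+)", block).group(1))
        hooks = [m.group("dir", "act", "src", "dst", "xlate") for m in HOOK_RE.finditer(block)]
        sessions.append(Session(proto, policy, hooks))
    return sessions

def summarize(s: Session) -> str:
    # dir=org is the initiating direction: original src -> dst, with the translated address in ()
    org = next(h for h in s.hooks if h[0] == "org")
    proto = {6: "tcp", 17: "udp"}.get(s.proto, str(s.proto))
    line = f"policy {s.policy_id} {proto} {org[2]} -> {org[3]}"
    return line + (f" ({org[1]} via {org[4]})" if s.nat else "")
```

Paste real session output in place of SAMPLE (after narrowing it with the session filter above) and print `summarize()` for each session to get one line per flow.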
Step 3 — Run a PCAP
To capture traffic live (any = all interfaces, 4 = verbosity with interface names, 0 = no packet limit, l = local timestamps; Ctrl-C to stop):
diag sniffer packet any "host <ip>" 4 0 l
To generate test traffic from the firewall itself when no user is available to reproduce the problem, set the source address and telnet to the destination while the sniffer is running:
execute telnet-options source <source_ip>
execute telnet <dest_ip> <port>
Step 4 — Check BGP/routing if traffic isn’t reaching the right place
get router info routing-table details <ip>
get router info bgp neighbors <neighbor> received-routes
Step 5 — Check logs
Filter the event log (category 1) down to BGP entries and display it:
execute log filter reset
execute log filter field logdesc "BGP"
execute log filter category 1
execute log display
Related Notes
- Forti - Policy checking for CDECPE
- Forti - Session filter to find network path & find NAT
- Forti - PCAP without live user
- Forti - BGP Debug
- Forti - Checking logs
- Forti - How to find port a route is using