Handbook

How FortiOS handles packets

6.0.0

To give you an idea of what happens to a packet as it makes its way through the FortiGate unit, here is a brief overview. This particular trip starts on the Internet side of the FortiGate firewall and ends with the packet exiting to the internal network. An outbound trip would be similar. At any point in the path, if the packet goes through a filtering process and fails the filter check, the packet is dropped and does not continue any further down the path.

This information is covered in more detail in the Life of a Packet section of the Troubleshooting chapter of the FortiOS Handbook.

The incoming packet arrives at the external interface. This process of entering the device is referred to as ingress.

Step #1 - Ingress
  1. Denial of Service Sensor
  2. IP integrity header checking
  3. IPsec connection check
  4. Destination NAT
  5. Routing
Step #2 - Stateful inspection engine
  1. Session Helpers
  2. Management Traffic
  3. SSL VPN
  4. User Authentication
  5. Traffic Shaping
  6. Session Tracking
  7. Policy lookup
Step #3 - Security profiles scanning process
  1. Flow-based Inspection Engine
     1. IPS
     2. Application Control
     3. Data Leak Prevention
     4. Email Filter
     5. Web Filter
     6. Anti-virus
  2. Proxy-based Inspection Engine
     1. VoIP Inspection
     2. Data Leak Prevention
     3. Email Filter
     4. Web Filter
     5. Anti-virus
     6. ICAP
Step #4 - Egress
  1. IPsec
  2. Source NAT
  3. Routing
