Handbook

What's new
- Fortinet Security Fabric
- Manageability
- Networking
- Security
  - SSH MITM deep inspection
Getting started
- Installation
- Using the GUI
- Using the CLI
- FortiExplorer for iOS
- LED specifications
- Inspection mode
- Basic administration
- Firmware
- FortiGuard
- FortiCloud
- Troubleshooting your installation
- Resources
Fortinet Security Fabric
- Overview
  - Benefits
  - Components
- Configuration
- Using the Fortinet Security Fabric
- Automation stitches
- Fabric Connectors
SD-WAN
- Configuring SD-WAN
  - SD-WAN requirements
  - Configuring a basic SD-WAN deployment
- Monitoring SD-WAN
- Applying traffic shaping to SD-WAN traffic
- Viewing SD-WAN information in the Fortinet Security Fabric
High availability
- HA solutions
- FGCP HA
- FGCP HA examples
- Virtual clustering
- Full mesh HA
  - Full mesh HA example
  - Troubleshooting full mesh HA
- Operating a cluster
- Failover protection
- Session failover
- HA and load balancing
- FortiGate-VM and third-party HA
- VRRP
- FGSP
- Standalone configuration sync
Firewall
- Firewall concepts
- IPv6
- Network defense
- Policies
- Addresses
- Virtual IPs
- IP pools
- Services
- Schedules
- WAN optimization, proxies, web caching, and WCCP
- Example topologies
- WAN optimization
- Transparent and explicit proxies
- Explicit web proxy
- Explicit FTP proxy
- Web caching
- WCCP
- WAN optimization diagnose commands
Security Profiles
- Overview
- Inside FortiOS
- Inspection modes
- AntiVirus
- Web filtering
- DNS filter
  - FortiGuard botnet protection
- Application control
- Intrusion prevention
- Anti-spam filter
- Data leak prevention
- ICAP support
- FortiClient Compliance Profiles
- Proxy options
- SSL/SSH inspection
- Other considerations
Authentication
- Introduction to authentication
- Authentication servers
- Users and user groups
- FortiToken Mobile user instructions
- Managing guest access
- Configuring authenticated access
- Captive portals
- Certificate-based authentication
- Single sign-on using a FortiAuthenticator unit
- Single sign-on to Windows AD
- Agent-based FSSO
- SSO using RADIUS accounting records
- Monitoring authenticated users
- Examples and troubleshooting
IPsec VPN
- IPsec VPN concepts
  - VPN tunnels
  - VPN gateways
  - Clients, servers, and peers
  - Encryption
  - Authentication
  - Phase 1 and Phase 2 settings
  - Security Association
  - IKE and IPsec packet processing
- IPsec VPN overview
  - Types of VPNs
  - Planning your VPN
  - General preparation steps
  - How to use this guide to configure an IPsec VPN
- IPsec VPN from the GUI
  - Phase 1 configuration
  - Concentrator
  - IPsec Monitor
- Phase 1 parameters
  - Overview
  - Defining the tunnel ends
  - Choosing Main mode or Aggressive mode
  - Authenticating the FortiGate unit
  - Authenticating remote peers and clients
  - Defining IKE negotiation parameters
  - Using XAuth authentication
  - Dynamic IPsec route control
- Phase 2 parameters
  - Phase 2 settings
  - Configuring Phase 2 parameters
- Defining VPN security policies
  - Defining policy addresses
  - Defining security policies
- Gateway-to-gateway configuration
  - Gateway-to-gateway configuration
  - Testing
- Hub-and-spoke configuration
  - Configuration overview
  - Configure the hub
  - Configure the spokes
  - Dynamic spokes configuration example
- One-Click VPN (OCVPN)
  - General configuration
  - Key exchange
  - Device polling and controller information
  - System states
  - Debugging and logging
- Dynamic DNS configuration
  - Configuration overview
- FortiClient dialup-client configuration
  - Configuration overview
- FortiGate dialup-client configuration
  - Configuration overview
- Supporting IKE Mode Config clients
  - Automatic configuration overview
- Internet-browsing configuration
  - Configuration overview
- Redundant VPN configuration
  - Configuration overview
- Transparent-mode VPN configuration
  - Configuration overview
- IPv6 IPsec VPNs
  - Configuration examples
- L2TP and IPsec (Microsoft VPN)
  - Configuration overview
- GRE over IPsec (Cisco VPN)
  - Configuration overview
- Protecting OSPF with IPsec
  - Configuration overview
- Redundant OSPF routing over IPsec
  - Configuration
- BGP over dynamic IPsec
- IPsec Auto-Discovery VPN (ADVPN)
  - Example ADVPN configuration
- Logging and monitoring
  - Monitoring VPN connections
  - VPN event logs
- Troubleshooting
  - General troubleshooting tips
  - Troubleshooting L2TP and IPsec
  - Troubleshooting GRE over IPsec
SSL VPN
- Overview
- SSL VPN best practices
- Basic configuration
- SSL VPN client
  - FortiClient
  - Tunnel mode client configuration
- SSL VPN web portal
- Setup examples
- Troubleshooting
Networking
- Interfaces
- DNS
- Advanced static routing
- Dynamic routing
- Multicast forwarding
- Modems
- Troubleshooting
Transparent mode
- Overview
  - What is transparent mode?
  - Transparent mode features
- Installation
- Networking in transparent mode
- Firewalls and security in transparent mode
- IPsec VPN in transparent mode
- Using FortiManager and FortiAnalyzer
- High availability in transparent mode
  - Virtual clustering
  - MAC address assignment
- Best practices
VoIP Solutions: SIP
- Inside FortiOS: Voice over IP (VoIP) protection
- Common SIP VoIP configurations
  - Peer to peer configuration
  - SIP proxy server configuration
  - SIP redirect server configuration
  - SIP registrar configuration
  - SIP with a FortiGate
- SIP messages and media protocols
  - Hardware accelerated RTP processing
  - SIP request messages
  - SIP response messages
  - SIP message start line
  - SIP headers
  - The SIP message body and SDP session profiles
  - Example SIP messages
- The SIP session helper
  - SIP session helper configuration overview
  - Viewing, removing, and adding the SIP session helper configuration
  - Changing the port numbers that the SIP session helper listens on
  - Configuration example: SIP session helper in transparent mode
  - SIP session helper diagnose commands
- The SIP ALG
  - Enabling VoIP support from the GUI
  - SIP ALG configuration overview
  - VoIP profiles
  - Changing the port numbers that the SIP ALG listens on
  - Disabling the SIP ALG in a VoIP profile
  - SIP ALG diagnose commands
- Conflicts between the SIP ALG and the session helper
- Stateful SIP tracking, call termination, and session inactivity timeout
  - Adding a media stream timeout for SIP calls
  - Adding an idle dialog setting for SIP calls
  - Changing how long to wait for call setup to complete
- SIP and RTP/RTCP
- How the SIP ALG creates RTP pinholes
- Configuration example: SIP in transparent mode
- RTP enable/disable (RTP bypass)
- Opening and closing SIP register, contact, via and record-route pinholes
- Accepting SIP register responses
- How the SIP ALG performs NAT
  - SIP ALG source address translation
  - SIP ALG destination address translation
  - SIP call re-invite messages
  - How the SIP ALG translates IP addresses in SIP headers
  - How the SIP ALG translates IP addresses in the SIP body
  - SIP NAT scenario: source address translation (source NAT)
  - SIP NAT scenario: destination address translation (destination NAT)
  - SIP NAT configuration example: source address translation (source NAT)
  - SIP NAT configuration example: destination address translation (destination NAT)
  - SIP and RTP source NAT
  - SIP and RTP destination NAT
  - Source NAT with an IP pool
  - Different source and destination NAT for SIP and RTP
  - NAT with IP address conservation
  - Controlling how the SIP ALG NATs SIP contact header line addresses
  - Controlling NAT for addresses in SDP lines
  - Translating SIP session destination ports
  - Translating SIP sessions to multiple destination ports
  - Adding the original IP address and port to the SIP message header after NAT
- Enhancing SIP pinhole security
- Hosted NAT traversal
  - Configuration example: Hosted NAT traversal for calls between SIP Phone A and SIP Phone B
  - Hosted NAT traversal for calls between SIP Phone A and SIP Phone C
  - Restricting the RTP source IP
- SIP over IPv6
- Deep SIP message inspection
  - Actions taken when a malformed message line is found
  - Logging and statistics
  - Deep SIP message inspection best practices
  - Configuring deep SIP message inspection
- Blocking SIP request messages
- SIP rate limiting
  - Limiting the number of SIP dialogs accepted by a security policy
- SIP logging
- Inspecting SIP over SSL/TLS (secure SIP)
  - Adding the SIP server and client certificates
  - Adding SIP over SSL/TLS support to a VoIP profile
- SIP and HA–session failover and geographic redundancy
  - SIP geographic redundancy
  - Supporting geographic redundancy when blocking OPTIONS messages
  - Support for RFC 2543-compliant branch parameters
- SIP and IPS
- SIP debugging
  - SIP debug log format
  - SIP-proxy filter per VDOM
  - SIP-proxy filter command
  - SIP debug setting
  - Display SIP rate-limit data
Best practices
- General considerations
- Customer service and technical support
- Fortinet Knowledge Base
- System and performance
  - Performance
  - Shutting down
- Migration
- Environmental specifications
  - Grounding
  - Rack mounting
- Firmware
- Security Profiles (AV, Web Filtering etc.)
- Networking
- FGCP high availability
  - Heartbeat interfaces
  - Interface monitoring (port monitoring)
- WAN Optimization
- Virtual Domains (VDOMs)
- Explicit proxy
- Wireless
- Logging and reporting
  - Log management
  - System memory and hard disks
Managing devices
- Managing “bring your own device”
- Managing Fortinet devices
Server load balancing
- Inside FortiOS: server load balancing
- Basic load balancing configuration example
- Configuring load balancing
- HTTP and HTTPS load balancing, multiplexing, and persistence
- SSL/TLS load balancing
- IP, TCP, and UDP load balancing
- Example HTTP load balancing to three real web servers
- Example Basic IP load balancing configuration
- Example Adding a server load balance port forwarding virtual IP
- Example Weighted load balancing configuration
- Example HTTP and HTTPS persistence configuration
System administration
- Administrators
- Monitoring
- Replacement messages
- Administration for schools
- PPTP and L2TP
  - Configuring L2TP VPNs
  - L2TP configuration overview
- Session helpers
- Advanced concepts
Traffic shaping
- Overview
- Configuring traffic shaping
- Monitoring traffic shaping
- Traffic shaping examples
- Traffic shaping priority queueing (PRIQ)
- Troubleshooting traffic shaping
Virtual Domains
- VDOMs overview
  - Benefits
  - Configurations
- Configuring VDOMs
- Example configurations
  - Example 1: NAT mode
  - Example 2: NAT and transparent mode
- Troubleshooting VDOMs
FortiWifi and FortiAP Configuration
- Introduction to wireless networking
- Captive portals
- WiFi LAN configuration
- Access point deployment
- Remote AP setup
- Wireless mesh
  - Configuring a meshed WiFi network
  - Configuring a point-to-point bridge
- Hotspot 2.0
- Combining WiFi and wired networks with a software switch
  - FortiAP local bridging (private cloud-managed AP)
  - Using bridged FortiAPs to increase scalability
- Using remote WLAN FortiAPs
- Features for high-density deployments
- Wireless network protection
- Wireless network monitoring
- Wireless network client configuration
- Wireless network examples
  - Basic wireless network example
  - Complex wireless network example
- Managing a FortiAP with FortiCloud
  - FortiCloud-managed FortiAP WiFi
  - FortiCloud-managed FortiAP WiFi without a key
- Using a FortiWiFi unit as a client
  - Using a FortiWiFi unit in the client mode
  - Configuring a FortiAP unit as a WiFi Client in client mode
- Support for location-based services
  - Configuring location tracking
  - Viewing device location data on the FortiGate unit
- Troubleshooting
- Reference
FortiSwitch devices managed by FortiOS
- Connecting FortiLink ports
- Using the FortiGate GUI
- Using the FortiGate CLI
- Network topologies
- Optional setup tasks
- FortiSwitch port features
- FortiSwitch port security policy
- Additional capabilities
- Troubleshooting
FortiOS Carrier
- Overview of FortiOS Carrier features
  - MMS
  - GTP
- MMS Concepts
- MMS Configuration
- GTP basic concepts
- GTP Configuration
- SCTP Concepts
  - SCTP Firewall
- Troubleshooting
Sandbox inspection
- Using FortiSandbox with a FortiGate
  - Connecting a FortiGate to FortiSandbox
  - FortiSandbox console
- Sandbox integration
  - Overview
  - Example configuration
- Sandbox inspection FAQ
FortiView
- Overview
  - Enabling FortiView
  - FortiView interface
- FortiView consoles
- Reference
- Troubleshooting
Logging and reporting
- Logging and reporting overview
- Logging and reporting for small networks
- Logging and reporting for large networks
- Advanced logging
- Troubleshooting and logging
Troubleshooting
- Troubleshooting methodologies
- Troubleshooting tools
- Troubleshooting tips
- Troubleshooting resources

Home FortiGate / FortiOS 6.0.0 Handbook

6.0.0

Example 1: Remote sites with different subnets

This example provides a configuration example for IPsec VPN tunnels between three FortiGate in transparent Mode in different subnets, as well as some troubleshooting steps.

The expectation for this example is that PC1 will be able to communicate via the IPsec tunnels with PC2 and PC3, which are in different subnets.

The requirements for this example are:

Because both FortiGate are not in the same broadcast domain (separated by routers), the hosts on each side must be on different subnets.
FortiGate management IP addresses must be in the same subnet as the local hosts
The default gateways (router1 ,router2, router3) for PC1 , PC2 and PC3 must be behind port2 in order for the FortiGate to match the appropriate Encrypt firewall policy (port1 --> port2)

Configuration of FortiGate 1 (FGT1):

Only relevant parts of configuration are provided.

config system settings

set opmode transparent

set manageip 10.1.1.100/255.255.255.0

end

config router static

edit 1

set gateway 10.1.1.254

end

config firewall address

edit "10.1.1.0/24"

set subnet 10.1.1.0 255.255.255.0

edit "10.2.2.0/24"

set subnet 10.2.2.0 255.255.255.0

edit "10.3.3.0/24"

set subnet 10.3.3.0 255.255.255.0

end

config vpn ipsec phase1

edit "to_FGT2"

set proposal 3des-sha1 aes128-sha1 des-md5

set remote-gw 10.2.2.100

set psksecret fortinet

edit "to_FGT3"

set proposal 3des-sha1 aes128-sha1 des-md5

set remote-gw 10.3.3.100

set psksecret fortinet

end

config vpn ipsec phase2

edit "to_FGT2"

set keepalive enable

set phase1name "to_FGT2"

set proposal 3des-sha1 aes128-sha1

set dst-subnet 10.2.2.0 255.255.255.0

set src-subnet 10.1.1.0 255.255.255.0

edit "to_FGT3"

set keepalive enable

set phase1name "to_FGT3"

set proposal 3des-sha1 aes128-sha1

set dst-subnet 10.3.3.0 255.255.255.0

set src-subnet 10.1.1.0 255.255.255.0

end

config firewall policy

edit 1

set srcintf "port1"

set dstintf "port2"

set srcaddr "10.1.1.0/24"

set dstaddr "10.2.2.0/24"

set action ipsec

set schedule "always"

set service "ALL"

set inbound enable

set outbound enable

set vpntunnel "to_FGT2"

edit 3

set srcintf "port1"

set dstintf "port2"

set srcaddr "10.1.1.0/24"

set dstaddr "10.3.3.0/24"

set action ipsec

set schedule "always"

set service "ALL"

set inbound enable

set outbound enable

set vpntunnel "to_FGT3"

end

Configuration of FortiGate 2 (FGT2):

Only relevant parts of configuration are provided.

config system settings

set opmode transparent

set manageip 10.2.2.100/255.255.255.0

end

config router static

edit 1

set gateway 10.2.2.254

end

config firewall address

edit "10.1.1.0/24"

set subnet 10.1.1.0 255.255.255.0

edit "10.2.2.0/24"

set subnet 10.2.2.0 255.255.255.0

end

config vpn ipsec phase1

edit "to_FGT1"

set nattraversal disable

set proposal 3des-sha1 aes128-sha1 des-md5

set remote-gw 10.1.1.100

set psksecret fortinet

end

config vpn ipsec phase2

edit "to_FGT1"

set keepalive enable

set phase1name "to_FGT1"

set proposal 3des-sha1 aes128-sha1

set dst-subnet 10.1.1.0 255.255.255.0

set src-subnet 10.2.2.0 255.255.255.0

end

config firewall policy

edit 1

set srcintf "port1"

set dstintf "port2"

set srcaddr "10.2.2.0/24"

set dstaddr "10.1.1.0/24"

set action ipsec

set schedule "always"

set service "ALL"

set inbound enable

set outbound enable

set vpntunnel "to_FGT1"

end

Troubleshooting procedure

All steps given when PC1 pings PC2.

Verify if IPsec tunnels are up

FGT1 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=to_FGT2 ver=0 serial=1 10.1.1.100:0->10.2.2.100:0 lgwy=dyn tun=tunnel mode= auto

bound_if=0

proxyid_num=1 child_num=0 refcnt=7 ilast=0 olast=0

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=1455

natt: mode=none draft=0 interval=0 remote_port=0

proxyid=to_FGT2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=5

src: 10.1.1.0/255.255.255.0:0

dst: 10.2.2.0/255.255.255.0:0

The above tunnel is down (output given as example)!

FGT2 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

------------------------------------------------------

name=to_FGT1 10.2.2.100:0->10.1.1.100:0 lgwy=dyn tun=tunnel mode=auto bound_if=0

proxyid_num=1 child_num=0 refcnt=7 ilast=1 olast=1

stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=21 natt:

mode=none draft=0 interval=0 remote_port=0

proxyid=to_FGT1 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1

src: 10.2.2.0/255.255.255.0:0

dst: 10.1.1.0/255.255.255.0:0

SA: ref=3 options=00000009 type=00 soft=0 mtu=1436 expire=1771 replaywin=0 seq no=1

life: type=01 bytes=0/0 timeout=1773/1800

dec: spi=c1a8e951 esp=3des key=24 9213fdf22b150e01abb3535d1a647044eebf772b92f2f7ee

ah=sha1 key=20 66a38bf99f0b2d234f64b5a05187995c4f56f6bb

enc: spi=322067b4 esp=3des key=24 720e5680329937fb3630b7ed70bd41bb3114d3c269ae8b61

ah=sha1 key=20 e316113eb6ea03b014b3a5f9c1a3bd386637801a

The above tunnel is up!

Verify that destination local hosts are seen in the ARP table (necessary for IPsec despite being in TP mode)

FGT2 # get system arp

Address Age(min) Hardware Addr Interface

10.2.2.10 2 00:50:56:00:76:04 root.b

10.2.2.254 0 00:09:0f:30:29:e4 root.b

Using the debug flow command on the initiator side (example on FortiGate1)

FGT1 # diagnose debug flow filter addr 10.1.1.10

FGT1 # diagnose debug flow show console enable

FGT1 # diagnose debug enable

FGT1 # diagnose debug flow trace start 50

FGT1 # id=36870 trace_id=615 msg="vd-root received a packet(proto=1, 10.1.1.10:512-

>10.2.2.10:8) from port1."

id=36870 trace_id=615 msg="allocate a new session-00000636"

id=36870 trace_id=615 msg="Allowed by Policy-1: encrypt"

id=36870 trace_id=615 msg="enter IPsec tunnel-to_FGT2"

id=36870 trace_id=615 msg="SA is not ready yet, drop"

id=36870 trace_id=616 msg="vd-root received a packet(proto=1, 10.1.1.10:512->10.2.2.10:8) from port1."

id=36870 trace_id=616 msg="Find an existing session, id-00000636, original direction"

id=36870 trace_id=616 msg="enter IPsec tunnel-to_FGT2"

id=36870 trace_id=616 msg="encrypted, and send to 10.2.2.100 with source 10.1.1.100"

id=36870 trace_id=616 msg="send out via dev-port2, dst-mac-00:09:0f:30:29:e0"

id=36870 trace_id=617 msg="vd-root received a packet(proto=1, 10.1.1.10:512->10.2.2.10:8) from port1."

id=36870 trace_id=617 msg="Find an existing session, id-00000636, original direction"

id=36870 trace_id=617 msg="enter IPsec tunnel-to_FGT2"

id=36870 trace_id=617 msg="encrypted, and send to 10.2.2.100 with source 10.1.1.100"

id=36870 trace_id=617 msg="send out via dev-port2, dst-mac-00:09:0f:30:29:e0"

id=36870 trace_id=618 msg="vd-root received a packet(proto=1, 10.2.2.10:512->10.1.1.10:0) from port2."

id=36870 trace_id=618 msg="Find an existing session, id-00000636, reply direction"

id=36870 trace_id=618 msg="send out via dev-port1, dst-mac-00:50:56:00:76:03"

id=36870 trace_id=619 msg="vd-root received a packet(proto=1, 10.1.1.10:512->10.2.2.10:8) from port1."

id=36870 trace_id=619 msg="Find an existing session, id-00000636, original direction"

id=36870 trace_id=619 msg="enter IPsec tunnel-to_FGT2"

id=36870 trace_id=619 msg="encrypted, and send to 10.2.2.100 with source 10.1.1.100"

id=36870 trace_id=619 msg="send out via dev-port2, dst-mac-00:09:0f:30:29:e0"

id=36870 trace_id=620 msg="vd-root received a packet(proto=1, 10.2.2.10:512->10.1.1.10:0) from port2."

id=36870 trace_id=620 msg="Find an existing session, id-00000636, reply direction"

id=36870 trace_id=620 msg="send out via dev-port1, dst-mac-00:50:56:00:76:03"

The message "id=36870 trace_id=615 msg="SA is not ready yet, drop" simply means that the tunnel was not up yet.

Using the debug flow command on the receiver side (example on FortiGate2)

FGT2 # diagnose debug flow filter addr 10.1.1.10

FGT2 # diagnose debug flow show console enable

FGT2 # diagnose debug enable

FGT2 # diagnose debug flow trace start 50

FGT2 # id=36870 trace_id=51 msg="vd-root received a packet(proto=1, 10.1.1.10:512->10.2.2.10:8) from port2."

id=36870 trace_id=51 msg="allocate a new session-00000435"

id=36870 trace_id=51 msg="Allowed by Policy-1:"

id=36870 trace_id=51 msg="send out via dev-port1, dst-mac-00:50:56:00:76:04"

id=36870 trace_id=52 msg="vd-root received a packet(proto=1, 10.2.2.10:512->10.1.1.10:0) from port1."

id=36870 trace_id=52 msg="Find an existing session, id-00000435, reply direction"

id=36870 trace_id=52 msg="enter IPsec tunnel-to_FGT1"

id=36870 trace_id=52 msg="encrypted, and send to 10.1.1.100 with source 10.2.2.100"

id=36870 trace_id=52 msg="send out via dev-port2, dst-mac-00:09:0f:30:29:e4"

Using the sniffer trace (example on FortiGate2)

FGT2 # diagnose sniffer packet any "host 10.2.2.10" 4

9.460021 root.b out arp who-has 10.2.2.10 tell 10.2.2.100

9.460028 port2 out arp who-has 10.2.2.10 tell 10.2.2.100

9.460034 port1 out arp who-has 10.2.2.10 tell 10.2.2.100

9.460462 port1 in arp reply 10.2.2.10 is-at 0:50:56:0:76:4

9.460462 root.b in arp reply 10.2.2.10 is-at 0:50:56:0:76:4

[...]

49.477368 port2 in 10.1.1.10 -> 10.2.2.10: icmp: echo request

49.477444 port1 out 10.1.1.10 -> 10.2.2.10: icmp: echo request

49.477898 port1 in 10.2.2.10 -> 10.1.1.10: icmp: echo reply

50.510023 port2 in 10.1.1.10 -> 10.2.2.10: icmp: echo request

50.510079 port1 out 10.1.1.10 -> 10.2.2.10: icmp: echo request

50.510524 port1 in 10.2.2.10 -> 10.1.1.10: icmp: echo reply

The above ARP process in transparent mode with IPsec is allowing the FortiGate to:

Identify the MAC address of the destination device 10.2.2.10
Populate the MAC table (see below), which in turn will give a destination interface and allow a Firewall policy look-up

Check the FDB entries for the destination

FGT2 # diagnose netlink brctl name host root.b

port no device devname mac addr ttl

[...]

1 2 port1 00:50:56:00:76:04 0