Administration Guide

Policy views and policy lookup

This topic describes the firewall policy views and provides a sample firewall policy lookup.

Policy views

On Policy & Objects policy list pages, there are two policy views: Interface Pair View and By Sequence.

Interface Pair View displays the policies in the order that they are checked for matching traffic, grouped by the pairs of incoming and outgoing interfaces in collapsible sections.

By Sequence displays policies in the order that they are checked for matching traffic without any grouping.

The default display is Interface Pair View. You can switch between the two views, except when a policy uses any or multiple interfaces. Whenever a policy specifies any or multiple interfaces as its Source or Destination interface, the FortiGate automatically changes the policy list page to By Sequence view. If Interface Pair View is grayed out, one or more policies most likely use any or multiple interfaces.

You can export the current view to CSV and JSON formats by clicking Export and selecting CSV or JSON. The file is automatically downloaded.

Policy lookup

Firewall policy lookup matches traffic on source interface, protocol, source address and destination address, and, for protocols that carry ports, on the source port and destination port. Use this tool to find out which of a number of policies matches specific traffic. After the lookup completes, the matching firewall policy is highlighted on the policy list page.

The Policy Lookup tool has the following requirements:

  • Transparent mode does not support the policy lookup function.
  • Before running a policy lookup, confirm that the route the policy depends on already exists.

Sample configuration

This example uses the TCP protocol to show how policy lookup works:

  1. On a Policy & Objects policy list page, click Policy Lookup and enter the traffic parameters.

  2. Click Search to display the policy lookup results.
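To make the lookup procedure concrete, the following added example (not Fortinet code) models a first-match policy lookup in Python: the egress interface is resolved from a constructed routing table (our assumption of why the route must exist), then the policy table is walked in sequence order on the same fields the Policy Lookup tool uses. All interface names, addresses and policy IDs are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table (hypothetical values). We assume the egress interface
# is derived from the route, which is why the lookup needs that route to exist.
ROUTES = [("10.0.1.0/24", "port1"), ("192.168.0.0/16", "port2")]

# Constructed policy table in sequence order (hypothetical values). A policy with
# "any" or several interfaces forces the GUI into By Sequence view.
POLICIES = [
    {"id": 1, "srcintf": ["port1"], "dstintf": ["port2"], "srcaddr": ["10.0.1.0/24"],
     "dstaddr": ["all"], "proto": "tcp", "dports": [(443, 443)], "action": "accept"},
    {"id": 2, "srcintf": ["port1"], "dstintf": ["port2"], "srcaddr": ["10.0.1.0/24"],
     "dstaddr": ["all"], "proto": "tcp", "dports": [], "action": "deny"},
    {"id": 3, "srcintf": ["any"], "dstintf": ["port2"], "srcaddr": ["all"],
     "dstaddr": ["192.168.0.0/16"], "proto": "udp", "dports": [(53, 53)], "action": "accept"},
]

def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match; None when no route covers dst (lookup cannot proceed)."""
    best = None
    for net, intf in routes:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, intf)
    return best[1] if best else None

def _addr_match(addrs, ip):
    return any(a == "all" or ip_address(ip) in ip_network(a) for a in addrs)
def _intf_match(intfs, intf):
    return "any" in intfs or intf in intfs
def _port_match(ranges, port):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)  # [] = any port

def policy_lookup(srcintf, proto, src, dst, dport, policies=POLICIES):
    """Return the id of the first policy matching the traffic (sequence order), or None."""
    dstintf = egress_interface(dst)
    if dstintf is None:
        return None  # missing route: no destination interface to match against
    for p in policies:  # first match wins, exactly like the policy list order
        if (_intf_match(p["srcintf"], srcintf) and _intf_match(p["dstintf"], dstintf)
                and p["proto"] == proto and _addr_match(p["srcaddr"], src)
                and _addr_match(p["dstaddr"], dst) and _port_match(p["dports"], dport)):
            return p["id"]
    return None  # no explicit match: implicit deny

def interface_pair_view_available(policies=POLICIES):
    """False once any policy uses 'any' or more than one interface, as the GUI does."""
    return all(len(p["srcintf"]) == 1 and len(p["dstintf"]) == 1
               and "any" not in p["srcintf"] + p["dstintf"] for p in policies)
```

Note how the HTTPS flow hits policy 1 while the same hosts on port 22 fall through to the deny in policy 2, and how a destination without a route returns no match at all.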
