How Packets are handled by FortiOS

How Packets are handled by FortiOS

To give you idea of what happens to a packet as it makes its way through the FortiGate unit here is a brief overview. This particular trip of the packet is starting on the Internet side of the FortiGate firewall and ends with the packet exiting to the Internal network. An outbound trip would be similar. At any point in the path if the packet is going through what would be considered a filtering process and if fails the filter check the packet is dropped and does not continue any further down the path.

This information is covered in more detail in other in the Troubleshooting chapter of the FortiOS Handbook in the Life of a Packet section.

The incoming packet arrives at the external interface. This process of entering the device is referred to as ingress.

Step #1 – Ingress

1. Denial of Service Sensor

2. IP integrity header checking

3. IPsec connection check

4. Destination NAT

5. Routing

Step #2 – Stateful Inspection Engine

1. Session Helpers

2. Management Traffic

3. SSL VPN

4. User Authentication

5. Traffic Shaping

6. Session Tracking

7. Policy lookup

Step #3 – Security Profiles scanning process

1. Flow-based Inspection Engine

2. IPS

3. Application Control

4. Data Leak Prevention

5. Email Filter

6. Web Filter

7. Anti-virus

8. Proxy-based Inspection Engine

9. VoIP Inspection

10. Data Leak Prevention

11. Email Filter

12. Web Filter

13. Anti-virus

14. ICAP

Step #4 – Egress

1. IPsec

2. Source NAT

3. Routing