How Packets are handled by FortiOS

How Packets are handled by FortiOS

To give you idea of what happens to a packet as it makes its way through the FortiGate unit here is a brief overview. This particular trip of the packet is starting on the Internet side of the FortiGate firewall and ends with the packet exiting to the Internal network. An outbound trip would be similar. At any point in the path if the packet is going through what would be considered a filtering process and if fails the filter check the packet is dropped and does not continue any further down the path.

This information is covered in more detail in other in the Troubleshooting chapter of the FortiOS Handbook in the Life of a Packet section.

The incoming packet arrives at the external interface. This process of entering the device is referred to as ingress.


Step #1 – Ingress

1. Denial of Service Sensor

2. IP integrity header checking

3. IPsec connection check

4. Destination NAT

5. Routing


Step #2 – Stateful Inspection Engine

1. Session Helpers

2. Management Traffic


4. User Authentication

5. Traffic Shaping

6. Session Tracking

7. Policy lookup


Step #3 – Security Profiles scanning process

1. Flow-based Inspection Engine

2. IPS

3. Application Control

4. Data Leak Prevention

5. Email Filter

6. Web Filter

7. Anti-virus

8. Proxy-based Inspection Engine

9. VoIP Inspection

10. Data Leak Prevention

11. Email Filter

12. Web Filter

13. Anti-virus

14. ICAP


Step #4 – Egress

1. IPsec

2. Source NAT

3. Routing

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.