How packets are handled by FortiOS

How packets are handled by FortiOS

To give you idea of what happens to a packet as it makes its way through the FortiGate unit here is a brief overview. This particular trip of the packet is starting on the Internet side of the FortiGate firewall and ends with the packet exiting to the Internal network. An outbound trip would be similar. At any point in the path if the packet is going through what would be considered a filtering process and if fails the filter check the packet is dropped and does not continue any further down the path.

This information is covered in more detail in other in the Troubleshooting chapter of the FortiOS Handbook in the Life of a Packet section.

The incoming packet arrives at the external interface. This process of entering the device is referred to as ingress.

Step #1 – Ingress

  1. Denial of Service Sensor
  2. IP integrity header checking
  3. Interfaces and zones
  4. IPsec connection check
  5. Destination NAT
  6. Routing

Step #2 – Stateful inspection engine

  1. Session Helpers
  2. Management Traffic
  3. SSL VPN
  4. User Authentication
  5. Traffic Shaping
  6. Session Tracking
  7. Policy lookup

Step #3 – Security profiles scanning process

  1. Flow-based Inspection Engine
  2. IPS
  3. Application Control
  4. Data Leak Prevention
  5. Email Filter
  6. Web Filter
  7. Anti-virus
  8. Proxy-based Inspection Engine
  9. VoIP Inspection
  10. Data Leak Prevention
  11. Email Filter
  12. Web Filter
  13. Anti-virus
  14. ICAP

Step #4 – Egress

  1. IPsec
  2. Source NAT
  3. Routing

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.