FORTIGATE - Packet Debug Flow: Difference between revisions

From Wiki.IT-Arts.net
No edit summary
No edit summary
Line 1: Line 1:
[[Category:Post-It]]
[[Category:Post-It]]
FortiOS 6.2.12 Cookbook / FortiOS 7.4.3 Administration Guide


== Quick Example ==
== Quick Example ==
Line 13: Line 15:
  <nowiki>
  <nowiki>
diagnose debug enable
diagnose debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
diagnose debug flow filter addr W.X.Y.Z
diagnose debug flow show function-name enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 100</nowiki>
diagnose debug flow trace start 100
diag debug enable</nowiki>
 
 
 
== diag debug flow show iprope enable ==
 
Show debug messages indicating which policies are checked and eventually matched or not matched with traffic specified in the debug flow filter :
 
<nowiki>
diag debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
!
diag debug flow show iprope enable
!
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable</nowiki>
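Review bot: both command blocks in the new revision now turn debug output on twice: a `diag debug enable` is appended as the last line while the enable on the first line (`diagnose debug enable` in Quick Example, `diag debug enable` in the iprope section) is kept. Keep one of the two, preferably the trailing one so that the filter and trace options are set before output starts, and use either `diag` or `diagnose` consistently within a block. In the iprope block the bare `!` lines are not diagnose commands; if they are only visual separators, say so or drop them so the block can be pasted as-is.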




Line 78: Line 99:
== Usefull Links ==
== Usefull Links ==


FortiOS 6.2.12 Cookbook / FortiOS 7.4.3 Administration Guide
* https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/54688/debugging-the-packet-flow
* https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/54688/debugging-the-packet-flow
* https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/54688/debugging-the-packet-flow
* https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/54688/debugging-the-packet-flow
* https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560
* https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560
* https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Enable-Policy-Trace-in-Debug-Flow/ta-p/190674
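Review bot: the heading `== Usefull Links ==` on the context lines of this hunk is misspelled; since the section is being edited anyway, rename it to `== Useful Links ==`. The line `FortiOS 6.2.12 Cookbook / FortiOS 7.4.3 Administration Guide` added under it also repeats the line added below the category tag at the top of the page, so one of the two copies can go, and here it would read better as a label on the two docs.fortinet.com links it refers to.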

Revision as of 13:39, 18 August 2024


FortiOS 6.2.12 Cookbook / FortiOS 7.4.3 Administration Guide

Quick Example

To stop a running flow trace and clear the filter, type :

diag debug flow trace stop
diag debug flow filter clear

The following example shows the flow trace for a device with an IP address of W.X.Y.Z :

diagnose debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diag debug enable


diag debug flow show iprope enable

Shows debug messages indicating which policies are checked, and whether each one is matched or not matched, for the traffic specified in the debug flow filter :

diag debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
!
diag debug flow show iprope enable
!
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable


Diagnose Debug Flow Command

To start flow monitoring with a specific number of packets :

diagnose debug flow trace start <N>

To stop flow tracing at any time :

diagnose debug flow trace stop

To follow packet flow by setting a flow filter:

# diagnose debug flow {filter | filter6} <option>
  • Enter filter if your network uses IPv4.
  • Enter filter6 if your network uses IPv6.

Replace <option> with one of the following variables:

Variable	Description

addr		IPv4 or IPv6 address
clear		clear filter
daddr		destination IPv4 or IPv6 address
dport		destination port
negate		inverse IPv4 or IPv6 filter
port		port
proto		protocol number
saddr		source address
sport		source port
vd		index of virtual domain; -1 matches all


Example

Sample output: IPsec (policy-based)

id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="allocate a new session-00001cd3"
id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=1 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"
id=20085 trace_id=2 msg="vd-root received a packet (proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"
id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=2 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"
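
A captured trace like the sample above can be reduced to one decision per packet. The following is an added example, not part of the wiki page or of Fortinet's documentation: it groups flow-trace lines by trace_id and extracts the ingress interface, session, route and policy. It matches only the message shapes shown in the sample, and its tolerance for a leading timestamp or extra fields before msg= is an assumption about the output when the timestamp and function-name options are enabled.

```python
import re
from collections import defaultdict

# Subset of the IPsec (policy-based) sample output shown above.
SAMPLE = '''\
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="allocate a new session-00001cd3"
id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"
id=20085 trace_id=2 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"
id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"
'''

# search() rather than match(): assumes a timestamp may precede "id=" and
# that extra key=value fields may sit between trace_id and msg.
LINE = re.compile(r'trace_id=(\d+)\b.*?msg="(.*)"\s*$')
FIELDS = {
    "packet": re.compile(r'received a packet\s*\(proto=(?P<proto>\d+), '
                         r'(?P<src>[^-]+)->(?P<dst>[^)]+)\) from (?P<in_if>\S+?)\.?$'),
    "new_session": re.compile(r'allocate a new session-(?P<session>\w+)'),
    "old_session": re.compile(r'Find an existing session, id-(?P<session>\w+), (?P<direction>.+)'),
    "route": re.compile(r'find a route: gw-(?P<gw>\S+) via (?P<out_if>\S+)'),
    "policy": re.compile(r'Allowed by Policy-(?P<policy>\d+)(?:: (?P<action>\w+))?'),
    "tunnel": re.compile(r'enter IPsec tunnel-(?P<tunnel>\S+)'),
}

def summarize(text):
    """Group flow-trace lines by trace_id and collect the fields of each step."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # banner, prompt or unrelated debug output
        tid, msg = int(m.group(1)), m.group(2)
        for name, rx in FIELDS.items():
            hit = rx.search(msg)
            if hit:
                traces[tid].update(hit.groupdict())
                traces[tid].setdefault("steps", []).append(name)
    return dict(traces)

if __name__ == "__main__":
    for tid, t in sorted(summarize(SAMPLE).items()):
        verdict = (f"policy {t['policy']} ({t['action']})" if "policy" in t
                   else f"existing session {t.get('session')}")
        print(f"trace {tid}: {t.get('src')} -> {t.get('dst')} in={t.get('in_if')} {verdict}")
```

A trace that shows neither a policy match nor an existing session is the one to read line by line in the raw output.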


Useful Links