FORTIGATE - Packet Debug Flow
From Wiki.IT-Arts.net
FortiOS 6.2.12 Cookbook / FortiOS 7.4.3 Administration Guide
Quick Example
Before starting a new trace, stop any running one and clear the previous filter (filter settings persist until cleared, so an old filter would still apply):
diag debug flow trace stop
diag debug flow filter clear
When you are done, diag debug disable turns console debug output off again.
The following example shows the flow trace for a device with an IP address of W.X.Y.Z (addr matches the address as either source or destination; FortiOS accepts diag as an abbreviation of diagnose, so the two spellings below are interchangeable):
diagnose debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diag debug enable
diag debug flow show iprope enable
Adds debug messages showing which policies are checked for the traffic selected by the flow filter, and which one is eventually matched (or that none is):
diag debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable
Diagnose Debug Flow Command
To start flow tracing for a specific number of packets (the trace stops by itself once <N> matching packets have been shown):
diagnose debug flow trace start <N>
To stop flow tracing at any time:
diagnose debug flow trace stop
To follow packet flow by setting a flow filter:
# diagnose debug flow {filter | filter6} <option>
- Enter filter if your network uses IPv4.
- Enter filter6 if your network uses IPv6.
Replace <option> with one of the following variables:
- addr: IPv4 (filter) or IPv6 (filter6) address, matched as source or destination
- clear: clear the filter
- daddr: destination IPv4 or IPv6 address
- dport: destination port
- negate: inverse IPv4 or IPv6 filter
- port: port (source or destination)
- proto: protocol number
- saddr: source address
- sport: source port
- vd: index of virtual domain; -1 matches all
Output Examples
Sample output: forward policy with SNAT, with timestamps and function names enabled. Read it top to bottom: the packet arrives on internal, a session is allocated, DNAT is checked (no match), a route via wan1 is found, the forward policies in group 100004 are checked in order until policy 9 matches, an SNAT address is taken from the IP pool, and the packet is allowed by policy 9 (named "AV SNAT") and handed to the application layer for inspection:
FGT60D4613018571 # 2016-05-27 11:12:19 id=20085 trace_id=1001 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.168.1.110:51663->93.184.216.34:80) from internal. flag [S], seq 112318697,"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=init_ip_session_common line=4629 msg="allocate a new session-00002d4b"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_dnat_check line=4637 msg="in-[internal], out-[]"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_dnat_tree_check line=834 msg="len=0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_dnat_check line=4650 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.17.97.3 via wan1"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_fwd_check line=630 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=5"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-7, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-9, ret-matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_user_identity_check line=1676 msg="ret-matched"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check line=2051 msg="gnum-4e21, check-f8afc480"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-4e21 policy-0, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-4e21 policy-1, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-4e21 policy-1, ret-matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=2022 msg="policy-1 is matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check line=2070 msg="gnum-4e21 check result: ret-matched, act-accept, flag-00200008, flag2-00000000"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=get_new_addr line=2766 msg="find SNAT: IP-172.17.96.32(from IPPOOL), port-51663"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=2022 msg="policy-9 is matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-9"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_reverse_dnat_check line=800 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=fw_forward_handler line=675 msg="Allowed by Policy-9: AV SNAT"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=av_receive line=262 msg="send to application layer"
Sample output: IPsec (policy-based). The first packet (trace_id=1) creates the session, matches the encrypt policy and enters the tunnel; the second packet (trace_id=2) finds the existing session and goes straight to the tunnel without a new policy lookup:
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="allocate a new session-00001cd3"
id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=1 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"
id=20085 trace_id=2 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"
id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=2 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"
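A 100-packet trace is several hundred lines, and what you actually want from it per flow is the 5-tuple, ingress/egress interface, route, session, the policies that were evaluated, NAT and the final verdict. The following Python script is an added example written for this page (it is not Fortinet code and not part of the original wiki page): it groups debug-flow lines by trace_id and reduces each flow to those facts. It handles both output shapes shown above, with and without the timestamp and func=/line= fields that console timestamp enable and show function-name enable add. The sample lines embedded in it are constructed: flow 1001 mirrors the forward-policy trace above, flow 1002 is a made-up denied connection added to show the "Denied by forward policy check (policy 0)" case (policy 0 being the implicit deny), and trace 1 follows the policy-based IPsec shape.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of 'diagnose debug flow' output (not a real capture).
SAMPLE = """\
2016-05-27 11:12:19 id=20085 trace_id=1001 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.168.1.110:51663->93.184.216.34:80) from internal. flag [S], seq 112318697,"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=init_ip_session_common line=4629 msg="allocate a new session-00002d4b"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.17.97.3 via wan1"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_fwd_check line=630 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-7, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-9, ret-matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=get_new_addr line=2766 msg="find SNAT: IP-172.17.96.32(from IPPOOL), port-51663"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=fw_forward_handler line=675 msg="Allowed by Policy-9: AV SNAT"
2016-05-27 11:12:20 id=20085 trace_id=1002 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.168.1.110:51700->93.184.216.34:23) from internal. flag [S], seq 5,"
2016-05-27 11:12:20 id=20085 trace_id=1002 func=init_ip_session_common line=4629 msg="allocate a new session-00002d4c"
2016-05-27 11:12:20 id=20085 trace_id=1002 func=iprope_fwd_check line=630 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
2016-05-27 11:12:20 id=20085 trace_id=1002 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-7, ret-no-match, act-accept"
2016-05-27 11:12:20 id=20085 trace_id=1002 func=fw_forward_handler line=700 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="allocate a new session-00001cd3"
id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
"""

# One debug-flow line. The timestamp and func=/line= fields are optional: they only
# appear when 'console timestamp enable' / 'show function-name enable' are set.
LINE_RE = re.compile(
    r'(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) )?'
    r'id=(?P<id>\d+) trace_id=(?P<trace_id>\d+)'
    r'(?: func=(?P<func>\S+))?(?: line=(?P<line>\d+))?'
    r' msg="(?P<msg>.*?)"?$')
PKT_RE = re.compile(r'received a packet\s*\(proto=(?P<proto>\d+), '
                    r'(?P<src>\S+):(?P<sport>\d+)->(?P<dst>\S+):(?P<dport>\d+)\) from (?P<iif>\S+?)\.')
NEW_SESS_RE = re.compile(r'allocate a new session-(?P<sid>[0-9a-f]+)')
OLD_SESS_RE = re.compile(r'Find an existing session, id-(?P<sid>[0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: (?:flags=\S+ )?gw-(?P<gw>\S+) via (?P<oif>\S+)')
IO_RE = re.compile(r'^in-\[(?P<iif>[^\]]*)\], out-\[(?P<oif>[^\]]*)\]')
CHECK_RE = re.compile(r'checked gnum-(?P<gnum>\w+) policy-(?P<pid>\d+), ret-(?P<ret>[\w-]+), act-(?P<act>\w+)')
SNAT_RE = re.compile(r'find SNAT: IP-(?P<ip>\S+?)\(from (?P<pool>[^)]+)\), port-(?P<port>\d+)')
TUNNEL_RE = re.compile(r'enter IPsec tunnel-(?P<tunnel>\S+)')
ALLOW_RE = re.compile(r'^Allowed by Policy-(?P<pid>\d+)(?:: (?P<name>.+))?$')


def _new_flow(tid):
    return {'trace_id': tid, 'packet': None, 'iif': None, 'oif': None, 'gateway': None,
            'session': None, 'new_session': None, 'checked': [], 'snat': None,
            'tunnel': None, 'verdict': None, 'policy': None, 'verdict_msg': None}


def summarize(text):
    """Group debug-flow lines by trace_id and reduce each flow to the facts read off a trace."""
    flows = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)           # search() tolerates a leading CLI prompt
        if not m:
            continue                      # blank lines or unrelated debug output
        f = flows.setdefault(m['trace_id'], _new_flow(m['trace_id']))
        msg = m['msg']
        if (p := PKT_RE.search(msg)):
            f['packet'] = (int(p['proto']), p['src'], int(p['sport']), p['dst'], int(p['dport']))
            f['iif'] = p['iif']
        elif (s := NEW_SESS_RE.search(msg)):
            f['session'], f['new_session'] = s['sid'], True
        elif (s := OLD_SESS_RE.search(msg)):
            f['session'], f['new_session'] = s['sid'], False
        elif (r := ROUTE_RE.search(msg)):
            f['gateway'], f['oif'] = r['gw'], r['oif']
        elif (io := IO_RE.match(msg)):
            f['iif'] = f['iif'] or io['iif'] or None
            f['oif'] = io['oif'] or f['oif']      # "out-[]" is empty before routing
        elif (c := CHECK_RE.search(msg)):
            f['checked'].append((c['gnum'], int(c['pid']), c['ret'], c['act']))
        elif (n := SNAT_RE.search(msg)):
            f['snat'] = (n['ip'], n['pool'], int(n['port']))
        elif (t := TUNNEL_RE.search(msg)):
            f['tunnel'] = t['tunnel']
        elif (a := ALLOW_RE.match(msg)):
            f['verdict'], f['policy'], f['verdict_msg'] = 'allowed', int(a['pid']), msg
        elif msg.startswith('Denied by') or msg.endswith('drop'):
            # e.g. "Denied by forward policy check (policy 0)": policy 0 is the implicit deny
            f['verdict'], f['verdict_msg'] = 'denied', msg
            d = re.search(r'policy (\d+)', msg)
            f['policy'] = int(d[1]) if d else None
    return flows


def render(flows):
    """One line per trace, the way it would be summarised in a ticket."""
    out = []
    for f in flows.values():
        pkt = f['packet']
        tuple_s = f'proto={pkt[0]} {pkt[1]}:{pkt[2]}->{pkt[3]}:{pkt[4]}' if pkt else 'no packet header'
        egress = f['tunnel'] and f'tunnel {f["tunnel"]}' or f['oif'] or '?'
        snat = f", SNAT {f['snat'][0]}:{f['snat'][2]}" if f['snat'] else ''
        out.append(f"trace {f['trace_id']}: {tuple_s} {f['iif'] or '?'}->{egress}"
                   f" session={f['session']} policies checked={[c[1] for c in f['checked']]}"
                   f" verdict={f['verdict'] or 'none'} policy={f['policy']}{snat}")
    return out


if __name__ == '__main__':
    for line in render(summarize(SAMPLE)):
        print(line)
```

Feed it the console output of a real trace instead of SAMPLE (for example, paste it into a file and call summarize(open(path).read())). The 'checked' list is only populated when show iprope enable is on; without it you still get the verdict line, but not the list of policies that were evaluated before the match.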
Useful Links
- https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/54688/debugging-the-packet-flow
- https://docs.fortinet.com/document/fortigate/6.2.12/cookbook/54688/debugging-the-packet-flow
- https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560
- https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Enable-Policy-Trace-in-Debug-Flow/ta-p/190674