FORTIGATE - Packet Debug Flow

From Wiki.IT-Arts.net
Revision as of 12:26, 20 August 2024 by Admin (talk | contribs)


FortiOS 6.2.12 Cookbook / FortiOS 7.4.3 Administration Guide

Quick Example

To stop all other debug output and clear the filter, type:

diag debug flow trace stop
diag debug flow filter clear

The following example shows the flow trace for a device with an IP address of W.X.Y.Z:

diagnose debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diag debug enable


diag debug flow show iprope enable

Show debug messages indicating which policies are checked and eventually matched or not matched by the traffic specified in the debug flow filter:

diag debug enable
diag debug console timestamp enable
diagnose debug flow filter addr W.X.Y.Z
!
diag debug flow show iprope enable
!
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable


Diag Debug Flow Step By Step

1) #diagnose debug disable

diag debug disable

2) #diagnose debug flow trace stop

diag debug flow trace stop

3) #diagnose debug flow filter clear

diag debug flow filter clear

4) #diagnose debug reset

diag debug reset

5) #diagnose debug flow filter addr x.x.x.x

diag debug flow filter addr x.x.x.x

6) #diagnose debug flow show console enable

diag debug flow show console enable

7) #diagnose debug flow show function-name enable

diag debug flow show function-name enable

8) #diagnose debug console timestamp enable

diag debug console timestamp enable

9) #diagnose debug flow trace start 999

diag debug flow trace start 999

10) #diagnose debug enable

diag debug enable

When done, run diagnose debug disable to stop the debug output:

diag debug disable


Diagnose Debug Flow Command

To start flow monitoring with a specific number of packets:

diagnose debug flow trace start <N>

To stop flow tracing at any time:

diagnose debug flow trace stop

To follow packet flow by setting a flow filter:

# diagnose debug flow {filter | filter6} <option>
  • Enter filter if your network uses IPv4.
  • Enter filter6 if your network uses IPv6.

Replace <option> with one of the following variables:

Variable    Description

addr        IPv4 or IPv6 address
clear       clear filter
daddr       destination IPv4 or IPv6 address
dport       destination port
negate      inverse IPv4 or IPv6 filter
port        port
proto       protocol number
saddr       source address
sport       source port
vd          index of virtual domain; -1 matches all


Output Examples

FGT60D4613018571 # 2016-05-27 11:12:19 id=20085 trace_id=1001 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.168.1.110:51663->93.184.216.34:80) from internal. flag [S], seq 112318697,"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=init_ip_session_common line=4629 msg="allocate a new session-00002d4b"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_dnat_check line=4637 msg="in-[internal], out-[]"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_dnat_tree_check line=834 msg="len=0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_dnat_check line=4650 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.17.97.3 via wan1"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_fwd_check line=630 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=5"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-7, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-9, ret-matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_user_identity_check line=1676 msg="ret-matched"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check line=2051 msg="gnum-4e21, check-f8afc480"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-4e21 policy-0, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-4e21 policy-1, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-4e21 policy-1, ret-matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=2022 msg="policy-1 is matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check line=2070 msg="gnum-4e21 check result: ret-matched, act-accept, flag-00200008, flag2-00000000"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=get_new_addr line=2766 msg="find SNAT: IP-172.17.96.32(from IPPOOL), port-51663"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=2022 msg="policy-9 is matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-9"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=iprope_reverse_dnat_check line=800 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-0"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=fw_forward_handler line=675 msg="Allowed by Policy-9: AV SNAT"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=av_receive line=262 msg="send to application layer"


Sample output: IPsec (policy-based)

id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="allocate a new session-00001cd3"
id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=1 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"
id=20085 trace_id=2 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"
id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"
id=20085 trace_id=2 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"
id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"
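As an added example (not from this wiki or from Fortinet), a small Python parser for the two output formats shown above, with and without the func=/line= fields, that groups lines by trace_id and extracts the packet tuple, every policy checked, the SNAT address, the verdict and any IPsec tunnel entered. The "Denied by forward policy check" pattern and the inline sample lines are assumptions shaped after the page's output.

```python
import re
from collections import defaultdict
# One "diagnose debug flow" line. Timestamp, func= and line= are optional: output captured
# without "show function-name" / "console timestamp" (as in the IPsec sample) omits them.
LINE_RE = re.compile(
    r'(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )?id=\d+ trace_id=(?P<trace>\d+)'
    r'(?: func=(?P<func>\S+))?(?: line=\d+)? msg="(?P<msg>.*)"$')

def parse_line(line):
    """Parse one flow-trace line into (trace_id, func, msg); None if it is not one."""
    line = re.sub(r'^\S+ # ', '', line.strip())  # drop a leading "<hostname> # " prompt
    m = LINE_RE.match(line)
    return (m['trace'], m['func'], m['msg']) if m else None

def summarize(lines):
    """Group lines by trace_id and keep what an analyst needs from each packet's trace."""
    traces = defaultdict(lambda: {"packet": None, "checked": [], "snat": None,
                                  "verdict": None, "tunnel": None})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # blank line, prompt echo or other debug output
        trace, _func, msg = rec
        t = traces[trace]
        if m := re.search(r'received a packet\s*\(proto=(\d+), ([^)]+)\)', msg):
            t["packet"] = {"proto": int(m[1]), "tuple": m[2]}
        elif m := re.match(r'checked gnum-(\S+) policy-(\d+), ret-([\w-]+)', msg):
            t["checked"].append((m[1], int(m[2]), m[3]))  # every policy tried, in order
        elif m := re.match(r'find SNAT: IP-(\S+)\(([^)]*)\), port-(\d+)', msg):
            t["snat"] = {"ip": m[1], "origin": m[2], "port": int(m[3])}
        elif m := re.match(r'Allowed by Policy-(\d+)(?:: (.*))?', msg):
            t["verdict"] = {"action": "accept", "policy": int(m[1]), "name": m[2]}
        elif m := re.match(r'Denied by forward policy check \(policy (\d+)\)', msg):
            t["verdict"] = {"action": "deny", "policy": int(m[1]), "name": None}  # assumed form
        elif m := re.match(r'enter IPsec tunnel-(\S+)', msg):
            t["tunnel"] = m[1]
    return dict(traces)

# Constructed sample in the shape of the page's two outputs (HTTP with SNAT; policy-based IPsec).
SAMPLE = """\
FGT60D4613018571 # 2016-05-27 11:12:19 id=20085 trace_id=1001 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 192.168.1.110:51663->93.184.216.34:80) from internal. flag [S], seq 112318697,"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-7, ret-no-match, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=__iprope_check_one_policy line=1841 msg="checked gnum-100004 policy-9, ret-matched, act-accept"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=get_new_addr line=2766 msg="find SNAT: IP-172.17.96.32(from IPPOOL), port-51663"
2016-05-27 11:12:19 id=20085 trace_id=1001 func=fw_forward_handler line=675 msg="Allowed by Policy-9: AV SNAT"
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
""".splitlines()
```

Feed it a capture of the console (for example the output saved from a terminal session) and each trace_id tells you which policy accepted or denied the packet and whether it was NATed or tunnelled.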


Useful Links