Troubleshooting FortiGate command line check debugging trace sniffer


Log in via SSH.
If VDOMs are enabled, enter the VDOM first: config vdom

Troubleshooting examples for debugging a FortiGate:

Reverse path check, iprope (policy lookup), policy check, etc.

DNS port only:

diag debug reset
diag debug flow filter clear
diag debug flow filter port 53
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000

Source address and port 80 only:

diag debug reset
diag debug flow filter clear
diag debug flow filter saddr 192.168.6.53
diag debug flow filter port 80
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000

Destination address and port 443 only:

diag debug reset
diag debug flow filter clear
diag debug flow filter daddr 192.168.5.64
diag debug flow filter port 443
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000

Combination of source and destination address, no port filter:

diag debug reset
diag debug flow filter clear
diag debug flow filter saddr 10.5.200.7
diag debug flow filter daddr 192.168.5.4
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000

You can combine the above filters as needed.

Don't forget to DISABLE the trace and the debug output after every diag debug session, otherwise the filter and the debug flags stay active:

diag deb flow trace stop
diag deb dis

Troubleshooting routing:

diagnose ip router ospf level info
diagnose ip router ospf all enable
diag debug enable

> Set the level back to none afterwards to clear the routing debug.

Session troubleshooting with the built-in sniffer:

Examples (the trailing arguments are verbosity level 4, packet count 0 = unlimited, and 'a' for absolute timestamps):

Source and destination:

diagnose sniffer packet any 'host 8.8.8.8 and 10.10.138.2' 4 0 a

Source or destination and port:

diagnose sniffer packet any 'host 8.8.8.8 and port 53' 4 0 a

Output:

interfaces=[any]
filters=[host 8.8.8.8 and port 53]

16 packets received by filter
0 packets dropped by kernel

How to clear sessions:

Example, clearing sessions by source address or by destination port:

diagnose sys session filter src 192.168.1.110 (filter on source address; use dst for the destination address)
or
diagnose sys session filter dport 80 (filter on destination port 80)

diagnose sys session filter clear (clear the filter)

diagnose sys session list (list all sessions that match the above filter)

diagnose sys session clear (clear all sessions that match the above filter)

NOTE: if you don't specify a filter, ALL sessions on the firewall will be cleared and users will lose their sessions with apps, websites, etc.
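As an added example (not part of the original post), the following Python helper builds the two command sequences above from a filter and enforces the two caveats the post makes: every flow trace comes with its teardown commands, and a session clear without any filter is refused. Sending the commands over SSH is left to the caller; the function names here are my own.

```python
import ipaddress

# Constructed helper for the FortiGate CLI sequences described in the post.
# It only builds command lists; it does not connect to a device.

def _check_port(port):
    """Validate a TCP/UDP port number and return it as a string."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port {port}")
    return str(int(port))

def build_flow_trace(saddr=None, daddr=None, port=None, count=1000):
    """Return (setup, teardown) command lists for 'diag debug flow'.
    Any combination of saddr, daddr and port is accepted, matching the
    examples in the post; addresses are validated before use."""
    filters = []
    if saddr:
        filters.append(f"diag debug flow filter saddr {ipaddress.ip_address(saddr)}")
    if daddr:
        filters.append(f"diag debug flow filter daddr {ipaddress.ip_address(daddr)}")
    if port is not None:
        filters.append(f"diag debug flow filter port {_check_port(port)}")
    setup = ["diag debug reset", "diag debug flow filter clear", *filters,
             "diag debug flow show console enable",
             "diag debug flow show iprope enable",
             "diag debug flow show function-name enable",
             "diag debug console timestamp enable",
             "diag debug enable",
             f"diag debug flow trace start {int(count)}"]
    # Teardown must always be run afterwards, otherwise debug stays enabled.
    teardown = ["diag debug flow trace stop", "diag debug disable"]
    return setup, teardown

def build_session_clear(src=None, dst=None, dport=None):
    """Return the filter/list/clear commands for 'diagnose sys session'.
    Refuses to build the sequence with no filter, because an unfiltered
    'diagnose sys session clear' drops every session on the firewall."""
    filters = []
    if src:
        filters.append(f"diagnose sys session filter src {ipaddress.ip_address(src)}")
    if dst:
        filters.append(f"diagnose sys session filter dst {ipaddress.ip_address(dst)}")
    if dport is not None:
        filters.append(f"diagnose sys session filter dport {_check_port(dport)}")
    if not filters:
        raise ValueError("refusing to clear all sessions: give src, dst or dport")
    return ["diagnose sys session filter clear", *filters,
            "diagnose sys session list", "diagnose sys session clear"]
```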

Clear ARP cache:

execute clear system arp table

2 Responses so far.

  1. Hi, if I want to view traffic for a source address, no source port, then do I have to enter all these commands: diag debug reset
    diag debug flow filter clear
    diag debug flow filter saddr 10.5.200.7
    diag debug flow filter daddr 192.168.5.4
    diag debug flow show console enable
    diag debug flow show iprope enable
    diag debug flow show function-name enable
    diag debug console timestamp enable
    diag debug enable
    diag debug flow trace start 1000

    or can I just enter diag debug flow filter saddr x.x.x.x and be able to view the connections for the source address? Because I'm entering this command and it returns nothing, no output.

  2. Hello,

    you should be able to do that like you stated. If you use the daddr option instead, do you have the same result?

    Angelo
