Troubleshooting FortiGate command line check debugging trace sniffer
- Angelo Schalley
- Nov 10, 2016
- Fortigate/Fortinet, Networking, security
- 2 Comments
Login via ssh.
If VDOMs are enabled, enter the VDOM first: config vdom, then edit <vdom-name> (placeholder for your VDOM name).
Troubleshooting examples for debugging a FortiGate with the flow trace, which shows the reverse path check, the iprope (policy lookup) result, the policy match, and so on :
DNS port only :
diag debug reset
diag debug flow filter clear
diag debug flow filter port 53
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000
Source address and port 80 only :
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr 192.168.6.53
diag debug flow filter port 80
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000
Destination address and port 443 only :
diag debug reset
diag debug flow filter clear
diag debug flow filter daddr 192.168.5.64
diag debug flow filter port 443
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000
Combination source and destination address, no source port :
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr 10.5.200.7
diag debug flow filter daddr 192.168.5.4
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000
You can combine the filters above as needed (saddr, daddr, port, sport, dport, proto); all set filters are ANDed, so only packets matching every criterion are traced.
Always stop the trace and disable debugging when you are done, otherwise the trace keeps writing to the console until the packet count (1000 above) is reached :
diag deb flow trace stop
diag deb dis
diag debug reset (resets the flow filter and all other debug settings)
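Reading the trace is the hard part. The script below is an added example and not part of the original post: it parses the text a FortiGate prints after diag debug flow trace start, groups the lines by trace_id and reports, per trace, the packet header, the route that was found and the verdict (allowed by policy N, denied by the forward policy check, reverse path check fail, local-in check fail). The SAMPLE lines are constructed to resemble FortiOS flow-trace output; the id, func and line values and the exact msg strings are assumptions to check against your own firmware version, and parse_trace_line, summarize and report are the script's own names.

```python
"""Summarise 'diag debug flow' output per trace_id.

Added example, not part of the original post. SAMPLE is constructed to look
like FortiOS flow-trace output; the id/func/line values and the msg strings
are assumptions, verify them against your own firmware version.
"""
import re

# One trace line: optional console timestamp, then key=value fields, msg last.
LINE_RE = re.compile(
    r'^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?'
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# Packet header carried by the first message of a trace.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) from (?P<iface>[\w-]+)'
)
# Verdict patterns; the first one that matches decides the trace.
VERDICTS = [
    (re.compile(r'Allowed by Policy-(\d+)'), "allowed policy {0}"),
    (re.compile(r'Denied by forward policy check \(policy (\d+)\)'), "denied policy {0}"),
    (re.compile(r'reverse path check fail'), "denied rpf"),
    (re.compile(r'iprope_in_check\(\) check failed'), "denied local-in"),
]

# Constructed sample: one allowed flow, one denied by policy, one RPF failure.
SAMPLE = """\
interfaces=[any]
2016-11-10 10:00:00 id=20085 trace_id=1 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 192.168.1.10:51234->8.8.8.8:53) from port2."
2016-11-10 10:00:00 id=20085 trace_id=1 func=init_ip_session_common line=4622 msg="allocate a new session-0000abcd"
2016-11-10 10:00:00 id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: gw-203.0.113.1 via port1"
2016-11-10 10:00:00 id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-5: SNAT"
2016-11-10 10:00:01 id=20085 trace_id=2 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 10.5.200.7:40000->192.168.5.4:443) from port3."
2016-11-10 10:00:01 id=20085 trace_id=2 func=init_ip_session_common line=4622 msg="allocate a new session-0000abce"
2016-11-10 10:00:01 id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: gw-192.168.5.4 via port2"
2016-11-10 10:00:01 id=20085 trace_id=2 func=fw_forward_handler line=440 msg="Denied by forward policy check (policy 0)"
2016-11-10 10:00:02 id=20085 trace_id=3 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 192.168.6.53:5000->8.8.4.4:53) from port1."
2016-11-10 10:00:02 id=20085 trace_id=3 func=ip_route_input_slow line=1900 msg="reverse path check fail, drop"
"""


def parse_trace_line(line):
    """Fields of one trace line, or None for banners, prompts and blank lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group lines by trace_id; keep packet header, route and first verdict."""
    traces = {}
    for raw in lines:
        rec = parse_trace_line(raw)
        if rec is None:
            continue
        t = traces.setdefault(rec["trace"],
                              {"packet": None, "route": None, "verdict": "no verdict"})
        msg = rec["msg"]
        pkt = PKT_RE.search(msg)
        if pkt and t["packet"] is None:
            t["packet"] = pkt.groupdict()
        if msg.startswith("find a route:"):
            t["route"] = msg[len("find a route:"):].strip()
        if t["verdict"] == "no verdict":
            for pat, fmt in VERDICTS:
                vm = pat.search(msg)
                if vm:
                    t["verdict"] = fmt.format(*vm.groups())
                    break
    return traces


def report(text):
    """One human-readable line per trace, in the order the traces appeared."""
    out = []
    for tid, t in summarize(text.splitlines()).items():
        p = t["packet"] or {}
        out.append("trace %s: proto=%s %s -> %s in=%s route=%s verdict=%s" % (
            tid, p.get("proto"), p.get("src"), p.get("dst"), p.get("iface"),
            t["route"], t["verdict"]))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Paste a real trace in place of SAMPLE (or read it from a file) and look at the verdict column first: a "denied policy 0" means no policy matched, and a "denied rpf" means the source address is not routable back out of the interface it arrived on.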
Troubleshooting routing (OSPF example) :
diagnose ip router ospf level info
diagnose ip router ospf all enable
diag debug enable
> afterwards set the level back to none (diagnose ip router ospf level none) and disable debugging (diag debug disable) …
Packet capture (sniffer) for session troubleshooting :
Syntax : diagnose sniffer packet <interface> '<tcpdump-style filter>' <verbosity> <count> <timestamp>. In the examples below 4 = print the packet headers with the interface name, 0 = no packet limit (stop with Ctrl-C), a = absolute (UTC) timestamps.
Example :
Source and destination :
diagnose sniffer packet any 'host 8.8.8.8 and 10.10.138.2' 4 0 a
Source or destination and port :
diagnose sniffer packet any 'host 8.8.8.8 and port 53' 4 0 a
output (the summary printed when the capture is stopped with Ctrl-C) :
interfaces=[any]
filters=[host 8.8.8.8 and port 53]
16 packets received by filter
0 packets dropped by kernel
How to clear sessions :
Example : filter on source address or destination port, check the match, then clear :
diagnose sys session filter clear (start from an empty filter so no stale criterion from an earlier run is still active)
diagnose sys session filter src 192.168.1.110 (filter on source address; use dst for the destination address)
or
diagnose sys session filter dport 80 (filter on destination port 80)
diagnose sys session list (list the sessions that match the current filter)
diagnose sys session clear (clear the sessions that match the current filter)
NOTE : if you don't set a filter, ALL sessions on the firewall are cleared and users lose their sessions with apps, websites, etc. Always run diagnose sys session list first and check that only the intended sessions match.
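Because an empty filter clears every session, it pays to preview the match off-box before typing the clear. The script below is an added example and not part of the original post: parse_session_list reads the text of diagnose sys session list and keeps, per session, the protocol, the original-direction addresses and ports and the policy id; select_sessions applies the same AND semantics as the CLI filter and refuses an empty filter; cli_commands emits the matching CLI sequence. SAMPLE is constructed in the shape of FortiOS session output and trimmed to the lines this script reads, so the field names are assumptions to check against your firmware version; the function names are the script's own.

```python
"""Preview which sessions a 'diagnose sys session filter' would match before
running 'diagnose sys session clear'.

Added example, not part of the original post. SAMPLE is constructed in the
shape of 'diagnose sys session list' output and trimmed to the lines read
here; field names are assumptions to verify against your firmware version.
"""
import re

SESSION_RE = re.compile(r'^session info: proto=(?P<proto>\d+)')
# Original-direction tuple: hook=post dir=org act=snat A:p->B:q(NAT...)
TUPLE_RE = re.compile(
    r'^hook=\S+ dir=org act=\S+ '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)'
)
POLICY_RE = re.compile(r'\bpolicy_id=(?P<policy>\d+)')

# Constructed sample: two sessions from 192.168.1.110 (HTTP and DNS), one from 192.168.1.20.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty none
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.168.1.110
hook=post dir=org act=snat 192.168.1.110:51234->93.184.216.34:80(203.0.113.2:51234)
hook=pre dir=reply act=dnat 93.184.216.34:80->203.0.113.2:51234(192.168.1.110:51234)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=17 proto_state=01 duration=3 expire=177 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=may_dirty none
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.168.1.110
hook=post dir=org act=snat 192.168.1.110:40000->8.8.8.8:53(203.0.113.2:40000)
hook=pre dir=reply act=dnat 8.8.8.8:53->203.0.113.2:40000(192.168.1.110:40000)
misc=0 policy_id=5 auth_info=0 chk_client_info=0 vd=0
serial=0000abce tos=ff/ff app_list=0 app=0 url_cat=0
session info: proto=6 proto_state=01 duration=40 expire=3560 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=log may_dirty none
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.1/192.168.1.20
hook=post dir=org act=snat 192.168.1.20:52000->93.184.216.34:80(203.0.113.2:52000)
hook=pre dir=reply act=dnat 93.184.216.34:80->203.0.113.2:52000(192.168.1.20:52000)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
serial=0000abcf tos=ff/ff app_list=0 app=0 url_cat=0
total session 3
"""


def parse_session_list(text):
    """One dict per session: proto, src, sport, dst, dport, policy."""
    sessions = []
    cur = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"proto": int(m.group("proto")), "src": None, "sport": None,
                   "dst": None, "dport": None, "policy": None}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        m = TUPLE_RE.match(line)
        if m and cur["src"] is None:
            cur.update(src=m.group("src"), sport=int(m.group("sport")),
                       dst=m.group("dst"), dport=int(m.group("dport")))
            continue
        m = POLICY_RE.search(line)
        if m and cur["policy"] is None:
            cur["policy"] = int(m.group("policy"))
    return sessions


def select_sessions(sessions, src=None, dst=None, dport=None, proto=None):
    """Same semantics as the CLI filter: every given criterion must match.
    An empty filter is refused, because 'diagnose sys session clear' with
    no filter drops every session on the unit."""
    crit = {k: v for k, v in
            {"src": src, "dst": dst, "dport": dport, "proto": proto}.items()
            if v is not None}
    if not crit:
        raise ValueError("empty filter: 'diagnose sys session clear' would drop ALL sessions")
    return [s for s in sessions if all(s[k] == v for k, v in crit.items())]


def cli_commands(src=None, dst=None, dport=None, proto=None):
    """CLI sequence for the same filter, starting with 'filter clear' so a
    stale criterion from an earlier run cannot widen or narrow the match."""
    cmds = ["diagnose sys session filter clear"]
    for k, v in {"src": src, "dst": dst, "dport": dport, "proto": proto}.items():
        if v is not None:
            cmds.append("diagnose sys session filter %s %s" % (k, v))
    return cmds + ["diagnose sys session list", "diagnose sys session clear"]


if __name__ == "__main__":
    sessions = parse_session_list(SAMPLE)
    for s in select_sessions(sessions, src="192.168.1.110", dport=80):
        print(s)
    print("\n".join(cli_commands(src="192.168.1.110", dport=80)))
```

Run it against the saved output of diagnose sys session list; if the preview shows more than the sessions you meant to drop, tighten the filter before running the clear.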
Clear the ARP cache :
execute clear system arp table
Hi, if I want to view traffic for a source address, with no source port, do I have to enter all these commands:
diag debug reset
diag debug flow filter clear
diag debug flow filter saddr 10.5.200.7
diag debug flow filter daddr 192.168.5.4
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000
Or can I just enter diag debug flow filter saddr x.x.x.x and be able to view the connection for the source address? Because I'm entering this command and it returns nothing, no output.
Hello,
You should be able to do that as you stated. If you use the daddr option instead, do you get the same result?
Angelo