In this post, I will give an overview of the flow trace troubleshooting tool (diag debug flow) available on FortiGate devices. This tool lets you see what happens to your traffic as it traverses the FortiGate: you can find out which policy ID is being hit, what NAT is taking place, and whether the traffic is being encrypted (for example, sent into an IPsec tunnel).
The output I am showing you in this post is from a FortiGate 80C running FortiOS 5.4.1
We start off by checking the current debug status on the FortiGate, using the command # diag debug info
Lab-FG # diag debug info
debug output: disable
console timestamp: disable
console no user log message: disable
CLI debug level: 3
This shows us whether any debugs are currently enabled; if so, clear them with the command # diag debug reset
Note: After every debug session it is worth running “diag debug reset” and “diag debug disable”, as the debug could otherwise still be running and taking up system memory.
Once previous debugs have been cleared, we want to enable debug output; this is achieved by running # diag debug enable
Another important step is to filter our flow. This ensures we only receive output for the interesting traffic, i.e. the traffic we are troubleshooting; an unfiltered flow trace on a busy firewall floods the console and costs CPU. Note that the filter options are combined: when more than one is set, a packet must match all of them to be traced.
Lab-FG # diag debug flow
filter Trace packet with filter.
filter6 Trace packet with IPv6 filter.
trace Start/stop trace.
show Enable/disable display of trace on console.
We can see that typing “diag debug flow ?” presents the above options. We will use “filter” to see the further options.
Lab-FG # diag debug flow filter
clear Clear filter.
vd Index of virtual domain.
proto Protocol number.
addr IP address.
saddr Source IP address.
daddr Destination IP address.
sport Source port.
dport Destination port.
negate Inverse filter.
For this demonstration, I will target HTTP traffic to synack.co.uk, using an IP of 18.104.22.168 and port 80
Lab-FG # diag debug flow filter daddr 22.214.171.124
Lab-FG # diag debug flow filter dport 80
Now that we have enabled debug and configured our filters, we need to tell the FortiGate to display the flow output on the console. We will also start the trace and limit it to the first 500 packets traced.
Note: If you don’t normally log all of your console session output, it is worth enabling logging for this flow trace so you can review the output retrospectively.
Lab-FG # diag debug flow show console enable
Lab-FG # diag debug flow trace start 500
Below we can see the interesting traffic we selected through the filter:
Lab-FG # id=20085 trace_id=1 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 172.16.22.34:17716->126.96.36.199:80) from port1. flag [S], seq 2194730952, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4629 msg="allocate a new session-0032ba58"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-94.x.x.x via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=675 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2606 msg="SNAT 172.16.22.34->94.x.x.x:17716"
The noteworthy parts of this output are, in order of appearance:
- The original source and destination IPs/ports
- The ingress interface on the FortiGate
- The next hop and the egress interface
- The action (Allowed) and the policy ID; note also that the policy is flagged as performing SNAT
- The original source address and the SNATed source address (if DNAT is applied, you will also see it in the flow trace)
Note: In reality you will have a far greater amount of output; I have pulled just one trace for this example. Also bear in mind that the flow trace only shows packets handled by the CPU: once a session has been offloaded to a network processor (NP), its packets no longer appear in the trace. If you only ever see the first packet or two of a session, that is usually why, and you can temporarily set auto-asic-offload to disable on the policy in question while you troubleshoot.
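Since a real trace run produces several lines for every trace_id, here is an added Python helper (not from the original post and not a Fortinet tool) that groups “diag debug flow” output by trace_id and pulls out the five items listed above per packet. The first trace in the embedded sample is the page’s own output; the deny trace and the VIP/DNAT trace are constructed lines in the same FortiOS 5.4 message style and are assumptions about that wording, so compare them against your own console output before relying on the regular expressions.

```python
import re
from collections import OrderedDict

# Constructed sample (not a real capture). Trace 1 is the post's own allowed+SNAT
# trace; traces 2 (policy deny) and 3 (VIP/DNAT) are made up in the same style.
SAMPLE = '''\
id=20085 trace_id=1 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 172.16.22.34:17716->126.96.36.199:80) from port1. flag [S], seq 2194730952, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4629 msg="allocate a new session-0032ba58"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-94.x.x.x via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=675 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2606 msg="SNAT 172.16.22.34->94.x.x.x:17716"
id=20085 trace_id=2 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 172.16.22.50:40001->126.96.36.199:80) from port1. flag [S], seq 1, ack 0, win 8192"
id=20085 trace_id=2 func=init_ip_session_common line=4629 msg="allocate a new session-0032ba59"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-94.x.x.x via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=544 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 198.51.100.7:51000->94.x.x.x:80) from wan1. flag [S], seq 2, ack 0, win 8192"
id=20085 trace_id=3 func=init_ip_session_common line=4629 msg="allocate a new session-0032ba5a"
id=20085 trace_id=3 func=fw_pre_route_handler line=180 msg="VIP-172.16.22.80:80, outdev-wan1"
id=20085 trace_id=3 func=__ip_fw_dnat line=0 msg="DNAT 94.x.x.x:80->172.16.22.80:80"
id=20085 trace_id=3 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.16.22.80 via port1"
id=20085 trace_id=3 func=fw_forward_handler line=675 msg="Allowed by Policy-4:"
'''

# One flow line; func=/line= are optional (absent when function-name display is off).
# Curly quotes that appear in copied console logs are accepted as well.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+(?:func=\S+\s+line=\d+\s+)?'
                     r'msg=["\u201c\u201d\u2033](?P<msg>.*)["\u201c\u201d\u2033]\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\w.]+:\d+)'
                    r'->(?P<dst>[\w.]+:\d+)\) from (?P<in_if>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*?gw-(?P<gw>\S+) via (?P<out_if>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pid>\d+):?\s*(?P<flags>.*)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pid>\d+)\)')
NAT_RE = re.compile(r'^(?P<kind>SNAT|DNAT) (?P<orig>[\w.:]+)->(?P<new>[\w.:]+)')


def parse_flow_trace(text):
    """Group flow output by trace_id and extract original tuple, ingress
    interface, next hop/egress interface, verdict + policy ID and NATs."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echo, blank line or unrelated debug output
        tid = int(m['tid'])
        t = traces.setdefault(tid, {
            'trace_id': tid, 'proto': None, 'src': None, 'dst': None,
            'in_if': None, 'gw': None, 'out_if': None,
            'verdict': None, 'policy': None, 'nat': [],
        })
        msg = m['msg']
        pm = PKT_RE.search(msg)
        if pm:
            t.update(proto=int(pm['proto']), src=pm['src'], dst=pm['dst'], in_if=pm['in_if'])
            continue
        rm = ROUTE_RE.search(msg)
        if rm:
            t.update(gw=rm['gw'], out_if=rm['out_if'])
            continue
        am = ALLOW_RE.search(msg)
        if am:
            t.update(verdict='allow', policy=int(am['pid']))
            continue
        dm = DENY_RE.search(msg)
        if dm:
            t.update(verdict='deny', policy=int(dm['pid']))
            continue
        nm = NAT_RE.match(msg)
        if nm:
            t['nat'].append((nm['kind'], nm['orig'], nm['new']))
    return list(traces.values())


def effective_tuple(t):
    """Apply recorded NATs: SNAT rewrites the source, DNAT the destination.
    If a NAT message carries no port, the original port is kept."""
    src, dst = t['src'], t['dst']
    for kind, _orig, new in t['nat']:
        if kind == 'SNAT':
            src = new if ':' in new else f"{new}:{src.rsplit(':', 1)[1]}"
        else:
            dst = new if ':' in new else f"{new}:{dst.rsplit(':', 1)[1]}"
    return src, dst


def summarize(text):
    """One line per trace_id: the facts a troubleshooter wants at a glance."""
    out = []
    for t in parse_flow_trace(text):
        src, dst = effective_tuple(t)
        nat = ' '.join(f"{k} {o}->{n}" for k, o, n in t['nat']) or 'no NAT'
        out.append(f"trace {t['trace_id']}: {t['src']}->{t['dst']} in={t['in_if']} "
                   f"out={t['out_if'] or '?'} gw={t['gw'] or '?'} "
                   f"{(t['verdict'] or 'no verdict').upper()} policy={t['policy']} "
                   f"{nat} post-NAT {src}->{dst}")
    return out


if __name__ == '__main__':
    for line in summarize(SAMPLE):
        print(line)
```

Feed it the saved console session instead of SAMPLE and the deny lines stand out immediately; the post-NAT tuple is the one to compare against what the next hop actually receives. Lines the parser does not recognise (session allocation, VIP lookup and so on) are simply skipped, so add a pattern whenever a message in your own output carries something you need.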
Now that we have completed our trace and hopefully got a step closer to solving the issue, we need to disable and reset our debug. This is achieved with the following two commands:
Lab-FG # diag debug disable
Lab-FG # diag debug reset
More FortiGate troubleshooting guides, as well as guides for other firewalls/devices, will follow soon. For now, thank you for reading!