July 21, 2018

FortiGate :: Flow Diagnostics

(Last Updated On: 14th September 2016)

In this post, I will provide an overview of the flow troubleshooting tool available on FortiGate devices. This tool lets you see what is happening to your traffic as it traverses the FortiGate: you can obtain information such as the policy ID being matched, any NAT that is taking place and any encryption that occurs.

The output I am showing you in this post is from a FortiGate 80C running FortiOS 5.4.1.

We start off by checking the current status of debugging on the FortiGate; this is done using the command # diag debug info

Lab-FG # diag debug info
debug output: disable
console timestamp: disable
console no user log message: disable
CLI debug level: 3

This shows us whether any debugs are currently enabled; if so, you can clear them using the command # diag debug reset
Note: After every debug, it’s worth running “diag debug reset” and “diag debug disable” as the debug could still be running, which will take up system memory.

Once previous debugs have been cleared, we want to go ahead and enable debugs; this is achieved by running the following # diag debug enable

Another important step is to filter our flow. This ensures we only receive output for the interesting traffic, that is, the traffic we are troubleshooting.

Lab-FG # diag debug flow
filter     Trace packet with filter.
filter6    Trace packet with IPv6 filter.
trace      Start/stop trace.
show       Enable/disable display of trace on console.

We can see when typing “diag debug flow ?” we are presented with the above options. We will use “filter” to see further options.

Lab-FG # diag debug flow filter
clear      Clear filter.
vd         Index of virtual domain.
proto      Protocol number.
addr       IP address.
saddr      Source IP address.
daddr      Destination IP address.
port       Port.
sport      Source port.
dport      Destination port.
negate     Inverse filter.

For this demonstration, I will target HTTP traffic to synack.co.uk, using the IP address 64.37.49.183 and port 80.

Lab-FG # diag debug flow filter daddr 64.37.49.183
Lab-FG # diag debug flow filter dport 80

Now that we have enabled debugging and configured our filters, we need to set the FortiGate to display the flow output on the console. We will also set the flow to show the first 500 traces.
Note: If you don’t log all your console session output, it’s worth enabling it for this flow so you can retrospectively review the output.

Lab-FG # diag debug flow show console enable
Lab-FG # diag debug flow trace start 500

Now below we can see the interesting traffic we determined through the filter:

Lab-FG #
id=20085 trace_id=1 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 172.16.22.34:17716->64.37.49.183:80) from port1. flag [S], seq 2194730952, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4629 msg="allocate a new session-0032ba58"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-94.x.x.x via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=675 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2606 msg="SNAT 172.16.22.34->94.x.x.x:17716"

I have set some of the noteworthy output to bold. You can see the following information (in order of appearance):

  1. The original source and destination IPs/ports
  2. The ingress interface on the FortiGate
  3. The next hop and egress interface
  4. The action (Allowed) and the policy ID; also note that SNAT is present
  5. The original source and the SNATed source address (if DNAT is present, you can also see this within a flow trace)

Note: In reality, you will have a far greater amount of output, I have just pulled 1 trace for this example.
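Because a real trace run produces hundreds of these lines, it helps to have something that reads a logged console session back and reduces each trace_id to the five items listed above. The parser below is an added example written for this post, not FortiGate output or Fortinet code; the sample trace is constructed in the format shown above, and the "Denied by forward policy check (policy 0)" wording it also accepts is assumed from typical FortiOS output rather than taken from this post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the trace shown above (one TCP SYN matched
# by policy 1 with SNAT); the public addresses are masked exactly as in the post.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 172.16.22.34:17716->64.37.49.183:80) from port1. flag [S], seq 2194730952, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4629 msg="allocate a new session-0032ba58"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-94.x.x.x via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=675 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=2606 msg="SNAT 172.16.22.34->94.x.x.x:17716"
"""

# search() rather than match() so a CLI prompt glued in front of a line is tolerated,
# and the closing quote is optional because logged sessions sometimes lose it.
LINE_RE = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*?)"?$')
PKT_RE = re.compile(r'proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\) from (\S+)\. flag \[([^\]]*)\]')
ROUTE_RE = re.compile(r'gw-(\S+) via (\S+)')
POLICY_RE = re.compile(r'(Allowed|Denied) by .*?[Pp]olicy[- ](\d+)\)?(?::\s*(\S+))?')  # assumed Denied form
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+):(\d+)')


def parse_flow_trace(text):
    """Group flow lines by trace_id and extract the items the post reads off the raw output."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue                      # prompt echo, blank line or some other debug output
        trace_id, func, msg = m.groups()
        t = traces[trace_id]
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t.update(proto=int(p[1]), src=p[2], sport=int(p[3]), dst=p[4],
                     dport=int(p[5]), ingress=p[6], flags=p[7])
        elif func == "vf_ip4_route_input" and (r := ROUTE_RE.search(msg)):
            t.update(gateway=r[1], egress=r[2])
        elif func == "fw_forward_handler" and (pol := POLICY_RE.search(msg)):
            t.update(action=pol[1], policy_id=int(pol[2]), nat=pol[3] or "none")
        elif (s := SNAT_RE.search(msg)):
            t.update(snat_src=s[2], snat_port=int(s[3]))   # s[1] is the pre-NAT source
    return dict(traces)


def summarise(trace):
    """One line per trace: original tuple, ingress/egress, verdict and policy, NAT applied."""
    nat = f" SNAT->{trace['snat_src']}:{trace['snat_port']}" if "snat_src" in trace else ""
    return (f"{trace['src']}:{trace['sport']} -> {trace['dst']}:{trace['dport']} proto {trace['proto']} "
            f"in {trace['ingress']} out {trace.get('egress', '?')} via {trace.get('gateway', '?')} "
            f"{trace.get('action', '?')} by policy {trace.get('policy_id', '?')}{nat}")


if __name__ == "__main__":
    print(*(f"trace {k}: {summarise(v)}" for k, v in parse_flow_trace(SAMPLE_TRACE).items()), sep="\n")
```

Feed it the saved console log instead of SAMPLE_TRACE and a Denied verdict or a missing egress interface stands out in one line per trace rather than five.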

Now that we have completed our trace and hopefully got a step closer to solving the issue, we need to disable and reset our debug. This is achieved through the following two commands:

Lab-FG # diag debug disable
Lab-FG # diag debug reset

More FortiGate troubleshooting guides, as well as guides for other firewalls/devices, will follow soon. For now, thank you for reading!

Regards,

Jake


Jake is a security engineer working in West Yorkshire. He has experience with various firewall vendors including FortiGate, Check Point, Cisco and Palo Alto.
