
Fortigate Debug

There are various debug methods on a FortiGate firewall, depending on the issue we're facing.
I like to work mostly with the CLI for troubleshooting network issues.

The most basic debugging tool is the sniffer. With it we can see some basic information about each packet, such as source and destination IP address, port and packet type.
Usage: FGT # diagnose sniffer packet "interface" 'filter'
To capture on every interface at once, use "any" for the interface.
The filter may be a host IP, a port, a protocol, or all of them at once.

for example:

FGT # diagnose sniffer packet "wan1" 'port 443'
interfaces=[wan1]
filters=[port 443]
2.040640 1.1.1.1.52539 -> 2.2.2.2.443: syn 315884350
2.040873 2.2.2.2.443 -> 1.1.1.1.52539: syn 476312974 ack 315884351
2.041574 1.1.1.1.52539 -> 2.2.2.2.443: ack 476312975
2.788504 1.1.1.1.52539 -> 2.2.2.2.443: fin 315884351 ack 476312975
2.788622 2.2.2.2.443 -> 1.1.1.1.52539: ack 315884352
2.788775 2.2.2.2.443 -> 1.1.1.1.52539: fin 476312975 ack 315884352
2.789482 1.1.1.1.52539 -> 2.2.2.2.443: ack 476312976
Here I opened a telnet session from 1.1.1.1 to 2.2.2.2 (the IP of wan1) on port 443.
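The sniffer output above is compact but easy to misread when many connections are interleaved, so as an added example (not part of the original post) here is a small Python parser for the default sniffer line format shown above. It groups packets per connection and classifies what the capture actually proves: a completed handshake, a graceful close, or a SYN that never got an answer (the pattern you see when a policy silently drops the traffic). The second sample, SYN_ONLY_OUTPUT, is constructed for illustration and was not captured from the post's firewall.

```python
import re
from collections import defaultdict

# Sample 1: the seven lines that `diagnose sniffer packet "wan1" 'port 443'` printed in the post.
SNIFFER_OUTPUT = """\
2.040640 1.1.1.1.52539 -> 2.2.2.2.443: syn 315884350
2.040873 2.2.2.2.443 -> 1.1.1.1.52539: syn 476312974 ack 315884351
2.041574 1.1.1.1.52539 -> 2.2.2.2.443: ack 476312975
2.788504 1.1.1.1.52539 -> 2.2.2.2.443: fin 315884351 ack 476312975
2.788622 2.2.2.2.443 -> 1.1.1.1.52539: ack 315884352
2.788775 2.2.2.2.443 -> 1.1.1.1.52539: fin 476312975 ack 315884352
2.789482 1.1.1.1.52539 -> 2.2.2.2.443: ack 476312976
"""

# Sample 2 (constructed, not from the post): a client retransmitting SYNs that never get a reply.
SYN_ONLY_OUTPUT = """\
3.000000 10.0.0.5.40000 -> 2.2.2.2.443: syn 100
4.000000 10.0.0.5.40000 -> 2.2.2.2.443: syn 100
"""

# One sniffer line: timestamp, "src.port -> dst.port:", then the TCP flag words and sequence numbers.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)
FLAG_WORDS = {"syn", "ack", "fin", "rst", "psh"}


def parse_sniffer(text):
    """Return one dict per packet line; header lines such as interfaces=[wan1] are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        pkt["ts"] = float(pkt["ts"])
        pkt["sport"] = int(pkt["sport"])
        pkt["dport"] = int(pkt["dport"])
        # Flag words sit between the sequence numbers: "syn 1", "fin 1 ack 2", "ack 2".
        pkt["flags"] = {w for w in pkt["info"].split() if w in FLAG_WORDS}
        packets.append(pkt)
    return packets


def flow_key(pkt):
    """Direction-independent key so both halves of a connection land in one bucket."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def summarise_flows(packets):
    """Group packets per connection and say what stage of the TCP lifecycle was observed."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    summary = {}
    for key, pkts in flows.items():
        saw_syn = any(p["flags"] == {"syn"} for p in pkts)
        saw_synack = any({"syn", "ack"} <= p["flags"] for p in pkts)
        saw_fin = any("fin" in p["flags"] for p in pkts)
        saw_rst = any("rst" in p["flags"] for p in pkts)
        if saw_rst:
            state = "reset"
        elif saw_syn and not saw_synack:
            state = "syn-no-reply"  # nothing came back: typical of a drop or an unreachable host
        elif saw_synack and saw_fin:
            state = "established-then-closed"
        elif saw_synack:
            state = "established"
        else:
            state = "unknown"
        summary[key] = {
            "packets": len(pkts),
            "state": state,
            "duration": round(pkts[-1]["ts"] - pkts[0]["ts"], 6),
        }
    return summary


if __name__ == "__main__":
    for sample in (SNIFFER_OUTPUT, SYN_ONLY_OUTPUT):
        for key, info in summarise_flows(parse_sniffer(sample)).items():
            print(key, info)
```

On the firewall side the only thing to remember is that the sniffer shows what the interface saw, not why the firewall made a decision; a flow in the "syn-no-reply" state tells you the SYN arrived but not which policy or route stopped the reply, which is exactly where the flow debug in the next section comes in.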

If this does not provide enough information, there is the flow debug. It gives a full view of how the firewall processes the packet, step by step.

usage:

FGT # diagnose debug reset
FGT # diagnose debug en
FGT # diagnose debug flow filter dport 443
FGT # diagnose debug flow show function-name en
FGT # diagnose debug flow show console en
FGT # diagnose debug flow trace start 100
The filter works the same way as for the sniffer.
To make sure you are not flooded with output, the count given to "trace start" (100 in the example) limits how many packets are traced.


for example:

FGT # diagnose debug reset
FGT # diagnose debug en
FGT # diagnose debug flow filter port 443
FGT # diagnose debug flow show function-name en
FGT # diagnose debug flow show console en
FGT # diagnose debug flow trace start 100

id=20085 trace_id=1 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=1 func=resolve_ip_tuple line=2908 msg="allocate a new session-001fce8c"
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-001fce8c, original direction"
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-001fce8c, original direction"
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-001fce8c, original direction"
id=20085 trace_id=5 func=ipv4_fast_cb line=56 msg="enter fast path"


In both cases all I did was watch all traffic on port 443 and issue a telnet to capture it.
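Flow debug output is one line per event, so reading it is mostly a matter of regrouping lines by trace_id and spotting the session lookup and the final verdict. The following Python is an added example, not from the post, that parses the key=value lines shown above, groups them by trace, and extracts the 5-tuple, the session id and the outcome (new session, existing session, fast path). The "dropped" classification is a keyword heuristic I added for lines the post does not show; treat it as an assumption and adapt it to the messages your FortiOS version prints.

```python
import re
from collections import defaultdict

# The flow-trace lines printed in the post, used here as the sample input.
FLOW_OUTPUT = """\
id=20085 trace_id=1 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=1 func=resolve_ip_tuple line=2908 msg="allocate a new session-001fce8c"
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-001fce8c, original direction"
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-001fce8c, original direction"
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=2809 msg="vd-root received a packet(proto=6, 1.1.1.1:56819->2.2.2.2:443) from wan1."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=2836 msg="Find an existing session, id-001fce8c, original direction"
id=20085 trace_id=5 func=ipv4_fast_cb line=56 msg="enter fast path"
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces and '=') or one token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PACKET_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")
NEW_SESSION_RE = re.compile(r"allocate a new session-([0-9a-f]+)")
EXISTING_SESSION_RE = re.compile(r"existing session, id-([0-9a-f]+)")


def parse_flow_line(line):
    """Turn one 'id=.. trace_id=.. func=.. line=.. msg=".."' line into a dict of strings."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def summarise_traces(text):
    """Group lines by trace_id and reduce each trace to packet, session id and outcome."""
    traces = defaultdict(list)
    for line in text.splitlines():
        fields = parse_flow_line(line)
        if "trace_id" in fields:
            traces[int(fields["trace_id"])].append(fields)

    results = {}
    for tid, entries in sorted(traces.items()):
        verdict = {"trace_id": tid, "packet": None, "session": None, "event": "unknown",
                   "funcs": [e.get("func") for e in entries]}
        for e in entries:
            msg = e.get("msg", "")
            m = PACKET_RE.search(msg)
            if m:
                verdict["packet"] = {"proto": int(m.group(1)), "src": m.group(2),
                                     "dst": m.group(3), "iface": m.group(4)}
            m = NEW_SESSION_RE.search(msg)
            if m:
                verdict["session"], verdict["event"] = m.group(1), "new-session"
            m = EXISTING_SESSION_RE.search(msg)
            if m:
                verdict["session"], verdict["event"] = m.group(1), "existing-session"
            if "enter fast path" in msg:
                verdict["event"] = "fast-path"
            # Heuristic (assumption, not from the post): deny/drop wording marks a blocked packet.
            if "denied" in msg.lower() or "drop" in msg.lower():
                verdict["event"] = "dropped"
        results[tid] = verdict
    return results


if __name__ == "__main__":
    for tid, v in summarise_traces(FLOW_OUTPUT).items():
        print(tid, v["event"], v["session"], v["packet"])
```

Reading the result for the post's capture: trace 1 is the SYN that created session 001fce8c, traces 2 to 4 are matched against that existing session in the original direction, and from trace 5 on the session is handled in the fast path, so no per-packet policy evaluation is logged any more. When a packet is being blocked you would instead expect the trace to stop with a deny or drop message from the policy or routing check, which is why the parser keeps the list of funcs it saw.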

There is also the option of debugging based on one of the firewall's daemons. For example, if a new VPN tunnel can't seem to come up, we need to debug the application (here the IKE daemon) and not the traffic.
Usage: FGT # diagnose debug application [application name] [debug level]


for example:

FGT # diagnose debug application ike 10
...

ike 0:vpn-test:355:vpn-test:13619: trying
ike 0:vpn-test:355:vpn-test:13619: matched phase2
ike 0:vpn-test:355:vpn-test:13619: autokey
ike 0:vpn-test:355:vpn-test:13619: my proposal:
ike 0:vpn-test:355:vpn-test:13619: proposal id = 1:
ike 0:vpn-test:355:vpn-test:13619:   protocol id = IPSEC_ESP:
ike 0:vpn-test:355:vpn-test:13619:   PFS DH group = 5
ike 0:vpn-test:355:vpn-test:13619:      trans_id = ESP_DES
ike 0:vpn-test:355:vpn-test:13619:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn-test:355:vpn-test:13619:         type = AUTH_ALG, val=SHA1
ike 0:vpn-test:355:vpn-test:13619: incoming proposal:
ike 0:vpn-test:355:vpn-test:13619: proposal id = 1:
ike 0:vpn-test:355:vpn-test:13619:   protocol id = IPSEC_ESP:
ike 0:vpn-test:355:vpn-test:13619:   PFS DH group = 5
ike 0:vpn-test:355:vpn-test:13619:      trans_id = ESP_3DES
ike 0:vpn-test:355:vpn-test:13619:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn-test:355:vpn-test:13619:         type = AUTH_ALG, val=SHA1
ike 0:vpn-test:355:vpn-test:13619:      trans_id = ESP_AES (key_len = 128)
ike 0:vpn-test:355:vpn-test:13619:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn-test:355:vpn-test:13619:         type = AUTH_ALG, val=SHA1
ike 0:vpn-test:355:vpn-test:13619: negotiation failure
...
Here we see clearly that it is a negotiation failure caused by a mismatched encryption scheme: this side proposes ESP_DES while the peer offers ESP_3DES and ESP_AES, so there is no common transform.
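Spotting the mismatch by eye is fine for one tunnel with two proposals; it gets tedious with long proposal lists. As an added example (not from the post), the Python below parses the phase-2 prefix shape shown above, collects the cipher, key length, authentication algorithm and PFS group of every transform on each side, and reports which transforms are local-only and which are peer-only. The prefix regex matches the "ike 0:vpn-test:355:vpn-test:13619:" form in this excerpt; other FortiOS versions and phase-1 lines use different prefixes, so that part is an assumption to adapt.

```python
import re

# The `diagnose debug application ike 10` excerpt from the post, used as sample input.
IKE_OUTPUT = """\
ike 0:vpn-test:355:vpn-test:13619: trying
ike 0:vpn-test:355:vpn-test:13619: matched phase2
ike 0:vpn-test:355:vpn-test:13619: autokey
ike 0:vpn-test:355:vpn-test:13619: my proposal:
ike 0:vpn-test:355:vpn-test:13619: proposal id = 1:
ike 0:vpn-test:355:vpn-test:13619:   protocol id = IPSEC_ESP:
ike 0:vpn-test:355:vpn-test:13619:   PFS DH group = 5
ike 0:vpn-test:355:vpn-test:13619:      trans_id = ESP_DES
ike 0:vpn-test:355:vpn-test:13619:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn-test:355:vpn-test:13619:         type = AUTH_ALG, val=SHA1
ike 0:vpn-test:355:vpn-test:13619: incoming proposal:
ike 0:vpn-test:355:vpn-test:13619: proposal id = 1:
ike 0:vpn-test:355:vpn-test:13619:   protocol id = IPSEC_ESP:
ike 0:vpn-test:355:vpn-test:13619:   PFS DH group = 5
ike 0:vpn-test:355:vpn-test:13619:      trans_id = ESP_3DES
ike 0:vpn-test:355:vpn-test:13619:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn-test:355:vpn-test:13619:         type = AUTH_ALG, val=SHA1
ike 0:vpn-test:355:vpn-test:13619:      trans_id = ESP_AES (key_len = 128)
ike 0:vpn-test:355:vpn-test:13619:      encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:vpn-test:355:vpn-test:13619:         type = AUTH_ALG, val=SHA1
ike 0:vpn-test:355:vpn-test:13619: negotiation failure
"""

# Prefix of the phase-2 lines in this excerpt (assumption: "ike <vd>:<tunnel>:<n>:<phase2>:<n>: <body>").
PREFIX_RE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):\d+:(?P<p2>[^:]+):\d+:\s*(?P<body>.*)$")
TRANS_RE = re.compile(r"trans_id = (\w+)(?: \(key_len = (\d+)\))?")
DH_RE = re.compile(r"PFS DH group = (\d+)")
AUTH_RE = re.compile(r"type = AUTH_ALG, val=(\w+)")


def parse_ike_proposals(text):
    """Collect the transforms each side offered: 'my' is this FortiGate, 'incoming' is the peer."""
    result = {"tunnel": None, "my": [], "incoming": [], "failed": False}
    side, dh, transform = None, {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        result["tunnel"] = m.group("tunnel")
        body = m.group("body").strip()
        if body == "my proposal:":
            side = "my"
        elif body == "incoming proposal:":
            side = "incoming"
        elif body == "negotiation failure":
            result["failed"] = True
        elif side is None:
            continue  # "trying", "matched phase2", ... come before any proposal
        elif DH_RE.match(body):
            dh[side] = int(DH_RE.match(body).group(1))
        elif TRANS_RE.match(body):
            t = TRANS_RE.match(body)
            transform = {"cipher": t.group(1),
                         "key_len": int(t.group(2)) if t.group(2) else None,
                         "auth": None, "dh": dh.get(side)}
            result[side].append(transform)
        elif AUTH_RE.match(body) and transform is not None:
            transform["auth"] = AUTH_RE.match(body).group(1)  # attaches to the last trans_id seen
    return result


def label(t):
    """Render one transform as a comparable string, e.g. ESP_AES-128/SHA1/DH5."""
    cipher = t["cipher"] + (f"-{t['key_len']}" if t["key_len"] else "")
    return f"{cipher}/{t['auth']}/DH{t['dh']}"


def diagnose(parsed):
    """Report whether both sides share at least one identical transform, and if not, who offered what."""
    mine = {label(t) for t in parsed["my"]}
    theirs = {label(t) for t in parsed["incoming"]}
    common = mine & theirs
    return {
        "tunnel": parsed["tunnel"],
        "match": bool(common),
        "common": sorted(common),
        "local_only": sorted(mine - theirs),
        "peer_only": sorted(theirs - mine),
        "negotiation_failed": parsed["failed"],
    }


if __name__ == "__main__":
    print(diagnose(parse_ike_proposals(IKE_OUTPUT)))
```

For the post's output the report shows no common transform: the local side offers only ESP_DES/SHA1/DH5 while the peer offers ESP_3DES/SHA1/DH5 and ESP_AES-128/SHA1/DH5. Either side can be changed to fix it, but since DES and 3DES are both deprecated the sensible fix is to align both ends on the AES-128/SHA1 transform the peer already proposes.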


This should cover about 90% of what you need for troubleshooting a problem with a Forti firewall.

Hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
