How to run a debug on a Fortinet firewall

On 25 February 2011, in Fortinet, Pare-Feux, by Himselff

Exercise 5 Debug Flow

1 From the CLI, type the following command to clear the session table:

diag sys session clear

If connecting to the CLI using SSH or Telnet, a login will be required.

2 Type the CLI commands shown below to configure the debug flow to trace the route selection and session establishment for an HTTP connection to www.fortinet.com.

Use nslookup to confirm the address for www.fortinet.com.

Enter the following commands:

diag debug enable

diag debug flow filter addr

diag debug flow show console enable

diag debug flow show function-name enable

diag debug flow trace start 100

3 From a web browser, connect to the following URL and observe the debug flow trace.

http://www.fortinet.com

Depending on the FortiGate model being used, the output displayed may vary slightly.

SYN packet received:

id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

SYN sent and a new session is allocated:

id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"

Look up the next-hop gateway address:

id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"

Source NAT: look up the next available port:

id=36870 trace_id=1 func=get_new_addr line=1615 msg="find SNAT: IP-192.168.3.10, port-44977"

Matched firewall policy. Check which policy this session matches:

id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"

Apply source NAT:

id=36870 trace_id=1 func=__ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"

SYN ACK received:

id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."

Found existing session ID. Identified as the reply direction:

id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"

Apply destination NAT to reverse the source NAT action:

id=36870 trace_id=2 func=__ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"

Look up the next-hop gateway address for the reply traffic:

id=36870 trace_id=2 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.1.110 via internal"

ACK received:

id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

Match existing session in the original direction:

id=36870 trace_id=3 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"

Apply source NAT:

id=36870 trace_id=3 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"

Receive data from client:

id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."

Match existing session in the original direction:

id=36870 trace_id=4 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, original direction"

Apply source NAT:

id=36870 trace_id=4 func=ip_session_run_all_tuple line=4378 msg="SNAT 192.168.1.110->192.168.3.10:44977"

Receive data from server:

id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."

Match existing session in the reply direction:

id=36870 trace_id=5 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"

Apply destination NAT to reverse the source NAT action:

id=36870 trace_id=5 func=ip_session_run_all_tuple line=4390 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"

4 Enter the following command to disable the debug flow trace:

diag debug flow trace stop

5 Disable the special-web policy.
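Reading a trace like the one above by hand works for a single connection; for a longer capture it helps to group the lines by trace_id and check that the session and NAT entries line up. The following is an added example, not code from the original post or from Fortinet: it parses the line format shown above, using a constructed subset of the page's own trace as embedded sample input, and flags packets that matched no session as well as reply-direction DNATs that do not undo the SNAT recorded when the session was created.

```python
import re

# Constructed input: the SYN and SYN-ACK traces walked through above (same values as the page's output).
SAMPLE_TRACE = """\
id=36870 trace_id=1 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 192.168.1.110:1849->208.70.202.225:80) from internal."
id=36870 trace_id=1 func=resolve_ip_tuple line=3522 msg="allocate a new session-00000483"
id=36870 trace_id=1 func=vf_ip4_route_input line=1595 msg="find a route: gw-192.168.3.254 via wan1"
id=36870 trace_id=1 func=fw_forward_handler line=463 msg="Allowed by Policy-1: SNAT"
id=36870 trace_id=1 func=__ip_session_run_tuple line=1840 msg="SNAT 192.168.1.110->192.168.3.10:44977"
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3395 msg="vd-root received a packet(proto=6, 208.70.202.225:80->192.168.3.10:44977) from wan1."
id=36870 trace_id=2 func=resolve_ip_tuple_fast line=3433 msg="Find an existing session, id-00000483, reply direction"
id=36870 trace_id=2 func=__ip_session_run_tuple line=1854 msg="DNAT 192.168.3.10:44977->192.168.1.110:1849"
"""

LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"$')
PATTERNS = {  # field name -> regex over the msg text; capture groups become the field value
    "packet": re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.'),
    "new_session": re.compile(r'allocate a new session-(\w+)'),
    "existing": re.compile(r'existing session, id-(\w+), (\w+) direction'),
    "route": re.compile(r'find a route: gw-(\S+) via (\S+)'),
    "policy": re.compile(r'(\w+) by Policy-(\d+)'),
    "snat": re.compile(r'^SNAT (\S+)->(\S+)'),
    "dnat": re.compile(r'^DNAT (\S+)->(\S+)'),
}

def parse_flow(text):
    """Group lines by trace_id (one trace per packet) and extract the named fields from each."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts, banners and truncated lines are skipped rather than crashing
        t = traces.setdefault(int(m[2]), {"funcs": []})
        t["funcs"].append(m[3])  # the func= sequence shows which code path the packet took
        for name, rx in PATTERNS.items():
            if (hit := rx.search(m[5])):
                t[name] = hit.groups() if len(hit.groups()) > 1 else hit[1]
    return traces

def unmatched_packets(traces):
    """trace_ids whose packet was neither given a new session nor matched to an existing one."""
    return sorted(tid for tid, t in traces.items()
                  if "packet" in t and "new_session" not in t and "existing" not in t)

def nat_consistent(traces):
    """True when every reply-direction DNAT exactly reverses the SNAT recorded at session creation."""
    snat = {t["new_session"]: t["snat"] for t in traces.values() if "new_session" in t and "snat" in t}
    for t in traces.values():
        if t.get("existing", ("", ""))[1] == "reply" and "dnat" in t:
            orig_src, translated = snat.get(t["existing"][0], ("", ""))
            if t["dnat"][0] != translated or t["dnat"][1].split(":")[0] != orig_src:
                return False
    return True
```

A packet from wan1 that shows up in unmatched_packets() is the signature of a reply the firewall could not tie to a session, which is the first thing to look for when a flow is established in one direction only.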
