HAT's Blog
Where I take notes and share my knowledge and experience
FORTINET
Fortigate Debug Flow and Packet Capture
APRIL 27, 2021 · NOVEMBER 3, 2022 · HAT · LEAVE A COMMENT
Debug Flow
• Shows what the CPU is doing with a packet, step by step. If the packet is dropped, the trace shows the reason.
• Also useful for other questions, such as why a packet takes a specific route or why a specific NAT IP address is applied.
Steps
1. Define a filter: diagnose debug flow filter <filter>
2. Enable debug output: diagnose debug enable
3. Start the trace: diagnose debug flow trace start <count>
4. Stop the trace: diagnose debug flow trace stop
Filter
• addr: IPv4 or IPv6 address
• clear: clear filter
• daddr: destination IPv4 or IPv6 address
• dport: destination port
• negate: inverse IPv4 or IPv6 filter
• port: port
• proto: protocol number
• saddr: source address
• sport: source port
• vd: index of virtual domain; -1 matches all
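The trace output is easiest to read when its lines are grouped per trace_id and reduced to the decisions that matter: which interfaces the packet used, which policy matched, whether it was allowed, denied or dropped, and what NAT was applied. The script below is an added example written for this post, not code from the blog or from Fortinet. It parses console output saved from the steps above (for example after diagnose debug flow filter addr 10.0.1.20, diagnose debug enable and diagnose debug flow trace start 100) and prints one summary line per trace. The sample lines are constructed; the line shape id=... trace_id=... func=... line=... msg="..." and the message wording ("Allowed by Policy-N", "Denied by forward policy check (policy N)", "reverse path check fail, drop") are assumptions based on common FortiOS output, so adjust the regular expressions if your version prints them differently.

```python
import re
import sys

# Constructed sample of "diagnose debug flow" console output (not captured from
# a real FortiGate). Trace 1 is allowed by policy 3 and source-NATed, trace 2
# hits the implicit deny (policy 0), trace 3 fails the reverse path check.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5605 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51000->10.0.1.20:443) from port1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5770 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2599 msg="find a route: flag=04000000 gw-10.0.1.20 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=782 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3389 msg="SNAT 10.0.0.5->203.0.113.10:51000"
id=20085 trace_id=2 func=print_pkt_detail line=5605 msg="vd-root:0 received a packet(proto=6, 10.0.0.7:52000->10.0.1.20:22) from port1. flag [S], seq 2000, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5770 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2599 msg="find a route: flag=04000000 gw-10.0.1.20 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=782 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5605 msg="vd-root:0 received a packet(proto=1, 198.51.100.9:1->10.0.1.20:2048) from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=3 func=ip_route_input_slow line=2311 msg="reverse path check fail, drop"
"""

# Assumed line shape: id=<n> trace_id=<n> [func=<name>] [line=<n>] msg="<text>"
LINE_RE = re.compile(r'^id=\d+ trace_id=(?P<trace>\d+)(?: func=(?P<func>\S+))?'
                     r'(?: line=\d+)? msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->'
                    r'(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'via (?P<iface>\S+)$')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by (?P<what>.+?)(?: \(policy (?P<policy>\d+)\))?$')
SNAT_RE = re.compile(r'SNAT (?P<orig>\S+)->(?P<new>\S+)')
DROP_RE = re.compile(r'\bdrop\b')


def parse_debug_flow(text):
    """Group (func, msg) pairs by trace_id, keeping the order they were printed in."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # prompt echoes, blank lines and other console noise
            continue
        traces.setdefault(int(m["trace"]), []).append((m["func"], m["msg"]))
    return traces


def summarize_trace(steps):
    """Collapse one trace into the fields an operator checks first."""
    s = {"proto": None, "src": None, "dst": None, "ingress": None, "egress": None,
         "verdict": "unknown", "policy": None, "snat": None, "reason": None}
    for _func, msg in steps:
        if m := PKT_RE.search(msg):
            s.update(proto=int(m["proto"]), src=f"{m['src']}:{m['sport']}",
                     dst=f"{m['dst']}:{m['dport']}", ingress=m["iface"])
        elif m := ROUTE_RE.search(msg):
            s["egress"] = m["iface"]
        elif m := ALLOW_RE.search(msg):
            s.update(verdict="allowed", policy=int(m["policy"]))
        elif m := DENY_RE.search(msg):
            s.update(verdict="denied", reason=msg,
                     policy=int(m["policy"]) if m["policy"] else None)
        elif DROP_RE.search(msg):
            s.update(verdict="dropped", reason=msg)
        elif m := SNAT_RE.search(msg):
            s["snat"] = m["new"]
    return s


def summarize_debug_flow(text):
    """Map trace_id -> summary dict for every trace found in the saved output."""
    return {tid: summarize_trace(steps) for tid, steps in parse_debug_flow(text).items()}


def blocked_traces(summary):
    """trace_ids whose packet was denied or dropped, sorted for quick triage."""
    return sorted(t for t, s in summary.items() if s["verdict"] in ("denied", "dropped"))


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_DEBUG_FLOW
    for tid, s in sorted(summarize_debug_flow(text).items()):
        print(f"trace {tid}: proto={s['proto']} {s['src']} -> {s['dst']} "
              f"in={s['ingress']} out={s['egress']} verdict={s['verdict']} "
              f"policy={s['policy']} snat={s['snat']} reason={s['reason']}")


if __name__ == "__main__":
    main()
```

Run it with the saved console output as the first argument, or without arguments to see the constructed sample. Remember to finish a session with diagnose debug flow trace stop, diagnose debug flow filter clear and diagnose debug disable, so a forgotten filter does not keep flooding the console on the next login.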
FortiASIC NP4 or NP6 interface pairs
• NP4 or NP6 processors that offload traffic change the packet flow, so the trace will not show those packets.
• Before debugging any NP4 or NP6 interfaces, disable offloading on those interfaces:
  ◦ diagnose npu <np> fastpath disable
  ◦ <np> is np4, np6, np4lite, or np6lite
Packet Sniffer
From CLI
• diagnose sniffer packet <interface> <'filter'> <verbose> <count> <tsformat>
• If <count> is not specified, the sniffer runs forever until Ctrl-C is pressed
• <filter> is similar to a tcpdump filter: src/dst, host, arp, ip, gre, esp, udp, tcp, port
• <verbose>: level of verbosity
  ◦ 1: print header of packets
  ◦ 2: print header and data from IP of packets
  ◦ 3: print header and data from Ethernet of packets
  ◦ 4: print header of packets with interface name
• <tsformat>: format of timestamp
  ◦ a: absolute UTC time, yyyy-mm-dd hh:mm:ss.ms
  ◦ l: absolute LOCAL time, yyyy-mm-dd hh:mm:ss.ms
  ◦ otherwise: relative to the start of sniffing, ss.ms
Example:
• diagnose sniffer packet any 'port 443' 4
• diagnose sniffer packet internal 'src host 192.168.0.1 and dst host 192.168.0.2' 1
• diagnose sniffer packet external 'udp and port 1812 and host forti1 and (forti2 or forti3)' 4 0 a
• diag sniffer packet internal 'host 192.168.0.1 and (icmp or tcp)' 1
From GUI
• Network > Packet Capture
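The CLI sniffer prints to the console, which is fine for a quick look but awkward for anything longer; the usual workflow is to capture at verbosity 3 (Ethernet header and data) into a text file and convert that to a pcap for Wireshark. The converter below is an added example written for this post, not the blog's code and not the sniffran tool linked in the references. It assumes the console format I have seen from diagnose sniffer packet ... 3: a header line starting with the timestamp (relative by default, or yyyy-mm-dd hh:mm:ss.us with tsformat a or l, which is treated as UTC here), optionally followed by the interface name and direction, then hex dump lines of the form 0x0000<tab> 0009 0f09 ...<tab>ascii. The two frames in the sample are hand-built (IP checksums left at zero) and are not a real capture.

```python
import re
import struct
import sys
from datetime import datetime, timezone

# Constructed sample of "diagnose sniffer packet port1 'port 443' 3" output.
# The first header line has no interface name (verbose 3 form), the second has
# interface and direction (verbose 6 form), so both shapes are exercised.
SAMPLE_SNIFFER = """\
interfaces=[port1]
filters=[port 443]
0.853987 10.0.0.5.51000 -> 10.0.1.20.443: syn 1000
0x0000\t 0009 0f09 0001 0050 56a1 2b3c 0800 4500\t.......PV.+<..E.
0x0010\t 0028 1c46 4000 4006 0000 0a00 0005 0a00\t.(.F@.@.........
0x0020\t 0114 c738 01bb 0000 03e8 0000 0000 5002\t...8........P.
0x0030\t faf0 0000 0000\t......
0.854201 port1 out 10.0.1.20.443 -> 10.0.0.5.51000: syn 5000 ack 1001
0x0000\t 0050 56a1 2b3c 0009 0f09 0001 0800 4500\t.PV.+<........E.
0x0010\t 0028 0000 4000 4006 0000 0a00 0114 0a00\t.(..@.@.........
0x0020\t 0005 01bb c738 0000 1388 0000 03e9 5012\t.....8........P.
0x0030\t ffff 0000 0000\t......
2 packets received by filter
0 packets dropped by kernel
"""

# Assumed header shapes: "<ts> [<iface> in|out] <src> -> <dst>: ..." (ARP and other
# non-IP summaries still start with <ts>, so they open a new packet as well).
HEADER_RE = re.compile(r'^(?P<ts>\d+\.\d+|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<rest>.*)$')
FLOW_RE = re.compile(r'^(?:(?P<iface>\S+) (?P<dir>in|out) )?(?P<src>\S+) -> (?P<dst>\S+):')
HEX_RE = re.compile(r'^0x([0-9a-fA-F]{4})\s+(.*)$')
WORD_RE = re.compile(r'[0-9a-fA-F]{4}|[0-9a-fA-F]{2}')


def parse_timestamp(ts):
    """Return (seconds, microseconds). Relative 'ss.us' is exact via string math;
    absolute 'yyyy-mm-dd hh:mm:ss.us' is interpreted as UTC (assumption)."""
    if " " in ts:
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()), dt.microsecond
    whole, _, frac = ts.partition(".")
    return int(whole), int((frac + "000000")[:6])


def hex_words(rest):
    """Decode the hex column of a dump line; stop at the first token that is not a
    2- or 4-digit hex word, which is where the ASCII column begins."""
    data = bytearray()
    for tok in rest.split("\t")[0].split():
        if not WORD_RE.fullmatch(tok):
            break
        data += bytes.fromhex(tok)
    return bytes(data)


def parse_sniffer_output(text):
    """Return packets as dicts: ts, iface, direction, src, dst, summary, data (bytes)."""
    packets, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = {"ts": parse_timestamp(h["ts"]), "iface": None, "direction": None,
                       "src": None, "dst": None, "summary": h["rest"], "data": bytearray()}
            f = FLOW_RE.match(h["rest"])
            if f:
                current.update(iface=f["iface"], direction=f["dir"], src=f["src"], dst=f["dst"])
            packets.append(current)
            continue
        x = HEX_RE.match(line)
        if x and current is not None:
            # Offsets are trusted to be sequential; bytes are appended in print order.
            current["data"] += hex_words(x.group(2))
    result = []
    for p in packets:
        if p["data"]:  # header-only entries (verbose 1 or 4) carry no bytes to write
            p["data"] = bytes(p["data"])
            result.append(p)
    return result


def to_pcap(packets, linktype=1):
    """Serialize packets as a classic libpcap file; linktype 1 = Ethernet (verbose 3
    dumps), 101 = raw IP for verbose 2 dumps that start at the IP header."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
    for p in packets:
        sec, usec = p["ts"]
        out += struct.pack("<IIII", sec, usec, len(p["data"]), len(p["data"]))
        out += p["data"]
    return bytes(out)


def main(argv):
    if len(argv) == 3:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
        pcap_path = argv[2]
    else:
        text, pcap_path = SAMPLE_SNIFFER, "sample.pcap"
    packets = parse_sniffer_output(text)
    with open(pcap_path, "wb") as f:
        f.write(to_pcap(packets))
    print(f"wrote {len(packets)} packets to {pcap_path}")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: python3 sniffer2pcap.py capture.txt capture.pcap, then open the pcap in Wireshark; without arguments the script writes the constructed sample to sample.pcap. Verbosity 1 and 4 print headers only, so there is nothing to convert, and verbosity 2 output needs linktype=101 because the dump starts at the IP header rather than the Ethernet frame.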
Reference:
• Packet Capture on FortiOS GUI: https://kb.fortinet.com/kb/documentLink.do?externalID=FD45907
• https://kb.fortinet.com/kb/documentLink.do?externalID=11186
• https://kb.fortinet.com/kb/documentLink.do?popup=true&externalID=FD30038&languageId=
• https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/680228/performing-a-sniffer-trace-cli-and-packet-capture
• https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
• https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560?externalID=FD30038&languageId=&popup=true
• Convert Fortinet packet sniffer output to a Wireshark file: https://github.com/ondrejholecek/sniffran
Tags: DEBUG FLOW, FORTIGATE DEBUG FLOW, FORTIGATE PACKET CAPTURE, FORTIGATE PACKET SNIFFER, PACKET CAPTURE, PACKET SNIFFER