
Fortigate: Debugging on a Fortigate

see: Fortigate Troubleshooting Guide

Enabling debuggery:

diag debug enable
diag debug console timestamp enable

diag debug flow follows the flow through the firewall:

# diag debug flow filter
addr      ip address
clear     clear filter
daddr     dest ip address
dport     destination port
negate    inverse filter
port      port
proto     protocol number
saddr     source ip address
sport     source port
vd        index of virtual domain, -1 matches all
# diag debug flow filter daddr
xxx.xxx.xxx.xxx    dest ip (from)
# diag debug flow filter daddr 192.168.103.248
# diag debug flow show function-name enable
# diag debug flow trace start 50
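Once the trace is running, the useful part is reading the output: each packet gets a trace_id, and the lines for that id tell you which interface it arrived on, the route chosen, and which policy allowed or denied it. The parser below is an added example, not part of the original post or a Fortinet tool; it groups `diag debug flow` lines by trace_id and pulls out the packet tuple and the policy verdict. The sample lines are constructed in the style of FortiOS trace output (the func names and message wording are assumptions, as is the 2024 timestamp from `diag debug console timestamp enable`).

```python
import re
from collections import OrderedDict

# Constructed sample in the style of `diag debug flow` output (not a real capture).
# Two ICMP echo requests to the host filtered above: one allowed, one denied.
SAMPLE_TRACE = """\
2024-01-01 12:00:00 id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.10:1->192.168.103.248:2048) from port1. code=8, type=0, id=1, seq=1."
2024-01-01 12:00:00 id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2b"
2024-01-01 12:00:00 id=20085 trace_id=1 func=vf_ip_route_input_common line=2579 msg="find a route: flag=04000000 gw-192.168.103.248 via port2"
2024-01-01 12:00:00 id=20085 trace_id=1 func=fw_forward_handler line=736 msg="Allowed by Policy-3:"
2024-01-01 12:00:01 id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.20:1->192.168.103.248:2048) from port1. code=8, type=0, id=2, seq=1."
2024-01-01 12:00:01 id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00001a2c"
2024-01-01 12:00:01 id=20085 trace_id=2 func=fw_forward_handler line=736 msg="Denied by forward policy check (policy 0)"
"""

# key=value pairs; values are either a double-quoted string or a run of non-spaces
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# packet summary inside the print_pkt_detail message: proto, src:port->dst:port, ingress interface
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_trace(text):
    """Group flow-trace lines by trace_id -> list of (func, msg), preserving order."""
    traces = OrderedDict()
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "trace_id" not in fields:
            continue  # prompt, timestamp-only or unrelated debug line
        traces.setdefault(fields["trace_id"], []).append(
            (fields.get("func", ""), fields.get("msg", "")))
    return traces


def summarize(traces):
    """Reduce each trace to the packet tuple and the policy verdict it reached."""
    results = []
    for tid, steps in traces.items():
        info = {"trace_id": tid, "proto": None, "src": None, "dst": None,
                "in_if": None, "verdict": "no verdict", "policy": None}
        for _func, msg in steps:
            m = PKT_RE.search(msg)
            if m:
                info["proto"] = int(m.group(1))
                info["src"], info["dst"], info["in_if"] = m.group(2), m.group(3), m.group(4)
            m = ALLOW_RE.search(msg)
            if m:
                info["verdict"], info["policy"] = "allowed", int(m.group(1))
            m = DENY_RE.search(msg)
            if m:
                info["verdict"], info["policy"] = "denied", int(m.group(1))
        results.append(info)
    return results


def denied(results):
    """Just the traces that hit a deny: the ones worth looking at first."""
    return [r for r in results if r["verdict"] == "denied"]


if __name__ == "__main__":
    for r in summarize(parse_trace(SAMPLE_TRACE)):
        print("trace {trace_id}: proto {proto} {src} -> {dst} in {in_if}: "
              "{verdict} (policy {policy})".format(**r))
```

Paste the console output captured during `diag debug flow trace start` into `SAMPLE_TRACE` (or read it from a file) and the denied list tells you straight away whether a drop was policy 0, the implicit deny, or a specific numbered policy.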

diag sniffer is a packet capture (pcap):

diag sniffer packet any 'host 192.168.17.130'

diag debug app allows access to the various processes' debuggery:

diag debug app ike -1 #for VPN tomfoolery

Here's another example:

diag debug enable
diag debug console timestamp enable
diag debug flow filter clear
diag debug flow filter proto 1 #[protocol is icmp]
diag debug flow show console enable
diag debug flow trace start 100

Kill it with fire:

diag debug flow show console disable
diag debug flow trace stop
diag debug flow filter clear
diag debug disable
diag debug reset