Posts tagged: debug

Jul 08 2011

Logging and Troubleshooting with FortiGate 100A

I needed a way to effectively troubleshoot a given traffic issue on our FortiGate 100A device and the out of the box configuration didn’t have this configured. This can be accomplish using the web GUI or via an SSH session, and since I already have SSH configure I went with this option for most of the configuration.

Step 1: Enable Logging

SSH to the device with your favorite client and issue the following commands:

FG100A # show firewall policy (this command will display the details for all policies)

edit 1
set srcintf “internal”
set dstintf “wan1″
set srcaddr “all”
set dstaddr “all”
set action accept
set schedule “always”
set service “ANY”
set logtraffic disable
set nat enable

next
end

Once you know which policy you would like to troubleshoot it’s now time to enable logging

FG100A # edit 1
(to edit policy id 1)

FG100A (1) # set logtraffic enable (to enable logging for this policy)

Once you are finish you can always review your changes on the GUI if you would to do so click on Firewall tab –> Policy –> select the policy in question and click edit on the top –> Then click the check box for “Log Violation Traffic”

Next, click on the “Log&Report” tab –>Log Setting –> and check off “Local Logging & Archiving”, “Memory” –> Minimum log level “Information” –> check off “Enable IPS Packet Archive”

Apply settings!

Step 2:  Diagnose Sniffer Packet

Launch another SSH session and issue the follow command just makes sure you put the filter expressions in quotes:

diag sniffer packet <interface> <’filter’> <verbose> <count>

Simple test do a continuous ping from your workstation to an IP on the internet and then issue the command below and keep the windows open:

diag sniff packet any ‘host <workstation ip> and icmp’ 4

Step 2:  Enabling debug mode

Lastly in a another SSH window enable debug mode, set the source IP address and watch as a series of useful information flows across the console to help you narrow down the problem at hand.

diag debug enable
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow filter proto 1
(protocol 1 is for icmp)

diag debug flow filter addr <workstation ip>
diag debug flow trace start 400
(400 is a random number it’ the number of traces)

To disable the debug when you are finish run the following command:
diag debug disable

References:

http://docs.fortinet.com/fgt/techdocs/fortigate-admin.pdf

http://docs.fortinet.com/fgt/techdocs/fortigate-cli.pdf

Alibi3col theme by Themocracy

css.php