This blog post will guide you through using the debug flow tool and analyzing its output. Debug flow lets you validate that specific traffic is passing through the FortiGate, and shows which policy and gateway are being used for it. This helps diagnose traffic flow problems.
OS Version
FortiOS: v5.0.x | v4.3.x
Fortinet CLI Configuration
Debug Flow Syntax
The following debug lines can be used in any combination. For the sake of demonstrating the possible options that can be used, I have listed the most common ones.
Line001: diag debug dis
Line002: diag debug reset
Line003: diag debug flow filter clear
Line004: diag debug flow sh con en
Line005: diag debug flow sh func en
Line006: diag debug flow filter addr 192.168.1.1
Line007: diag debug flow filter saddr 192.168.1.1
Line008: diag debug flow filter daddr 192.168.1.1
Line009: diag debug flow filter port 53
Line010: diag debug flow filter proto 1
Line011: diag debug flow trace start 5000
Line012: diag debug en
Lines 1 to 3: Clear the debugger and remove all previously configured debug filters.
Line 4: Shows the debug output on the console.
Line 5: Includes the function name in each line of the debug output.
Line 6: Filters the flow by the given IP, matching it as either the source or the destination.
Line 7: Filters the flow by the given source IP (the address the flow originates from).
Line 8: Filters the flow by the given destination IP.
Line 9: Filters the flow by source or destination port.
Line 10: Filters the flow by protocol number (e.g. 1=ICMP, 6=TCP).
Line 11: Sets the number of lines of debug flow output that will be produced.
Line 12: Enables the debug output.
Reference site for Protocol numbers:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
Debug Flow Example
The following example is set to filter ICMP traffic destined to 8.8.4.4.
I initiated a ping from my workstation to 8.8.4.4. The following is the output.
Analyzing the Debug Flow Example 1
The following is one session segment taken from the above output.
id=13 trace_id=268 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=1, 192.168.88.108:266->8.8.4.4:8) from Internal."
id=13 trace_id=268 func=init_ip_session_common line=4424 msg="allocate a new session-0016a973"
id=13 trace_id=268 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=268 func=get_new_addr line=2398 msg="find SNAT: IP-99.224.148.182, port-62464"
id=13 trace_id=268 func=fw_forward_handler line=660 msg="Allowed by Policy-1: SNAT"
id=13 trace_id=268 func=ids_receive line=237 msg="send to ips"
id=13 trace_id=268 func=__ip_session_run_tuple line=2505 msg="SNAT 192.168.88.108->99.224.148.182:62464"
Color 2 (the vf_ip4_route_input line): You will see that a route was found through wan2 using a gateway of 99.224.148.1. This comes from the routing table at the time the packet was processed.
Color 3 (the get_new_addr line): You will see the IP used on the outbound interface and the port the session was source-NATed to.
Color 4 (the fw_forward_handler line): You will see the policy that allowed the traffic out (here Policy-1).
Analyzing the Debug Flow Example 2
The following is one session segment taken from the above output.
id=13 trace_id=268 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=1, 192.168.88.108:266->8.8.4.4:8) from Internal."
id=13 trace_id=268 func=init_ip_session_common line=4424 msg="allocate a new session-0016a973"
id=13 trace_id=268 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=268 func=get_new_addr line=2398 msg="find SNAT: IP-99.224.148.182, port-62464"
id=13 trace_id=268 func=fw_forward_handler line=660 msg="Allowed by Policy-1: SNAT"
id=13 trace_id=268 func=ids_receive line=237 msg="send to ips"
id=13 trace_id=268 func=__ip_session_run_tuple line=2505 msg="SNAT 192.168.88.108->99.224.148.182:62464"
Color 2 (the ids_receive line): If the traffic is being inspected by the IPS engine, it will be indicated here. In this case it says "send to ips". If you are seeing anomalies in your traffic flow, you may want to temporarily disable the IPS engine on the matching policy and then validate the traffic flow again.
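When a trace has thousands of lines, reading the segments by hand stops scaling. The following Python script is an added example (not part of the original post or of FortiOS) that groups the debug flow lines by trace_id and pulls out the fields walked through above: the received packet, the route and gateway, the SNAT address, the policy verdict, and whether the session was handed to IPS. The sample input is the trace_id=268 segment quoted above plus a second, constructed trace (trace_id=269) written as a hypothetical denied packet, modelled on the same msg format.

```python
import re
from collections import defaultdict

# Constructed sample input: the trace_id=268 segment quoted in the post, plus a
# second trace (trace_id=269) written here as a hypothetical denied packet,
# modelled on the page's msg format. Not captured from a real unit.
SAMPLE = """\
id=13 trace_id=268 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=1, 192.168.88.108:266->8.8.4.4:8) from Internal."
id=13 trace_id=268 func=init_ip_session_common line=4424 msg="allocate a new session-0016a973"
id=13 trace_id=268 func=vf_ip4_route_input line=1603 msg="find a route: gw-99.224.148.1 via wan2"
id=13 trace_id=268 func=get_new_addr line=2398 msg="find SNAT: IP-99.224.148.182, port-62464"
id=13 trace_id=268 func=fw_forward_handler line=660 msg="Allowed by Policy-1: SNAT"
id=13 trace_id=268 func=ids_receive line=237 msg="send to ips"
id=13 trace_id=268 func=__ip_session_run_tuple line=2505 msg="SNAT 192.168.88.108->99.224.148.182:62464"
id=13 trace_id=269 func=resolve_ip_tuple_fast line=4295 msg="vd-root received a packet(proto=6, 192.168.88.108:51000->8.8.4.4:23) from Internal."
id=13 trace_id=269 func=fw_forward_handler line=660 msg="Denied by forward policy check (policy 0)"
"""

# One debug flow line: id=<n> trace_id=<n> func=<name> line=<n> msg="<text>"
LINE_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="(.*)"$')

def parse_flow(text):
    """Group debug flow lines by trace_id -> list of (func, msg); non-matching lines are skipped."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            traces[int(m.group(2))].append((m.group(3), m.group(5)))
    return dict(traces)

def summarize(events):
    """Extract the fields the post walks through: packet, route/gateway, SNAT, policy verdict, IPS."""
    s = {"proto": None, "flow": None, "in_intf": None, "gateway": None, "out_intf": None,
         "snat": None, "policy": None, "verdict": None, "ips": False}
    for func, msg in events:
        if m := re.search(r"received a packet\(proto=(\d+), (\S+)\) from (\S+)\.", msg):
            s["proto"] = int(m.group(1))  # protocol number, as used with 'filter proto'
            s["flow"], s["in_intf"] = m.group(2), m.group(3)
        elif m := re.search(r"find a route: gw-(\S+) via (\S+)", msg):
            s["gateway"], s["out_intf"] = m.groups()
        elif m := re.search(r"find SNAT: IP-(\S+), port-(\d+)", msg):
            s["snat"] = f"{m.group(1)}:{m.group(2)}"
        elif m := re.search(r"Allowed by Policy-(\d+)", msg):
            s["policy"], s["verdict"] = int(m.group(1)), "allow"
        elif m := re.search(r"Denied by forward policy check \(policy (\d+)\)", msg):
            s["policy"], s["verdict"] = int(m.group(1)), "deny"
        elif func == "ids_receive" and msg == "send to ips":
            s["ips"] = True
    return s
```

Run `summarize(parse_flow(SAMPLE)[268])` to get a dict with gateway 99.224.148.1 via wan2, SNAT 99.224.148.182:62464, policy 1 allowed and ips True; the constructed trace 269 yields a deny with no route or SNAT, which is the shape to look for when traffic never leaves the unit.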