Fortigate Logging

Flow Trace

Now I will show a flow trace from my computer to

diagnose debug reset 
diagnose debug flow filter saddr 
diagnose debug flow filter daddr 
diagnose debug flow show function-name enable
diagnose debug enable 
diagnose debug flow trace start 100  #display the next 100 packets; after that, disable the flow trace:

When the trace is complete, disable debugging manually with

diagnose debug disable

The output shows which interface the connection came in on, and because of function-name enable you will also see each processing step applied to the packet: NAT, routing, IPS, offloading to the NPU and SPUs, and so on.

You can also see the sessions using the following commands

diagnose sys session filter clear
diagnose sys session filter dst
diagnose sys session filter dport 53
diagnose sys session list           #show the session table with the filter just set

Use whichever filter works for you: source or destination address as well as ports.

With this filter in place, you can clear only the matching sessions by issuing diagnose sys session clear. NOTE: Without a filter in place, you will clear ALL sessions on the FortiGate. It is always a good habit to run diag sys session filter ? to list the filter you have configured.

Packet Capture

You can either use the GUI or the CLI to run packet captures.

diagnose sniffer packet any 'host' 4 4 l 
diagnose sniffer packet any 'host and dst port 53' 4 10 a 
diagnose sniffer packet wan1 'dst port (80 or 443)' 2 50 l 

The two numbers after the filter are the verbosity level and the packet count, and the last argument selects the timestamp format:

1: print header of packets
2: print header and data from IP of packets
3: print header and data from Ethernet of packets (if available)
4: print header of packets with interface name
5: print header and data from IP of packets with interface name
6: print header and data from Ethernet of packets (if available) with interface name
count: number of packets to capture
a: UTC time
l: local time

You can also use the GUI: go to Network, then Packet Capture, then Create.
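As an added example (not from the original post), here is a small Python parser for verbosity-4 sniffer output that counts packets per interface and direction and pairs each inbound packet with its outbound copy, so a source-NAT translation shows up as a changed source address. The line layout and the sample capture are assumptions constructed for this example, not output taken from a FortiGate.

```python
import re
from collections import Counter

# Constructed sample of "diagnose sniffer packet any '<filter>' 4 4 l" output.
# The line layout is an assumption about verbosity-4 output, not text from the
# original post; addresses come from the RFC 5737 documentation ranges.
SAMPLE_OUTPUT = """\
interfaces=[any]
filters=[host 192.0.2.10 and dst port 53]
2024-05-01 10:00:00.100000 port1 in 192.0.2.10.51000 -> 198.51.100.53.53: udp 40
2024-05-01 10:00:00.100300 wan1 out 203.0.113.5.51000 -> 198.51.100.53.53: udp 40
2024-05-01 10:00:00.120000 wan1 in 198.51.100.53.53 -> 203.0.113.5.51000: udp 120
2024-05-01 10:00:00.120200 port1 out 198.51.100.53.53 -> 192.0.2.10.51000: udp 120
"""

# Timestamp is "YYYY-MM-DD HH:MM:SS.ffffff" with the a/l flag, else seconds since start.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+|\d+\.\d+) "
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>\w+) (?P<length>\d+)$"
)

def parse_sniffer(text):
    """Return one dict per packet line; the interfaces=/filters= header lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def interface_summary(packets):
    """Count packets per (interface, direction): which way traffic entered and left."""
    return Counter((p["iface"], p["dir"]) for p in packets)

def nat_translations(packets):
    """Pair each 'in' packet with the next 'out' line carrying the same datagram
    (same destination, port, protocol and length). A changed source address
    between the pair means the unit applied source NAT on the way out."""
    found = set()
    for i, pin in enumerate(packets):
        if pin["dir"] != "in":
            continue
        for pout in packets[i + 1:]:
            if (pout["dir"] == "out" and pout["dst"] == pin["dst"]
                    and pout["dport"] == pin["dport"] and pout["proto"] == pin["proto"]
                    and pout["length"] == pin["length"]):
                if pout["src"] != pin["src"]:
                    found.add((pin["iface"], pin["src"], pout["iface"], pout["src"]))
                break
    return sorted(found)
```

Feed it the text saved from a real capture and the returned tuples read as (ingress interface, original source, egress interface, translated source).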

