zromano
Staff & Editor
December 8, 2021

Technical Tip: How to filter for IP addresses and address ranges in debug flow

Description

This article describes how the 'and', 'or' and 'not' operators can be used when filtering for an address in the debug flow.
Solution

To filter for two specific addresses, enter both IP addresses and append the 'and' operator at the end of the command.
This is the syntax:

 

FORTIGATE # diagnose debug flow filter addr 10.254.0.100 8.8.8.8 and

 

The filter can be checked by running this command:

 

FORTIGATE # diagnose debug flow filter
vf: any
proto: any
host addr: 10.254.0.100 and 8.8.8.8
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any


The filter is for IP '10.254.0.100 and 8.8.8.8'. It is possible to use the 'or' operator in the same way:

 

FORTIGATE # diagnose debug flow filter addr 10.254.0.100 8.8.8.8 or

FORTIGATE # diagnose debug flow filter
vf: any
proto: any
host addr: 10.254.0.100 or 8.8.8.8
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any


To filter for a range of IP addresses, enter the starting and ending addresses in ascending order:

 

FORTIGATE # diagnose debug flow filter addr 10.254.0.0 10.254.0.150

FORTIGATE # diagnose debug flow filter
vf: any
proto: any
host addr: 10.254.0.0-10.254.0.150
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any


To exclude a range, enter the two IP addresses in descending order:

 

FORTIGATE # diagnose debug flow filter addr 10.254.0.10 10.254.0.0

FORTIGATE # diagnose debug flow filter
vf: any
proto: any
host addr: not in 10.254.0.0-10.254.0.10
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any


Notice the 'not in' in the filter above.
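
Because the order of the two addresses alone decides between a range and an exclusion, it helps to predict the 'host addr:' line before starting a trace. The following Python helper is an added example, not part of the original article or of FortiOS; the function names are hypothetical, and it covers only the four two-address IPv4 forms shown above.

```python
import ipaddress


def expected_host_addr(command: str) -> str:
    """Predict the 'host addr:' line that 'diagnose debug flow filter'
    should print after a two-address 'filter addr' command."""
    tokens = command.split()
    if "addr" not in tokens:
        raise ValueError("not a 'filter addr' command")
    # Everything after 'addr'; a leading CLI prompt is ignored.
    args = tokens[tokens.index("addr") + 1:]

    operator = None
    if len(args) == 3 and args[2] in ("and", "or"):
        operator = args[2]
        args = args[:2]
    if len(args) != 2:
        raise ValueError("expected two IPv4 addresses and an optional and/or")

    # Compare numerically: as strings, '10.254.0.9' sorts after '10.254.0.10'.
    first, second = (ipaddress.IPv4Address(a) for a in args)

    if operator:
        return f"host addr: {first} {operator} {second}"
    if first < second:   # ascending order: range
        return f"host addr: {first}-{second}"
    if first > second:   # descending order: excluded range
        return f"host addr: not in {second}-{first}"
    raise ValueError("equal addresses: case not covered by the article")


def is_exclusion(command: str) -> bool:
    """True when the address order turns the filter into a 'not in' range."""
    return expected_host_addr(command).startswith("host addr: not in ")


if __name__ == "__main__":
    # Constructed sample commands, taken from the forms shown in the article.
    for cmd in (
        "diagnose debug flow filter addr 10.254.0.100 8.8.8.8 and",
        "diagnose debug flow filter addr 10.254.0.0 10.254.0.150",
        "diagnose debug flow filter addr 10.254.0.10 10.254.0.0",
    ):
        note = "  <-- exclusion" if is_exclusion(cmd) else ""
        print(f"{cmd}\n  {expected_host_addr(cmd)}{note}")
```

Compare the predicted line with the actual output of 'diagnose debug flow filter'; an unexpected 'not in' means the addresses were entered in descending order.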

 

Related article:

Technical Tip: Using filters to review traffic traversing the FortiGate