Technical Tip : Using GUI debug flow tool in FortiOS to capture traffic.

This article illustrates the steps to capture debug flow via GUI in FortiOS v7.2.x, v7.4.x and x7.6.x.

1. Navigate to Network -> Diagnostics -> Debug Flow and toggle the Filters to on:

2. The choice is between Basic and Advanced filter types. The difference between Basic and Advanced types is described below:

Basic: filter by IP address, Port, and Protocol.

This option translates to the following CLI commands:

diagnose debug flow filter addr <IP_addr/range>

diagnose debug flow filter port <port/range>

diagnose debug flow filter proto <protocol>

Advanced: Provides the option to filter by Source IP, Source port, Destination IP, Destination port, and Protocol.

This option translates to the following CLI commands:

diagnose debug flow filter saddr <source_IP/range>

diagnose debug flow filter sport <port/range>

diagnose debug flow filter daddr <destination_IP/range>

diagnose debug flow filter dport <port/range>

diagnose debug flow filter proto <protocol>

3. Fill in the required information in the filter and start the debug flow. It is not necessary to fill in all information. Information that is not filled in will be set as any:

4. FortiGate will run a live capture on the user’s traffic that matches the filter and the result will be displayed on the screen:

5. The output can be exported to a CSV file for further investigation and analysis:

6. The following is an example of the output in CSV. The file can be uploaded to support ticket for further investigation purposes:

Note: In a multi-VDOM environment, the Diagnostics option (under Network -> Diagnostics) is not available in the Global VDOM for running debug flow or packet capture. This is expected behavior because the Global VDOM is not a traffic‑processing VDOM.

Diagnostics must be performed within a traffic VDOM. Additionally, debug flow is VDOM‑specific, so it must be executed in the particular traffic VDOM where the traffic flow needs to be analyzed.