aseques
Visitor III
October 29, 2015
Question

Cli method to show the firewall rule that blocks a site?

  • October 29, 2015
  • 2 replies
  • 25780 views

When I'm in trouble I use the diagnose mode all the time; the issue I'm having now is that the old commands don't work:

diag debug flow filter addr 1.1.1.1
diag debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable

There's no mention of the message that appears in the browser saying that the site has been blocked by the firewall, so it makes it very difficult to find the origin of the policy that restricted that user when there are multiple blocks and web profiles. Does anyone know the proper CLI syntax to get this information? I've been searching a lot in the forums but haven't been able to find anything.

Regards,

Joan

2 replies

emnoc
New Member
October 29, 2015

The syntax above is correct, but did you enable the debug?

diag debug enable

aseques
aseques (Author)
Visitor III
October 29, 2015

Yes, it's the last of the lines I pasted. Just to double check, I changed the order of the commands and the result is the same: I see the rules that affect the traffic flow, but I don't see anything related to the web filtering.

Any idea of what it would look like?

emnoc
New Member
October 29, 2015

So you have a match to the fw-policy? Does it have a URL filter attached, and are you expecting it to block or pass?

I believe there's a diag debug app <something for url/web filter> command, but I'm not in the office at this time. You might want to search the diag debug app options.

Ken

gschmitt
New Member
October 30, 2015

aseques wrote:

diag debug flow filter addr 1.1.1.1

Did you do a

diag debug flow filter clear
diag debug reset

before? :D

aseques
aseques (Author)
Visitor III
October 30, 2015

Sure, it's clean (I'm testing with the test.com domain, ip=69.172.200.235):

# diagnose debug flow filter
       vf: any
       proto: any
       host addr: 69.172.200.235-69.172.200.235
       Host saddr: any
       Host daddr: any
       port: any
       sport: any
       dport: any

I get the attached output (anonymized), with one of the lines probably being the redirection to the error page:

vd-root received a packet(proto=6, 10.1.1.10:52311->69.172.200.235:8008)

But it still doesn't mention anything about the captive portal.

Iescudero
New Member
November 2, 2015

Hello!

I think that is because the antivirus, proxy, web filter and captive portal are considered by FortiGate as applications, which means they work in a different layer than diagnose debug flow.

If you enable it, you can see web filter blocks in the Log section.

Hope this helps
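The point made in the thread is that the flow trace records which policy a session matched and whether that policy handed the session to the UTM engine, but never the web filter verdict itself. The script below is an added example (not from this thread and not Fortinet code) that parses "diagnose debug flow" output in the id=/trace_id=/msg= layout FortiOS prints, groups it per trace_id, and lists the policies that both matched the destination and carry security profiles; those are the policies whose web filter profile is worth inspecting, while the block itself has to be read from the web filter log. The sample lines, policy numbers and the reading of the "AV" marker on "Allowed by Policy-N" as "security profiles attached" are assumptions built from typical FortiOS output, not data from this page, and field names vary between FortiOS builds.

```python
import re
from collections import OrderedDict

# Constructed sample of "diagnose debug flow" output (assumption: typical
# FortiOS layout; not captured from the poster's device). Three sessions:
#   trace 1: to the test IP on port 80, matched policy 12 which has UTM ("AV")
#   trace 2: to the test IP on port 8008, matched policy 7 with plain SNAT
#   trace 3: another host, dropped by the implicit deny (policy 0)
SAMPLE_FLOW_OUTPUT = """\
id=20085 trace_id=1 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.1.1.10:52311->69.172.200.235:80) from internal. flag [S], seq 123456, ack 0, win 8192"
id=20085 trace_id=1 func=init_ip_session_common line=4618 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-12: AV"
id=20085 trace_id=2 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.1.1.10:52312->69.172.200.235:8008) from internal. flag [S], seq 234567, ack 0, win 8192"
id=20085 trace_id=2 func=fw_forward_handler line=670 msg="Allowed by Policy-7: SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.1.1.11:40000->69.172.200.235:80) from internal. flag [S], seq 345678, ack 0, win 8192"
id=20085 trace_id=3 func=fw_forward_handler line=670 msg="Denied by forward policy check (policy 0)"
"""

TRACE_RE = re.compile(r"trace_id=(\d+)")
MSG_RE = re.compile(r'msg="(.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)(?::\s*(.*))?$")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


def parse_flow_trace(text):
    """Group flow-trace lines by trace_id and pull out the 5-tuple, the matched
    policy, the verdict and whether the policy carries security profiles."""
    sessions = OrderedDict()
    for line in text.splitlines():
        t = TRACE_RE.search(line)
        m = MSG_RE.search(line)
        if not t or not m:
            continue  # not a flow-trace line we understand
        s = sessions.setdefault(int(t.group(1)), {
            "proto": None, "src": None, "dst": None, "dport": None,
            "policy": None, "verdict": None, "utm": False,
        })
        msg = m.group(1)
        pkt = PKT_RE.search(msg)
        if pkt:
            s["proto"] = int(pkt.group(1))
            s["src"], s["dst"] = pkt.group(2), pkt.group(4)
            s["dport"] = int(pkt.group(5))
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            s["policy"] = int(allow.group(1))
            s["verdict"] = "allowed"
            # Assumption: the "AV" tag after the policy number is how the flow
            # trace marks a policy with security profiles (web filter included).
            s["utm"] = "AV" in (allow.group(2) or "").split()
            continue
        deny = DENY_RE.search(msg)
        if deny:
            s["policy"] = int(deny.group(1))
            s["verdict"] = "denied"
    return sessions


def utm_policies_for(text, dst_ip):
    """Policy IDs that allowed traffic to dst_ip AND handed it to the UTM
    engine. The flow trace stops here; the web filter verdict is in the log."""
    found = []
    for s in parse_flow_trace(text).values():
        if s["dst"] == dst_ip and s["verdict"] == "allowed" and s["utm"]:
            if s["policy"] not in found:
                found.append(s["policy"])
    return found


if __name__ == "__main__":
    for tid, s in parse_flow_trace(SAMPLE_FLOW_OUTPUT).items():
        print(f"trace {tid}: {s['src']} -> {s['dst']}:{s['dport']} "
              f"{s['verdict']} by policy {s['policy']} utm={s['utm']}")
    print("policies to check for a web filter profile:",
          utm_policies_for(SAMPLE_FLOW_OUTPUT, "69.172.200.235"))
```

Run it against real output captured with the poster's own "diagnose debug flow" sequence (with "diagnose debug reset" and "diagnose debug flow filter clear" first, as gschmitt suggests); when the destination shows up only under a policy without the UTM marker, the block is not coming from a web filter profile on that policy at all.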