Description
This article explains different ways to view, in real time, the sessions and persistence entries for connections handled by a virtual server (VS), so that they can be used for troubleshooting.
Topology:
                    | RS-A1
Client ==> FADC ===|
                    | RS-A2
Scope
View in real time the connections made against a VS published with FortiADC.
Solution
Opt-1. From the GUI:
- Go to Server Load Balance -> Virtual Server. Double-click the VS to edit it.
- In the Virtual Server settings, choose the 'Monitor' tab.
- Enable 'Traffic Log'.
- Go to Log & Report -> Traffic Log.
- Choose the log entries related to the traffic served by the FortiADC deployment.
Opt-2. With 'Traffic Log' enabled on the VS (see Opt-1), use the execute log command to filter and display the logs needed:
(P) FortiADC-10 (fadc-vdom01) # execute log filter type
event traffic attack script
(P) FortiADC-10 (fadc-vdom01) # execute log filter subtype
please input the type firstly
event traffic attack script
(P) FortiADC-10 (fadc-vdom01) # execute log filter field
(P) FortiADC-10 (fadc-vdom01) # execute log display
<startline integer >=0 > show log from startline
Example:
(P) FortiADC-10 (fadc-vdom01) # execute log filter type traffic
(P) FortiADC-10 (fadc-vdom01) # execute log filter subtype slb_layer4
(P) FortiADC-10 (fadc-vdom01) # execute log filter field src 1.0.16.1
(P) FortiADC-10 (fadc-vdom01) # execute log filter show
type#traffic subtype#slb_layer4 field#src#1.0.16.1
(P) FortiADC-10 (fadc-vdom01) # execute log display 0
begin to search logs
date=2023-01-17 time=17:23:13 log_id=0100008000 type=traffic subtype=slb_layer4 pri=information vd=fadc-vdom01 msg_id=5589 duration=3 ibytes=437 obytes=10130 proto=6 service=tcp src=1.0.16.1 src_port=57134 dst=14.8.0.200 dst_port=80 trans_src=172.20.1.253 trans_src_port=5023 trans_dst=172.20.1.1 trans_dst_port=80 policy=VS01_L4-VLAN801 action=none srccountry=Japan dstcountry=Japan real_server=A01
date=2023-01-17 time=17:23:12 log_id=0100008000 type=traffic subtype=slb_layer4 pri=information vd=fadc-vdom01 msg_id=5588 duration=3 ibytes=437 obytes=10130 proto=6 service=tcp src=1.0.16.1 src_port=57132 dst=14.8.0.200 dst_port=80 trans_src=172.20.1.253 trans_src_port=5022 trans_dst=172.20.1.1 trans_dst_port=80 policy=VS01_L4-VLAN801 action=none srccountry=Japan dstcountry=Japan real_server=A01
....
display 20 lines log messages one time at most,you can tune the starline if you want to see more logs
Opt-3. Check the sessions and persistence entries in real time using the diagnose server-load-balance session|persistence commands.
Example:
Sessions:
(P) FortiADC-10 (fadc-vdom01) # diagnose server-load-balance session filter 'source-ip 1.0.16.1'
(P) FortiADC-10 (fadc-vdom01) # diagnose server-load-balance session clear
(P) FortiADC-10 (fadc-vdom01) # diagnose server-load-balance session list
client-ip/port virtual-server-ip/port local-ip/port real-server-ip/port protocol service state in-bytes out-bytes expire virtual-server-name real-server-name
1.0.16.1 57036 14.8.0.200 80 172.20.1.253 5007 172.20.1.2 80 6 tcp TIME_WAIT 397 10130 1 VS01_L4-VLAN801 A02
1.0.16.1 57038 14.8.0.200 80 172.20.1.253 5008 172.20.1.1 80 6 tcp TIME_WAIT 517 10130 2 VS01_L4-VLAN801 A01
1.0.16.1 57034 14.8.0.200 80 172.20.1.253 5006 172.20.1.1 80 6 tcp TIME_WAIT 477 10130 0 VS01_L4-VLAN801 A01
Persistence:
(P) FortiADC-10 (fadc-vdom01) # diagnose server-load-balance persistence filter 'source-ip 1.0.16.1'
(P) FortiADC-10 (fadc-vdom01) # diagnose server-load-balance persistence clear
(P) FortiADC-10 (fadc-vdom01) # diagnose server-load-balance persistence list
client-ip/port virtual-server-ip/port local-ip/port real-server-ip/port protocol service expire virtual-server-name real-server-name
1.0.16.1 0 14.8.0.200 80 0.0.0.0 0 172.20.1.2 80 6 tcp 1 VS01_L4-VLAN801 A02
Opt-4. Reading the logs from the backend shell.
(P) FortiADC-10 # fnsysctl ls /var/log/logrpt/fadc-vdom01/
3.admin.elog 3.fw.elog 3.ips.alog 3.slb_diameter.tlog 3.slb_layer4.tlog 3.slb_rtmp.tlog 3.system.elog Reports
3.config.elog 3.fw.tlog 3.llb.elog 3.slb_dns.tlog 3.slb_mssql.tlog 3.slb_rtsp.tlog 3.user.elog couter_cache
3.dns.elog 3.geo.alog 3.llb.tlog 3.slb_ftp.tlog 3.slb_mysql.tlog 3.slb_sip.tlog 4.av.alog database
3.dns.tlog 3.health_check.elog 3.slb.elog 3.slb_http.tlog 3.slb_radius.tlog 3.slb_smtp.tlog 4.ddos.alog resdir
3.fw.a
Example, printing the latest logs in real-time:
(P) FortiADC-10 # fn tail -f /var/log/logrpt/fadc-vdom01/3.slb_layer4.tlog
2023-01-17,16:59:03,0100008000,traffic,slb_layer4,information,fadc-vdom01,5561,3,397,10130,6,tcp,1.0.16.1,57094,14.8.0.200,80,172.20.1.253,5003,172.20.1.2,80,VS01_L4-VLAN801,none,Japan,Japan,A02
2023-01-17,16:59:04,0100008000,traffic,slb_layer4,information,fadc-vdom01,5562,3,397,10130,6,tcp,1.0.16.1,57096,14.8.0.200,80,172.20.1.253,5004,172.20.1.2,80,VS01_L4-VLAN801,none,Japan,Japan,A02
2023-01-17,16:59:05,0100008000,traffic,slb_layer4,information,fadc-vdom01,5563,3,437,10130,6,tcp,1.0.16.1,57098,14.8.0.200,80,172.20.1.253,5005,172.20.1.2,80,VS01_L4-VLAN801,none,Japan,Japan,A02
Example, printing the latest 3 logs:
(P) FortiADC-10 # fn tail -n 3 /var/log/logrpt/fadc-vdom01/3.slb_layer4.tlog
2023-01-17,17:23:11,0100008000,traffic,slb_layer4,information,fadc-vdom01,5587,3,477,10130,6,tcp,1.0.16.1,57130,14.8.0.200,80,172.20.1.253,5021,172.20.1.1,80,VS01_L4-VLAN801,none,Japan,Japan,A01
2023-01-17,17:23:12,0100008000,traffic,slb_layer4,information,fadc-vdom01,5588,3,437,10130,6,tcp,1.0.16.1,57132,14.8.0.200,80,172.20.1.253,5022,172.20.1.1,80,VS01_L4-VLAN801,none,Japan,Japan,A01
2023-01-17,17:23:13,0100008000,traffic,slb_layer4,information,fadc-vdom01,5589,3,437,10130,6,tcp,1.0.16.1,57134,14.8.0.200,80,172.20.1.253,5023,172.20.1.1,80,VS01_L4-VLAN801,none,Japan,Japan,A01
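The same slb_layer4 traffic records appear twice on this page, once as key=value pairs from 'execute log display' (Opt-2) and once as comma-separated lines of the raw .tlog file (Opt-4). The following parser is an added example, not Fortinet's code: it reads both formats into one record shape, filters by field (as the 'execute log filter field src' command does), counts how many connections each real server received, and cross-checks records that appear in both formats by msg_id. The CSV column order is an assumption inferred from the sample records above (msg_id 5588 and 5589 are present in both formats with identical values); the sample lines embedded below are copied from the page.

```python
"""Parse FortiADC slb_layer4 traffic logs in the two formats the CLI exposes.

Added example, not Fortinet's code. TLOG_COLUMNS is inferred from the records
on this page, not from vendor documentation; verify it against your own output.
"""
import re
from collections import Counter

# Column order of the *.slb_layer4.tlog CSV lines (assumption, inferred from the page).
TLOG_COLUMNS = [
    "date", "time", "log_id", "type", "subtype", "pri", "vd", "msg_id",
    "duration", "ibytes", "obytes", "proto", "service",
    "src", "src_port", "dst", "dst_port",
    "trans_src", "trans_src_port", "trans_dst", "trans_dst_port",
    "policy", "action", "srccountry", "dstcountry", "real_server",
]

# Fields converted to int; everything else (including the zero-padded log_id) stays a string.
INT_FIELDS = {"msg_id", "duration", "ibytes", "obytes", "proto",
              "src_port", "dst_port", "trans_src_port", "trans_dst_port"}

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _typed(rec):
    """Strip quotes and convert the numeric fields to int."""
    out = {}
    for k, v in rec.items():
        v = v.strip('"')
        out[k] = int(v) if k in INT_FIELDS and v.isdigit() else v
    return out


def parse_kv_record(line):
    """Parse one 'execute log display' record (space-separated key=value pairs)."""
    return _typed(dict(_KV_RE.findall(line)))


def split_kv_stream(text):
    """'execute log display' prints records back to back; split them at each 'date=' key."""
    chunks = re.split(r"(?<!\w)date=", text)
    return [parse_kv_record("date=" + c) for c in chunks if c.strip()]


def parse_tlog_line(line):
    """Parse one CSV line of the raw .tlog file using the inferred column order."""
    fields = line.strip().split(",")
    if len(fields) != len(TLOG_COLUMNS):
        raise ValueError(f"expected {len(TLOG_COLUMNS)} columns, got {len(fields)}")
    return _typed(dict(zip(TLOG_COLUMNS, fields)))


def filter_records(records, **conds):
    """Keep records whose fields equal every condition, e.g. filter_records(recs, src='1.0.16.1')."""
    return [r for r in records if all(r.get(k) == v for k, v in conds.items())]


def real_server_distribution(records):
    """Connections per real server: a quick check of balancing and persistence behaviour."""
    return Counter(r["real_server"] for r in records)


def cross_check(kv_text, tlog_text):
    """Return msg_ids present in both formats whose parsed records differ (validates TLOG_COLUMNS)."""
    kv = {r["msg_id"]: r for r in split_kv_stream(kv_text)}
    csv = {r["msg_id"]: r for r in
           (parse_tlog_line(ln) for ln in tlog_text.splitlines() if ln.strip())}
    return sorted(m for m in kv.keys() & csv.keys() if kv[m] != csv[m])


# Constructed sample input: records copied from the CLI output shown on this page.
KV_SAMPLE = (
    "date=2023-01-17 time=17:23:13 log_id=0100008000 type=traffic subtype=slb_layer4 "
    "pri=information vd=fadc-vdom01 msg_id=5589 duration=3 ibytes=437 obytes=10130 proto=6 "
    "service=tcp src=1.0.16.1 src_port=57134 dst=14.8.0.200 dst_port=80 trans_src=172.20.1.253 "
    "trans_src_port=5023 trans_dst=172.20.1.1 trans_dst_port=80 policy=VS01_L4-VLAN801 "
    "action=none srccountry=Japan dstcountry=Japan real_server=A01 "
    "date=2023-01-17 time=17:23:12 log_id=0100008000 type=traffic subtype=slb_layer4 "
    "pri=information vd=fadc-vdom01 msg_id=5588 duration=3 ibytes=437 obytes=10130 proto=6 "
    "service=tcp src=1.0.16.1 src_port=57132 dst=14.8.0.200 dst_port=80 trans_src=172.20.1.253 "
    "trans_src_port=5022 trans_dst=172.20.1.1 trans_dst_port=80 policy=VS01_L4-VLAN801 "
    "action=none srccountry=Japan dstcountry=Japan real_server=A01"
)

TLOG_SAMPLE = """\
2023-01-17,16:59:03,0100008000,traffic,slb_layer4,information,fadc-vdom01,5561,3,397,10130,6,tcp,1.0.16.1,57094,14.8.0.200,80,172.20.1.253,5003,172.20.1.2,80,VS01_L4-VLAN801,none,Japan,Japan,A02
2023-01-17,17:23:12,0100008000,traffic,slb_layer4,information,fadc-vdom01,5588,3,437,10130,6,tcp,1.0.16.1,57132,14.8.0.200,80,172.20.1.253,5022,172.20.1.1,80,VS01_L4-VLAN801,none,Japan,Japan,A01
2023-01-17,17:23:13,0100008000,traffic,slb_layer4,information,fadc-vdom01,5589,3,437,10130,6,tcp,1.0.16.1,57134,14.8.0.200,80,172.20.1.253,5023,172.20.1.1,80,VS01_L4-VLAN801,none,Japan,Japan,A01
"""

if __name__ == "__main__":
    recs = [parse_tlog_line(ln) for ln in TLOG_SAMPLE.splitlines()]
    print(real_server_distribution(recs))           # Counter({'A01': 2, 'A02': 1})
    print(filter_records(recs, real_server="A02"))  # the 16:59:03 connection only
    print(cross_check(KV_SAMPLE, TLOG_SAMPLE))      # [] when the column map is right
```

Pipe the output of 'fn tail -f' into split lines and feed them to parse_tlog_line to follow the distribution live; an empty result from cross_check on a few records captured in both formats confirms the column mapping before relying on it.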
Copyright 2023 Fortinet, Inc. All Rights Reserved.