FortiGate
ssteo
Staff
Article Id 213238
Description This article describes the debug flow tool in the FortiGate GUI and the equivalent CLI commands.
Scope FortiOS v7.2.
Solution
  1. To run a debug flow in the FortiGate GUI, go to Network -> Diagnostics and select the Debug Flow tab.

  2. By default, the number of packets to trace is 100; the maximum is 1000.

  3. Enable the filter. There are two filter types.

  4. For the 'Basic' filter type, it is possible to filter by IP address, Port, and Protocol. The IP address and Port match either the source or the destination of the packet, like the 'addr' and 'port' CLI filters described below.

  5. For the 'Advanced' filter type, it is possible to filter by Source IP, Source port, Destination IP, Destination port, and Protocol.

  6. Once the filter has been configured, select 'Start debug flow' to start the debug. The debug messages are displayed in real time.

  7. Stop the debug flow by selecting 'Stop debug flow', or wait for it to stop on its own once the defined number of packets has been traced.

  8. It is possible to save the output in CSV format.

  9. The output can be filtered by the 'Time', 'Message', and 'Function' fields.

 

To run the debug flow in the FortiGate CLI, use the following commands. Set a filter before starting the trace: an unfiltered trace prints a message for every packet the unit processes, which on a busy unit is unreadable.

diagnose debug reset
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow filter saddr x.x.x.x              <----- Source IP, or:
diagnose debug flow filter saddr <IP1> <IP5>          <----- Source IP range, where IP1 is the first IP address and IP5 is the last IP address.
diagnose debug flow filter daddr y.y.y.y              <----- Destination IP, or:
diagnose debug flow filter daddr <IP1> <IP5>          <----- Destination IP range, where IP1 is the first IP address and IP5 is the last IP address.
diagnose debug flow filter port zzz                   <----- Port, matched as source or destination.
diagnose debug flow show function-name enable         <----- Prefix each message with the function that emitted it (the 'Function' field in the GUI).
diagnose debug console timestamp enable               <----- Prefix each message with a timestamp (the 'Time' field in the GUI).
diagnose debug flow trace start 1000                  <----- Number of packets to trace (here 1000, the maximum).
diagnose debug enable

 

To stop the debug before the packet count or the debug duration is reached, run the following commands:

diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
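Reading a long debug flow trace by hand is slow, so the following script, added here as an example and not part of the Fortinet article or of FortiOS, groups the CLI output by trace_id and reduces each traced packet to its five-tuple, ingress and egress interface and policy verdict. It assumes the line format printed when 'show function-name enable' and 'console timestamp enable' are set (id=... trace_id=... func=... line=... msg="..."); the SAMPLE lines and the messages they contain are constructed for this example, not captured from a device, and the regular expressions only recognise the message texts shown in them.

```python
"""Summarise FortiGate 'diagnose debug flow' output, one row per trace_id.

Added example (not part of the Fortinet article). Assumed line format, as
printed with function-name and console timestamps enabled:

    <YYYY-MM-DD hh:mm:ss> id=<n> trace_id=<n> func=<name> line=<n> msg="<text>"

SAMPLE is constructed for this example (RFC 5737 addresses); it was not
captured from a device.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r'^(?:(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) )?'  # optional timestamp prefix
    r'id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'(?:func=(?P<func>\S+) line=(?P<line>\d+) )?'         # present with function-name enabled
    r'msg="(?P<msg>.*)"$'
)
# Five-tuple and ingress interface as printed in the "received a packet" message.
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*via (\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')

# Constructed sample: one allowed flow, one denied by policy, one dropped by RPF.
SAMPLE = """\
diagnose debug flow trace start 1000
2022-05-17 10:12:03 id=20085 trace_id=1 func=print_pkt_detail line=5605 msg="vd-root:0 received a packet(proto=6, 10.0.1.5:51234->192.0.2.10:443) from port2. flag [S], seq 3290138421, ack 0, win 64240"
2022-05-17 10:12:03 id=20085 trace_id=1 func=init_ip_session_common line=5770 msg="allocate a new session-00001a2b"
2022-05-17 10:12:03 id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.1 via port1"
2022-05-17 10:12:03 id=20085 trace_id=1 func=fw_forward_handler line=783 msg="Allowed by Policy-3: SNAT"
2022-05-17 10:12:04 id=20085 trace_id=2 func=print_pkt_detail line=5605 msg="vd-root:0 received a packet(proto=17, 10.0.1.7:40000->192.0.2.20:53) from port2. "
2022-05-17 10:12:04 id=20085 trace_id=2 func=init_ip_session_common line=5770 msg="allocate a new session-00001a2c"
2022-05-17 10:12:04 id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.1 via port1"
2022-05-17 10:12:04 id=20085 trace_id=2 func=fw_forward_handler line=783 msg="Denied by forward policy check (policy 0)"
2022-05-17 10:12:05 id=20085 trace_id=3 func=print_pkt_detail line=5605 msg="vd-root:0 received a packet(proto=6, 203.0.113.9:4444->10.0.1.5:22) from port1. flag [S], seq 1, ack 0, win 1024"
2022-05-17 10:12:05 id=20085 trace_id=3 func=ip_route_input_slow line=1741 msg="reverse path check fail, drop"
"""


def parse_line(line):
    """Return the fields of one debug flow line, or None for console noise."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group lines by trace_id and extract tuple, interfaces and verdict."""
    flows = OrderedDict()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # echoed command, prompt, or unrelated debug output
        flow = flows.setdefault(rec["trace"], {
            "first_seen": rec["ts"], "proto": None, "src": None, "dst": None,
            "ingress": None, "egress": None, "verdict": "no verdict",
            "policy": None, "messages": []})
        msg = rec["msg"]
        flow["messages"].append(msg)
        pm = PKT_RE.search(msg)
        if pm:
            proto, sip, sport, dip, dport, iface = pm.groups()
            flow.update(proto=int(proto), src=f"{sip}:{sport}",
                        dst=f"{dip}:{dport}", ingress=iface)
        rm = ROUTE_RE.search(msg)
        if rm:
            flow["egress"] = rm.group(1)
        am = ALLOW_RE.search(msg)
        if am:
            flow["verdict"], flow["policy"] = "allowed", int(am.group(1))
        dm = DENY_RE.search(msg)
        if dm:
            flow["verdict"], flow["policy"] = "denied", int(dm.group(1))
        elif "drop" in msg and flow["verdict"] == "no verdict":
            flow["verdict"] = "dropped"  # e.g. RPF failure, no policy involved
    return flows


def report(flows):
    """One human-readable row per traced packet."""
    rows = []
    for tid, f in flows.items():
        verdict = f["verdict"] if f["policy"] is None else f"{f['verdict']} (policy {f['policy']})"
        rows.append(f"trace {tid}: proto {f['proto']} {f['src']} -> {f['dst']} "
                    f"in {f['ingress']} out {f['egress'] or '-'}: {verdict}")
    return rows


if __name__ == "__main__":
    for row in report(summarize(SAMPLE.splitlines())):
        print(row)
```

To use it on a real trace, capture the CLI session to a file and pass its lines to summarize(); the 'dropped' verdict is a catch-all for any message containing "drop" that was not preceded by an explicit policy decision, so check the messages list of such a flow for the actual reason.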

 

Note:

These are the filters that can be set for the debug flow from the CLI console, with diagnose debug flow filter <filter> <value>:

vd-name   Name of virtual domain.
proto     Protocol number.
addr      IP address as source or destination.
saddr     Source IP address.
daddr     Destination IP address.
port      Port as source or destination.
sport     Source port.
dport     Destination port.
clear     Clear all filters.

 

For more detailed information, check this guide: Technical Tip: Using filters to review traffic traversing the FortiGate 

 

Related document:

Embed real-time debug flow tool on Diagnostics page

 

Note:

By default, the debug duration is 30 minutes, after which debug output stops automatically. If it is necessary to increase or decrease the time, refer to Technical Tip: Changing debug duration.