Debug commands in FortiGate are essential for troubleshooting traffic flow, the firewall policies applied, routing issues, and other network-related problems.
Basic Control Commands:

| Command | Description | Usage |
|---|---|---|
| diagnose debug flow filter | Shows the current filter settings. | Lists all active debug flow filters that will be applied to the flows being analyzed. |
| diagnose debug reset | Resets all debug settings to default. | Clears all active debug settings and filters before starting a new session. |
| diagnose debug console timestamp enable | Enables timestamps in debug messages. | Helps track (by time) when specific events occur, for easier correlation with logs. |
| diagnose debug enable | Enables debugging with the current settings. | Starts debug output after the filters have been configured. |
Flow Debug Commands:

| Command | Description | Usage |
|---|---|---|
| diagnose debug flow show iprope enable | Displays detailed IP policy (IPROPE) processing information. | Useful for understanding how firewall policies are selected. |
| diagnose debug flow show function-name enable | Shows internal function names in debug messages. | Advanced troubleshooting for developers or engineers. |
| diagnose debug flow trace start 100 | Starts flow tracing and captures the first 100 trace IDs (flows) that match the filters. | Limits output to prevent excessive logging. |
| diagnose debug flow trace stop | Stops an active flow trace before the packet limit is reached. | Manually ends tracing once enough data has been collected. |
Filtering Commands:

| Command | Description | Usage |
|---|---|---|
| diagnose debug flow filter vd X | Filters traffic by Virtual Domain (VDOM) number X. | Focuses debugging on a specific VDOM. |
| diagnose debug flow filter vd-name root | Filters traffic by Virtual Domain (VDOM) name, here root. | Focuses debugging on a specific VDOM. |
| diagnose debug flow filter port 80 | Filters traffic whose source or destination port is 80 (HTTP). | Debugs web traffic. |
| diagnose debug flow filter sport 80 | Filters traffic whose source port (sport) is 80. | Analyzes HTTP responses from servers. |
| diagnose debug flow filter dport 443 | Filters traffic whose destination port (dport) is 443 (HTTPS). | Debugs outgoing HTTPS traffic. |
| diagnose debug flow filter proto 1 | Filters traffic by protocol number (1 = ICMP, 6 = TCP, 17 = UDP). | Focuses on a specific protocol (for example, ICMP for ping tests). |
| diagnose debug flow filter addr 10.10.10.10 | Filters traffic whose source or destination IP is 10.10.10.10. | Focuses on packets that have IP 10.10.10.10 as either source or destination. |
| diagnose debug flow filter saddr 10.10.10.10 | Filters traffic whose source IP is 10.10.10.10. | Focuses on packets that have IP 10.10.10.10 as the source. |
| diagnose debug flow filter daddr 10.10.10.10 | Filters traffic whose destination IP is 10.10.10.10. | Focuses on packets that have IP 10.10.10.10 as the destination. |
| diagnose debug flow filter negate addr/port/proto/vd/saddr/daddr/sport/dport | The negate option inverts a filter so that traffic matching the given value is excluded. | This document explains the usage in detail: Technical Tip: How the 'negate' command in debug flow works. |

Note:
Multiple filters can be applied at a time. The debug flow shows only traffic that matches all of the applied filters.
Debug Cleanup Commands:

| Command | Description | Usage |
|---|---|---|
| diagnose debug flow filter clear | Clears all active flow filters. | Prepares for a new debug session with fresh filters. |
| diagnose debug disable | Stops all debugs (alternative to diagnose debug flow trace stop). | Ensures debugging is fully turned off. |
Typical Debug Workflow:

1. Disable any active debugs: 'diagnose debug disable'.
2. Clear previous filters: 'diagnose debug reset' or 'diagnose debug flow filter clear'.
3. Set filters (by port, IP, or protocol): 'diagnose debug flow filter dport 443'.
4. Track specific events by time (optional): 'diagnose debug console timestamp enable'.
5. Start tracing with a packet limit: 'diagnose debug flow trace start 100'.
6. Enable debugging: 'diagnose debug enable'.
7. Generate traffic: access a website, run a ping test.
8. Stop debugging when done: 'diagnose debug flow trace stop' or 'diagnose debug disable'.
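The following complete CLI session is an added example, not part of the original article, that walks the workflow above end to end and also shows the point made in the Note on the filtering table: several filters combined so that only flows matching all of them are traced. It assumes a VDOM named root and a constructed test host 10.10.10.10 sending ICMP (proto 1); lines beginning with # are comments and are not typed into the CLI.

```fortios
# Added example session (not from the original article). Constructed values:
# VDOM "root", source host 10.10.10.10, protocol 1 (ICMP), trace limit 20.

# 1-2. Make sure nothing from a previous session is still active.
diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear

# 3. Narrow the trace: VDOM AND source address AND protocol must all match.
diagnose debug flow filter vd-name root
diagnose debug flow filter saddr 10.10.10.10
diagnose debug flow filter proto 1

# Confirm the combined filter before starting.
diagnose debug flow filter

# 4. Timestamp every line so events can be correlated with other logs.
diagnose debug console timestamp enable

# Optional detail: show which policy is selected and the internal function names.
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable

# 5-6. Cap the capture at 20 matching flows, then turn debug output on.
diagnose debug flow trace start 20
diagnose debug enable

# 7. Generate traffic now: from 10.10.10.10, ping a host behind the FortiGate.

# 8. End the session and leave the unit with debugging fully off.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The trace limit and the final 'diagnose debug reset' are the two safeguards that matter on a production unit: the first bounds how much output the firewall generates, and the second ensures that no filter or show option silently carries over into the next troubleshooting session.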
Conclusion:
These debug commands help network administrators analyze traffic, troubleshoot policy issues, and diagnose connectivity problems in FortiGate firewalls. Always limit debug sessions (trace start X) to avoid performance impact, and disable debugging when finished.
Related article:
Troubleshooting Tip: Debug flow flags