FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
acvaldez
Staff
Staff
Article Id 214433
Description

This article describes how to show values that can be seen on diag debug app SSL-VPN daemon.

Scope

FortiGate.

Solution

# diag debug app sslvpn -1

# diag debug enable

 

Sample Output:

 

[751:root:15]SSL state:SSLv3/TLS read client hello (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write server hello (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write change cipher spec (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write finished (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write finished:system lib(10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write finished (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS read change cipher spec (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS read finished (10.47.2.32)

[751:root:15]SSL state:SSL negotiation finished successfully (10.47.2.32)

[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

 

Line where it is possible to see which TLS version and crypthographic hash algorithm the client and FortiGate to used to do the handshake.

 

751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.

[751:root:15]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.

[751:root:15]sslvpn_auth_check_usrgroup:3008 got user (1) group (0:0).

[751:root:15]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ().

[751:root:15]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.

[751:root:15]sslvpn_validate_user_group_list:1978 checking rule 1 realm.

[751:root:15]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.

[751:root:15]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.

[751:root:15]sslvpn_validate_user_group_list:2570 rule 1 done, got user (1:0) group (0:0) peer group (0).

[751:root:15]sslvpn_validate_user_group_list:2864 got user (1:0), group (0:0) peer group (0).

[751:root:15]sslvpn_update_user_group_list:1792 got user (1:0), group (0:0), peer group (0) after update.

[751:root:15]two factor check for jclar: off

 

 

On this line, it will be possible to see which user is trying to connect on SSL-VPN and it shows here that is matches local entry.

 

[751:root:15]sslvpn_authenticate_user:183 authenticate user: [jclar]

[751:root:15]sslvpn_authenticate_user:197 create fam state

[751:root:15]fam_auth_send_req:882 found node jclar:0:, valid:1

[751:root:15][fam_auth_send_req_internal:426] Groups sent to FNBAM:

[751:root:15]group_desc[0].grpname = jclar

[751:root:15][fam_auth_send_req_internal:438] FNBAM opt = 0X201420

[751:root:15]fam_auth_send_req_internal:514 fnbam_auth return: 0

[751:root:15][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):

[751:root:15]Received: auth_rsp_data.grp_list[0] = 16777218

[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.

[751:root:15]fam_do_cb:665 fnbamd return auth success.

[751:root:15]SSL VPN login matched rule (1).

[751:root:15]got public IP address: 211.25.130.154

[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[751:root:15]rmt_web_session_create:1209 create web session, idx[0]

[751:root:15]login_succeeded:536 redirect to hostcheck

[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[10.47.2.32],realm

=[],csrf_token=[23154DC8DF6C5BAEB0337AA3EA1DFD6],idx=0,auth=1,sid=73497ade,login=1655001325,access=1655001325,saml_logout_url=no,pip=211.25.13

0.154,grp_info=[B4LsOZ],rmt_grp_info=[]

 

- On these lines, it is possible to see that jclar successfully authenticated.

- And it matches the SSL-VPN portal full-access.

 

[751:root:16]tunnel2_enter:1142 0x7fea06956500:0x7fea05b6dc00 sslvpn user[jclar],type 1,logintime 0 vd 0 vrf 0

[751:root:16]tun dev (ssl.root) opened (37)

[751:root:16]Will add auth policy for policy 2 for user jclar:

[751:root:16]Add auth logon for user jclar:, matched group number 1

[751:root:16]fsv_associate_fd_to_ipaddr:1922 associate 10.212.134.200 to tun (ssl.root:37)

[751:root:16]proxy arp: scanning 6 interfaces for IP 10.212.134.200

[751:root:16]Cannot determine ethernet address for proxy ARP

 

- It is possible to see that the FortiGate has assigned 10.212.134.200 to jclar’s SSL-VPN connection.

- And the SSL-VPN user jclar matches the Firewall Policy ID 2 that made the user to successfully connect to SSL-VPN.

Contributors