FortiGate
acvaldez
Description

This article describes how to read the values shown by the SSL VPN daemon debug (diag debug app sslvpn).

Scope

FortiGate.

Solution

# diag debug app sslvpn -1

# diag debug enable

 

Sample Output:

 

[751:root:15]SSL state:SSLv3/TLS read client hello (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write server hello (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write change cipher spec (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write finished (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write finished:system lib(10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS write finished (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS read change cipher spec (10.47.2.32)

[751:root:15]SSL state:SSLv3/TLS read finished (10.47.2.32)

[751:root:15]SSL state:SSL negotiation finished successfully (10.47.2.32)

[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

 

This line shows the TLS version and cipher suite (key exchange, authentication, encryption and hash algorithms) that the client and the FortiGate negotiated during the handshake; in the sample above it is TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384.

 

[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.

[751:root:15]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.

[751:root:15]sslvpn_auth_check_usrgroup:3008 got user (1) group (0:0).

[751:root:15]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ().

[751:root:15]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.

[751:root:15]sslvpn_validate_user_group_list:1978 checking rule 1 realm.

[751:root:15]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.

[751:root:15]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.

[751:root:15]sslvpn_validate_user_group_list:2570 rule 1 done, got user (1:0) group (0:0) peer group (0).

[751:root:15]sslvpn_validate_user_group_list:2864 got user (1:0), group (0:0) peer group (0).

[751:root:15]sslvpn_update_user_group_list:1792 got user (1:0), group (0:0), peer group (0) after update.

[751:root:15]two factor check for jclar: off

 

 

These lines show which user is trying to connect to SSL VPN (here jclar) and that the user name matched a local user entry. The SSL VPN authentication rules are then checked against the user, and the two-factor check for this user is reported as off.

 

[751:root:15]sslvpn_authenticate_user:183 authenticate user: [jclar]

[751:root:15]sslvpn_authenticate_user:197 create fam state

[751:root:15]fam_auth_send_req:882 found node jclar:0:, valid:1

[751:root:15][fam_auth_send_req_internal:426] Groups sent to FNBAM:

[751:root:15]group_desc[0].grpname = jclar

[751:root:15][fam_auth_send_req_internal:438] FNBAM opt = 0X201420

[751:root:15]fam_auth_send_req_internal:514 fnbam_auth return: 0

[751:root:15][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):

[751:root:15]Received: auth_rsp_data.grp_list[0] = 16777218

[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.

[751:root:15]fam_do_cb:665 fnbamd return auth success.

[751:root:15]SSL VPN login matched rule (1).

[751:root:15]got public IP address: 211.25.130.154

[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[751:root:15]rmt_web_session_create:1209 create web session, idx[0]

[751:root:15]login_succeeded:536 redirect to hostcheck

[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])

[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[10.47.2.32],realm=[],csrf_token=[23154DC8DF6C5BAEB0337AA3EA1DFD6],idx=0,auth=1,sid=73497ade,login=1655001325,access=1655001325,saml_logout_url=no,pip=211.25.130.154,grp_info=[B4LsOZ],rmt_grp_info=[]

 

- These lines show that jclar authenticated successfully (fnbamd returned auth success and the login matched SSL VPN authentication rule 1).

- The decoded session ID shows that the user is mapped to the SSL VPN portal full-access.

 

[751:root:16]tunnel2_enter:1142 0x7fea06956500:0x7fea05b6dc00 sslvpn user[jclar],type 1,logintime 0 vd 0 vrf 0

[751:root:16]tun dev (ssl.root) opened (37)

[751:root:16]Will add auth policy for policy 2 for user jclar:

[751:root:16]Add auth logon for user jclar:, matched group number 1

[751:root:16]fsv_associate_fd_to_ipaddr:1922 associate 10.212.134.200 to tun (ssl.root:37)

[751:root:16]proxy arp: scanning 6 interfaces for IP 10.212.134.200

[751:root:16]Cannot determine ethernet address for proxy ARP

 

- These lines show that the FortiGate assigned 10.212.134.200 to jclar's SSL VPN tunnel (ssl.root).

- The SSL VPN user jclar matched Firewall Policy ID 2, which is the policy that allowed the user to connect through SSL VPN.
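The fields the explanations above point out (negotiated TLS version and cipher suite, user and local-entry match, two-factor check, authentication result and matched rule, portal, firewall policy and assigned tunnel IP) can be pulled out of a saved debug capture automatically. The following Python script is an added example written for this article, not a Fortinet tool; it parses the sample lines shown above (embedded as a constructed excerpt) and raises a few defender-side findings. The field names, the reading of the third bracketed prefix field as a per-connection id, and the list of TLS versions treated as weak are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the sample output above, as printed by
# `diag debug app sslvpn -1` for one SSL VPN login.
SAMPLE_DEBUG = """\
[751:root:15]SSL state:SSL negotiation finished successfully (10.47.2.32)
[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.
[751:root:15]two factor check for jclar: off
[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.
[751:root:15]fam_do_cb:665 fnbamd return auth success.
[751:root:15]SSL VPN login matched rule (1).
[751:root:15]got public IP address: 211.25.130.154
[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[10.47.2.32],realm=[],csrf_token=[23154DC8DF6C5BAEB0337AA3EA1DFD6],idx=0,auth=1,sid=73497ade,login=1655001325,access=1655001325,saml_logout_url=no,pip=211.25.130.154,grp_info=[B4LsOZ],rmt_grp_info=[]
[751:root:16]Will add auth policy for policy 2 for user jclar:
[751:root:16]fsv_associate_fd_to_ipaddr:1922 associate 10.212.134.200 to tun (ssl.root:37)
"""

# Every line starts with [pid:vdom:id]. The third field is treated here as an
# opaque per-connection id (assumption; the article does not define it).
PREFIX_RE = re.compile(r"^\[(\d+):([^:\]]+):(\d+)\](.*)$")

# Versions this example flags as weak when they appear in "SSL established" (assumption).
WEAK_TLS_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


@dataclass
class SslVpnSession:
    pid: Optional[int] = None
    vdom: Optional[str] = None
    tls_version: Optional[str] = None
    cipher_suite: Optional[str] = None
    user: Optional[str] = None
    local_entry: bool = False
    two_factor: Optional[str] = None
    authenticated: bool = False
    matched_rule: Optional[int] = None
    public_ip: Optional[str] = None
    portal: Optional[str] = None
    policy_id: Optional[int] = None
    assigned_ip: Optional[str] = None
    tun_dev: Optional[str] = None


def parse_sslvpn_debug(text: str) -> SslVpnSession:
    """Walk the debug lines in order and extract the fields the article explains."""
    s = SslVpnSession()
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        msg = m.group(4) if m else raw  # tolerate lines that lost their [pid:vdom:id] prefix
        if m and s.pid is None:
            s.pid, s.vdom = int(m.group(1)), m.group(2)
        if (h := re.search(r"SSL established: (\S+) (\S+)", msg)):
            s.tls_version, s.cipher_suite = h.group(1), h.group(2)
        elif (h := re.search(r"user '([^']+)' has a matched local entry", msg)):
            s.user, s.local_entry = h.group(1), True
        elif (h := re.search(r"two factor check for ([^:\s]+): (\w+)", msg)):
            s.two_factor = h.group(2)
        elif (h := re.search(r"The user (\S+) is authenticated", msg)):
            s.user, s.authenticated = h.group(1), True
        elif (h := re.search(r"SSL VPN login matched rule \((\d+)\)", msg)):
            s.matched_rule = int(h.group(1))
        elif (h := re.search(r"got public IP address: (\S+)", msg)):
            s.public_ip = h.group(1)
        elif (h := re.search(r"portal=\[([^\]]*)\]", msg)):
            s.portal = h.group(1)
        elif (h := re.search(r"Will add auth policy for policy (\d+) for user", msg)):
            s.policy_id = int(h.group(1))
        elif (h := re.search(r"associate (\S+) to tun \(([^)]+)\)", msg)):
            s.assigned_ip, s.tun_dev = h.group(1), h.group(2)
    return s


def review(s: SslVpnSession) -> List[str]:
    """Defender-side checks on one parsed login; returns human-readable findings."""
    findings = []
    if s.tls_version in WEAK_TLS_VERSIONS:
        findings.append(f"weak TLS version negotiated: {s.tls_version}")
    if s.two_factor == "off":
        findings.append(f"two-factor authentication is off for user {s.user}")
    if s.authenticated and s.policy_id is None:
        findings.append(f"user {s.user} authenticated but no firewall policy was matched")
    return findings


if __name__ == "__main__":
    session = parse_sslvpn_debug(SAMPLE_DEBUG)
    print(session)
    for finding in review(session):
        print("finding:", finding)
```

Run it against a capture saved from the CLI instead of the embedded excerpt to get a one-line summary per login; the first-match-wins ordering in parse_sslvpn_debug means a later repeated field (for example a second User Agent line) does not overwrite a value that was already parsed.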
