FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes how to read the values shown by the SSL-VPN daemon debug (diag debug app sslvpn).




# diag debug app sslvpn -1

# diag debug enable


Sample Output:


[751:root:15]SSL state:SSLv3/TLS read client hello (
[751:root:15]SSL state:SSLv3/TLS write server hello (
[751:root:15]SSL state:SSLv3/TLS write change cipher spec (
[751:root:15]SSL state:SSLv3/TLS write finished (
[751:root:15]SSL state:SSLv3/TLS write finished:system lib(
[751:root:15]SSL state:SSLv3/TLS write finished (
[751:root:15]SSL state:SSLv3/TLS read change cipher spec (
[751:root:15]SSL state:SSLv3/TLS read finished (
[751:root:15]SSL state:SSL negotiation finished successfully (
[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384


This line shows which TLS version and cipher suite the client and the FortiGate used for the handshake.


[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.
[751:root:15]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.
[751:root:15]sslvpn_auth_check_usrgroup:3008 got user (1) group (0:0).
[751:root:15]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ().
[751:root:15]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[751:root:15]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[751:root:15]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.
[751:root:15]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.
[751:root:15]sslvpn_validate_user_group_list:2570 rule 1 done, got user (1:0) group (0:0) peer group (0).
[751:root:15]sslvpn_validate_user_group_list:2864 got user (1:0), group (0:0) peer group (0).
[751:root:15]sslvpn_update_user_group_list:1792 got user (1:0), group (0:0), peer group (0) after update.
[751:root:15]two factor check for jclar: off



These lines show which user is trying to connect to SSL-VPN; here the user jclar matches a local user entry.


[751:root:15]sslvpn_authenticate_user:183 authenticate user: [jclar]
[751:root:15]sslvpn_authenticate_user:197 create fam state
[751:root:15]fam_auth_send_req:882 found node jclar:0:, valid:1
[751:root:15][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[751:root:15]group_desc[0].grpname = jclar
[751:root:15][fam_auth_send_req_internal:438] FNBAM opt = 0X201420
[751:root:15]fam_auth_send_req_internal:514 fnbam_auth return: 0
[751:root:15][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[751:root:15]Received: auth_rsp_data.grp_list[0] = 16777218
[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.
[751:root:15]fam_do_cb:665 fnbamd return auth success.
[751:root:15]SSL VPN login matched rule (1).
[751:root:15]got public IP address:
[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]rmt_web_session_create:1209 create web session, idx[0]
[751:root:15]login_succeeded:536 redirect to hostcheck
[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[],realm




- These lines show that jclar authenticated successfully.

- The session is mapped to the SSL-VPN portal full-access.


[751:root:16]tunnel2_enter:1142 0x7fea06956500:0x7fea05b6dc00 sslvpn user[jclar],type 1,logintime 0 vd 0 vrf 0
[751:root:16]tun dev (ssl.root) opened (37)
[751:root:16]Will add auth policy for policy 2 for user jclar:
[751:root:16]Add auth logon for user jclar:, matched group number 1
[751:root:16]fsv_associate_fd_to_ipaddr:1922 associate to tun (ssl.root:37)
[751:root:16]proxy arp: scanning 6 interfaces for IP
[751:root:16]Cannot determine ethernet address for proxy ARP


- These lines show that the FortiGate has opened the tunnel device (ssl.root) for jclar's SSL-VPN connection.

- The SSL-VPN user jclar matches firewall policy ID 2, which is the policy that allowed the user to connect successfully over SSL-VPN.
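The fields the article points out (TLS version and cipher suite, the matched local user, the two-factor result, the matched SSL VPN rule, the portal, the tunnel device and the firewall policy ID) can be pulled out of the daemon debug mechanically. The parser below is an added example, not Fortinet code; it assumes every debug line carries the [pid:vdom:session] prefix shown above and that one capture covers one connection attempt (the article's own output spans two session ids, 15 and 16, which are folded into one record). The sample lines are constructed from the article's output, and the findings list gives the checks an operator would want flagged, such as a legacy protocol or a two-factor check that is off.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the article's output (not a real capture).
SAMPLE = """\
[751:root:15]SSL state:SSLv3/TLS read client hello (
[751:root:15]SSL state:SSL negotiation finished successfully (
[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.
[751:root:15]two factor check for jclar: off
[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.
[751:root:15]SSL VPN login matched rule (1).
[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[],realm
[751:root:16]tun dev (ssl.root) opened (37)
[751:root:16]Will add auth policy for policy 2 for user jclar:
"""

# Every line starts with [pid:vdom:session]; the rest is the message.
PREFIX = re.compile(r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sid>\d+)\](?P<msg>.*)$")


@dataclass
class SslvpnSession:
    user: Optional[str] = None
    local_entry: bool = False      # "has a matched local entry"
    tls_version: Optional[str] = None
    cipher_suite: Optional[str] = None
    two_factor: Optional[str] = None  # "on"/"off" as printed by the daemon
    authenticated: bool = False
    matched_rule: Optional[int] = None
    portal: Optional[str] = None
    tunnel_dev: Optional[str] = None
    policy_id: Optional[int] = None
    unparsed: int = 0              # lines without the [pid:vdom:sid] prefix


def parse(text: str) -> SslvpnSession:
    """Fold one debug capture into a single session record (assumption: one connection per capture)."""
    s = SslvpnSession()
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            s.unparsed += 1
            continue
        msg = m.group("msg")
        if (x := re.search(r"SSL established: (\S+) (\S+)", msg)):
            s.tls_version, s.cipher_suite = x.group(1), x.group(2)
        elif (x := re.search(r"user '([^']+)' has a matched local entry", msg)):
            s.user, s.local_entry = x.group(1), True
        elif (x := re.search(r"two factor check for (\S+): (\w+)", msg)):
            s.two_factor = x.group(2)
        elif re.search(r"The user \S+ is authenticated", msg):
            s.authenticated = True
        elif (x := re.search(r"SSL VPN login matched rule \((\d+)\)", msg)):
            s.matched_rule = int(x.group(1))
        elif (x := re.search(r"portal=\[([^\]]*)\]", msg)):
            s.portal = x.group(1)
        elif (x := re.search(r"tun dev \((\S+)\) opened", msg)):
            s.tunnel_dev = x.group(1)
        elif (x := re.search(r"auth policy for policy (\d+)", msg)):
            s.policy_id = int(x.group(1))
    return s


def findings(s: SslvpnSession) -> list:
    """Operator-facing observations about the parsed session."""
    out = []
    if s.tls_version in ("SSLv3", "TLSv1", "TLSv1.1"):
        out.append(f"legacy protocol negotiated: {s.tls_version}")
    if s.two_factor == "off":
        out.append(f"two factor check is off for {s.user}")
    if s.authenticated and s.matched_rule is None:
        out.append("authenticated without a matched SSL VPN rule")
    if s.authenticated and s.policy_id is None:
        out.append("authenticated but no firewall policy added for the tunnel")
    return out


if __name__ == "__main__":
    session = parse(SAMPLE)
    print(session)
    for line in findings(session):
        print("finding:", line)
```

Feed it a saved capture with `parse(open("sslvpn-debug.txt").read())`; the record then answers the article's questions in one place, and `findings()` is where to add further policy checks (for example, an allowlist of acceptable cipher suites).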