FortiGate
acvaldez
Staff
Article Id 214433
Description

This article describes how to interpret the values shown in the output of the SSL VPN daemon debug ('diag debug app sslvpn').

Scope

FortiGate.

Solution

diag debug app sslvpn -1
diag debug enable

Sample Output:

[751:root:15]SSL state:SSLv3/TLS read client hello (10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS write server hello (10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS write change cipher spec (10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS write finished (10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS write finished:system lib(10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS write finished (10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS read change cipher spec (10.47.2.32)
[751:root:15]SSL state:SSLv3/TLS read finished (10.47.2.32)
[751:root:15]SSL state:SSL negotiation finished successfully (10.47.2.32)
[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384

This is the line that shows which TLS version and cipher suite (key exchange, encryption and hash algorithm) the client and the FortiGate negotiated for the handshake.

[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.
[751:root:15]sslvpn_auth_check_usrgroup:2962 forming user/group list from policy.
[751:root:15]sslvpn_auth_check_usrgroup:3008 got user (1) group (0:0).
[751:root:15]sslvpn_validate_user_group_list:1850 validating with SSL VPN authentication rules (1), realm ().
[751:root:15]sslvpn_validate_user_group_list:1970 checking rule 1 cipher.
[751:root:15]sslvpn_validate_user_group_list:1978 checking rule 1 realm.
[751:root:15]sslvpn_validate_user_group_list:1989 checking rule 1 source intf.
[751:root:15]sslvpn_validate_user_group_list:2028 checking rule 1 vd source intf.
[751:root:15]sslvpn_validate_user_group_list:2570 rule 1 done, got user (1:0) group (0:0) peer group (0).
[751:root:15]sslvpn_validate_user_group_list:2864 got user (1:0), group (0:0) peer group (0).
[751:root:15]sslvpn_update_user_group_list:1792 got user (1:0), group (0:0), peer group (0) after update.
[751:root:15]two factor check for jclar: off

These lines show which user is trying to connect to the SSL VPN; here they also show that the user matches a local entry.

[751:root:15]sslvpn_authenticate_user:183 authenticate user: [jclar]
[751:root:15]sslvpn_authenticate_user:197 create fam state
[751:root:15]fam_auth_send_req:882 found node jclar:0:, valid:1
[751:root:15][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[751:root:15]group_desc[0].grpname = jclar
[751:root:15][fam_auth_send_req_internal:438] FNBAM opt = 0X201420
[751:root:15]fam_auth_send_req_internal:514 fnbam_auth return: 0
[751:root:15][fam_auth_send_req_internal:539] Authenticated groups (1) by FNBAM with auth_type (1):
[751:root:15]Received: auth_rsp_data.grp_list[0] = 16777218
[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.
[751:root:15]fam_do_cb:665 fnbamd return auth success.
[751:root:15]SSL VPN login matched rule (1).
[751:root:15]got public IP address: 211.25.130.154
[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]rmt_web_session_create:1209 create web session, idx[0]
[751:root:15]login_succeeded:536 redirect to hostcheck
[751:root:15]User Agent: FortiSSLVPN (Windows NT; SV1 [SV{v=02.01; f=07;}])
[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[10.47.2.32],realm=[],csrf_token=[23154DC8DF6C5BAEB0337AA3EA1DFD6],idx=0,auth=1,sid=73497ade,login=1655001325,access=1655001325,saml_logout_url=no,pip=211.25.130.154,grp_info=[B4LsOZ],rmt_grp_info=[]

  • On these lines, it is possible to see that jclar is successfully authenticated.
  • It also matches the SSL VPN portal full-access.

[751:root:16]tunnel2_enter:1142 0x7fea06956500:0x7fea05b6dc00 sslvpn user[jclar],type 1,logintime 0 vd 0 vrf 0
[751:root:16]tun dev (ssl.root) opened (37)
[751:root:16]Will add auth policy for policy 2 for user jclar:
[751:root:16]Add auth logon for user jclar:, matched group number 1
[751:root:16]fsv_associate_fd_to_ipaddr:1922 associate 10.212.134.200 to tun (ssl.root:37)
[751:root:16]proxy arp: scanning 6 interfaces for IP 10.212.134.200
[751:root:16]Cannot determine ethernet address for proxy ARP

  • It is possible to see that the FortiGate has assigned 10.212.134.200 to jclar's SSL VPN connection.
  • The SSL VPN user jclar matches Firewall Policy ID 2, which is the policy that allowed the user to connect successfully to the SSL VPN.
  • Timestamps may be crucial when troubleshooting intermittent issue reports or when comparing events against other references. Make sure that both SSL VPN nodes have the correct system time, and make sure the debug capture is created with timestamps: add 'diag debug console timestamp enable' to the 'diag debug' commands on the FortiGate.

Write down the timestamps of notable events, such as error messages, where applicable. It helps to understand the pattern of the problem and the order in which things happen.
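When a capture spans many lines, the facts above (negotiated TLS version and cipher suite, the user, the two-factor state, the portal, the firewall policy and the assigned tunnel address) can be pulled out programmatically. The following parser is an added example and is not part of this article or of FortiOS; it assumes the message formats shown above stay stable, and its sample input is a constructed, trimmed copy of the debug lines from this article.

```python
import re

# Constructed sample: the article's debug lines, trimmed to the events the parser keys on.
SAMPLE_DEBUG = """\
[751:root:15]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
[751:root:15]rmt_logincheck_cb_handler:1283 user 'jclar' has a matched local entry.
[751:root:15]two factor check for jclar: off
[751:root:15][fam_auth_send_req_internal:652] The user jclar is authenticated.
[751:root:15]deconstruct_session_id:709 decode session id ok, user=[jclar], group=[],authserver=[],portal=[full-access],host[10.47.2.32]
[751:root:16]Will add auth policy for policy 2 for user jclar:
[751:root:16]fsv_associate_fd_to_ipaddr:1922 associate 10.212.134.200 to tun (ssl.root:37)
"""

# One regex per message of interest; the named groups become the fields of the summary.
PATTERNS = {
    "tls": re.compile(r"SSL established: (?P<version>\S+) (?P<cipher>\S+)"),
    "local_user": re.compile(r"user '(?P<user>[^']+)' has a matched local entry"),
    "two_factor": re.compile(r"two factor check for (?P<user>\S+): (?P<state>\w+)"),
    "authenticated": re.compile(r"The user (?P<user>\S+) is authenticated"),
    "portal": re.compile(r"portal=\[(?P<portal>[^\]]*)\]"),
    "policy": re.compile(r"add auth policy for policy (?P<policy>\d+) for user (?P<user>\S+?):"),
    "tunnel_ip": re.compile(r"associate (?P<ip>[\d.]+) to tun \((?P<tun>[^)]+)\)"),
}

def parse_sslvpn_debug(text):
    """Collect the key facts of one login from 'diag debug app sslvpn -1' output."""
    session = {}
    for line in text.splitlines():
        # Every message starts with a "[pid:vdom:connection]" prefix; drop it first.
        msg = re.sub(r"^\[\d+:\w+:\d+\]", "", line)
        for name, pat in PATTERNS.items():
            m = pat.search(msg)
            if m:
                session.setdefault(name, m.groupdict())  # keep the first occurrence
    return session

def review(session):
    """Findings a reviewer wants at a glance: legacy protocol, no 2FA, incomplete login."""
    findings = []
    tls, tf = session.get("tls"), session.get("two_factor")
    if tls and tls["version"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {tls['version']}")
    if tf and tf["state"] == "off":
        findings.append(f"two-factor check is off for {tf['user']}")
    if "authenticated" not in session:
        findings.append("no 'is authenticated' message: login did not complete")
    return findings
```

Run it over a saved debug capture with `review(parse_sslvpn_debug(open(path).read()))`; an empty findings list means the login completed over a current protocol with the two-factor check on.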