Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
caunon
Staff
Staff

Created on ‎07-18-2022 03:43 AM Edited on ‎07-18-2022 03:44 AM By Anonymous

Article Id 217812

Technical Tip: How to check OSPF packets flow with functions of FortiGate unit

Description

This article describes how to check how OSPF (Open Shortest Path First) packets flow in functions or features in FortiGate unit.
Scope

FortiGate
Solution

In order to see how OSPF packets flow with functions or features in FortiGate unit. Execute the following commands for further troubleshoot.

On CLI :

 

# diagnose debug reset

# diagnose debug disable

# diagnose debug flow filter clear

# diagnose debug flow trace stop

 

# diagnose debug flow filter proto 89

# diagnose debug flow show function-name enable

# diagnose debug flow trace start 454545

# diagnose debug flow show iprope enable

# diagnose debug console timestamp enable

# diagnose debug enable

 

 

To stop debugging:

 

# diagnose debug disable

# diagnose debug reset

# diagnose debug flow filter clear

# diagnose debug flow trace stop

 

Note:

 

- The command 'diagnose debug flow show function-name enable' allows to show the function name.

- The command 'diagnose debug flow show iprope enable' allows to show trace messages about iprobe.


Example:

 

# diagnose debug reset

# diagnose debug disable

# diagnose debug flow filter clear

# diagnose debug flow trace stop

# diagnose debug flow filter proto 89

# diagnose debug flow show function-name enable

# diagnose debug flow trace start 454545

# diagnose debug flow show iprope enable

# diagnose debug console timestamp enable

# diagnose debug enable

 

2022-07-17 16:53:28 id=20085 trace_id=106351 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=89, 136.136.136.155:0->224.0.0.5:0) tun_id=10.165.1.249 from IPSec36. "
2022-07-17 16:53:28 id=20085 trace_id=106351 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-4c4cedd8, original direction"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=iprope_access_proxy_check line=435 msg="in-[IPSec36], out-[], skb_flags-02000108, vid-20"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check line=2277 msg="gnum-100017, check-ffffffffa002b990"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=iprope_policy_group_check line=4728 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=iprope_in_check line=468 msg="in-[IPSec36], out-[], skb_flags-02000108, vid-20"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check line=2277 msg="gnum-100011, check-ffffffffa002cb5d"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=iprope_policy_group_check line=4728 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check line=2277 msg="gnum-100001, check-ffffffffa002b990"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=iprope_policy_group_check line=4728 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check line=2277 msg="gnum-10000e, check-ffffffffa002b990"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check_one_policy line=2029 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check_one_policy line=2029 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check_one_policy line=2029 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2022-07-17 16:53:28 id=20085 trace_id=106351 func=__iprope_check_one_policy line=2029 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
2022-07-17 16:53:29 id=20085 trace_id=106351 func=__iprope_check_one_policy line=2247 msg="policy-4294967295 is matched, act-accept"
2022-07-17 16:53:29 id=20085 trace_id=106351 func=__iprope_check line=2294 msg="gnum-10000e check result: ret-matched, act-accept, flag-00000000, flag2-00000000"
2022-07-17 16:53:29 id=20085 trace_id=106351 func=iprope_policy_group_check line=4728 msg="after check: ret-matched, act-accept, flag-00000000, flag2-00000000"
2022-07-17 16:53:29 id=20085 trace_id=106352 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=89, 136.136.136.24:0->224.0.0.5:0) tun_id=0.0.0.0 from local. "
2022-07-17 16:53:29 id=20085 trace_id=106352 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-0000005b, original direction"
2022-07-17 16:53:29 id=20085 trace_id=106352 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSec36, tun_id=0.0.0.0"
2022-07-17 16:53:29 id=20085 trace_id=106352 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSec36"
2022-07-17 16:53:29 id=20085 trace_id=106352 func=esp_output4 line=868 msg="IPsec encrypt/auth"
2022-07-17 16:53:29 id=20085 trace_id=106352 func=ipsec_output_finish line=544 msg="send to 10.165.1.249 via intf-port4" 
2619
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.