caunon
Staff
Article Id 218083
Description

This article describes how to check BGP traffic with the debug flow feature on the FortiGate, in order to investigate whether BGP traffic hit the expected firewall policy ID, or whether another feature dropped it.

Scope

FortiGate.

Solution

The following steps check whether the packets were allowed or blocked by the expected firewall policy, or by another feature. When BGP traffic passes through the FortiGate but does not behave as expected, verify whether it hit the correct firewall policy ID.

Run the following CLI commands on the FortiGate to troubleshoot further:

 

diagnose debug disable

diagnose debug reset

diagnose debug flow filter clear

diagnose debug flow trace stop

 

diagnose debug flow filter port 179

diagnose debug flow show function-name enable

diagnose debug flow trace start 454545

diagnose debug flow show iprope enable

diagnose debug console timestamp enable

diagnose debug enable

 

To stop debugging:

 

diagnose debug disable

diagnose debug reset

diagnose debug flow filter clear

diagnose debug flow trace stop

 

Example:

 

diagnose debug disable

diagnose debug reset

diagnose debug flow filter clear

diagnose debug flow trace stop

 

diagnose debug flow filter port 179

diagnose debug flow show function-name enable <----- Show function name.

diagnose debug flow trace start 454545

diagnose debug flow show iprope enable <----- Show trace messages about iprope.

diagnose debug console timestamp enable

diagnose debug enable

2022-07-17 23:24:22 id=20085 trace_id=121106 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [S], seq 3859688849, ack 0, win 65535"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=init_ip_session_common line=6003 msg="allocate a new session-762651ef, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_dnat_check line=5306 msg="in-[IPSec36], out-[]"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_dnat_tree_check line=830 msg="len=0"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_dnat_check line=5318 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.89.2.146 via port5"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_fwd_check line=788 msg="in-[IPSec36], out-[port5], skb_flags-02000008, vid-20, app_id: 0, url_cat_id: 0"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-4, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-12, ret-matched, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_user_identity_check line=1817 msg="ret-matched"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2247 msg="policy-12 is matched, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_fwd_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-12"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_fwd_auth_check line=844 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-12"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 11.0.0.1:179->65.0.0.1:13458) tun_id=0.0.0.0 from port5. flag [S.], seq 2988187304, ack 3859688850, win 42340"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, reply direction"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.165.1.249 via IPSec36"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=npu_handle_session44 line=1162 msg="Trying to offloading session from port5 to IPSec36, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x00000101"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=fw_forward_dirty_handler line=410 msg="state=00000200, state2=00000000, npu_state=00000101"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=ip_session_core_in line=6528 msg="dir-1, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSec36, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSec36"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=esp_output4 line=868 msg="IPsec encrypt/auth"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=ipsec_output_finish line=544 msg="send to 10.165.1.249 via intf-port4"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [.], seq 3859688850, ack 2988187305, win 11"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, original direction"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=npu_handle_session44 line=1162 msg="Trying to offloading session from IPSec36 to port5, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000101"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=fw_forward_dirty_handler line=410 msg="state=00010200, state2=00000000, npu_state=00000101"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [.], seq 3859688850, ack 2988187305, win 11"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, original direction"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=npu_handle_session44 line=1162 msg="Trying to offloading session from IPSec36 to port5, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000101"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=fw_forward_dirty_handler line=410 msg="state=00010200, state2=00000000, npu_state=00000101"
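Reading a long trace by eye is error-prone, so the following Python script, added here as an example and not part of the Fortinet article or FortiOS, groups the debug flow lines by trace_id and reports the packet tuple, the policies walked and the final verdict for each one. The sample lines for trace_id 121106 and 121107 are copied from the output above; the two lines for trace_id 121200 (port3, implicit deny) are constructed to show how a dropped BGP session looks.

```python
import re

# Debug flow lines. Those for trace_id 121106/121107 are copied from the article's
# example output; the two for trace_id 121200 are CONSTRUCTED to show a dropped flow.
SAMPLE = """\
2022-07-17 23:24:22 id=20085 trace_id=121106 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [S], seq 3859688849, ack 0, win 65535"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-12, ret-matched, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 11.0.0.1:179->65.0.0.1:13458) tun_id=0.0.0.0 from port5. flag [S.], seq 2988187304, ack 3859688850, win 42340"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, reply direction"
2022-07-17 23:25:01 id=20085 trace_id=121200 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.2:40001->11.0.0.1:179) tun_id=0.0.0.0 from port3. flag [S], seq 1, ack 0, win 65535"
2022-07-17 23:25:01 id=20085 trace_id=121200 func=fw_forward_handler line=874 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) .* from (\S+)\. flag \[([^\]]*)\]')
CHECKED_RE = re.compile(r'checked gnum-\d+ policy-(\d+), ret-(matched|no-match)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
SESSION_RE = re.compile(r'Find an existing session, id-(\w+), (\w+) direction')

def summarize(text):
    """Group debug flow lines by trace_id: packet tuple, policies walked, final verdict."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces.setdefault(int(tid), {"checked": [], "verdict": None, "policy": None})
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t.update(proto=int(p[1]), src=p[2], dst=p[3], in_intf=p[4], flags=p[5])
        elif func == "__iprope_check_one_policy" and (p := CHECKED_RE.search(msg)):
            t["checked"].append(int(p[1]))  # policies evaluated, in lookup order
        elif func == "fw_forward_handler":
            if p := ALLOW_RE.search(msg):
                t["verdict"], t["policy"] = "accept", int(p[1])
            elif p := DENY_RE.search(msg):
                t["verdict"], t["policy"] = "deny", int(p[1])  # policy 0 = implicit deny
        elif func == "resolve_ip_tuple_fast" and (p := SESSION_RE.search(msg)):
            # Not a new session: no policy lookup, the packet follows the existing session
            t["verdict"], t["session"], t["direction"] = "existing-session", p[1], p[2]
    return traces

def bgp_policy_mismatches(text, expected_policy):
    """Trace IDs of new tcp/179 sessions that were not accepted by expected_policy."""
    return [tid for tid, t in summarize(text).items()
            if t.get("proto") == 6 and t.get("dst", "").endswith(":179")
            and t["verdict"] in ("accept", "deny")
            and (t["verdict"], t["policy"]) != ("accept", expected_policy)]
```

Reply-direction packets (trace_id 121107) report an existing session rather than a policy, because only the first packet of a session goes through the iprope policy lookup.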


Packet sniffer:

Run a packet sniffer for the BGP traffic at the same time. In the command below, verbosity level 6 prints the packet headers, the payload in hex/ASCII and the interface name, a count of 0 captures until stopped with Ctrl-C, and l adds local timestamps:

FGT # diagnose sniffer packet any "port 179" 6 0 l

Using Original Sniffing Mode
interfaces=[any]
filters=[port 179]

 

2022-07-17 23:24:22.488687 IPSec36 in 65.0.0.1.13458 -> 11.0.0.1.179: syn 3859688849
0x0000 0000 0000 0001 004a 7561 3609 0800 45c0.......Jua6...E.
0x0010 0048 1ea2 0000 4006 0f4d 4100 0001 0b00.H....@..MA.....
0x0020 0001 3492 00b3 e60e 2d91 0000 0000 d002..4.....-.......
0x0030 ffff 3fc3 0000 0101 1312 30fd 304e 317c..?.......0.0N1|
0x0040 a5f2 1192 6aa6 3d88 43fc 0204 0576 0101....j.=.C....v..
0x0050 0402 0103 030e ......

2022-07-17 23:24:22.488779 port5 out 65.0.0.1.13458 -> 11.0.0.1.179: syn 3859688849
0x0000 0000 0000 0000 004e 656f 2405 0800 45c0.......Neo$...E.
0x0010 0048 1ea2 0000 3f06 104d 4100 0001 0b00.H....?..MA.....
0x0020 0001 3492 00b3 e60e 2d91 0000 0000 d002..4.....-.......
0x0030 ffff 3fc3 0000 0101 1312 30fd 304e 317c..?.......0.0N1|
0x0040 a5f2 1192 6aa6 3d88 43fc 0204 0576 0101....j.=.C....v..
0x0050 0402 0103 030e ......

2022-07-17 23:24:22.489127 port5 in 11.0.0.1.179 -> 65.0.0.1.13458: syn 2988187304 ack 3859688850
0x0000 0000 0000 0001 004c 6f74 0c05 0800 45c0.......Lot....E.
0x0010 0048 4e13 0000 4006 dfdb 0b00 0001 4100.HN...@.......A.
0x0020 0001 00b3 3492 b21c 1ea8 e60e 2d92 d012....4.......-...
0x0030 a564 e1b8 0000 0101 1312 ee20 fdbb c11c.d..............
0x0040 bc26 50a3 35e3 80be ada3 0204 05b4 0101.&P.5...........
0x0050 0402 0103 030e ......

2022-07-17 23:24:22.489156 IPSec36 out 11.0.0.1.179 -> 65.0.0.1.13458: syn 2988187304 ack 3859688850
0x0000 0000 0000 0000 0004 0000 0000 0800 45c0..............E.
0x0010 0048 4e13 0000 3f06 e0db 0b00 0001 4100.HN...?.......A.
0x0020 0001 00b3 3492 b21c 1ea8 e60e 2d92 d012....4.......-...
0x0030 a564 e1b8 0000 0101 1312 ee20 fdbb c11c.d..............
0x0040 bc26 50a3 35e3 80be ada3 0204 05b4 0101.&P.5...........
0x0050 0402 0103 030e ......

2022-07-17 23:24:22.491290 IPSec36 in 65.0.0.1.13458 -> 11.0.0.1.179: ack 2988187305
0x0000 0000 0000 0001 0000 0000 0000 0800 45c0..............E.
0x0010 003c 1ea3 0000 4006 0f58 4100 0001 0b00.<....@..XA.....
0x0020 0001 3492 00b3 e60e 2d92 b21c 1ea9 a010..4.....-.......
0x0030 000b 5990 0000 0101 1312 c888 59fc 9a8a..Y.........Y...
0x0040 6b7b 95ba c8e0 adfd 5740 k{......W@

2022-07-17 23:24:22.491310 port5 out 65.0.0.1.13458 -> 11.0.0.1.179: ack 2988187305
0x0000 0000 0000 0000 004e 656f 2405 0800 45c0.......Neo$...E.
0x0010 003c 1ea3 0000 3f06 1058 4100 0001 0b00.<....?..XA.....
0x0020 0001 3492 00b3 e60e 2d92 b21c 1ea9 a010..4.....-.......
0x0030 000b 5990 0000 0101 1312 c888 59fc 9a8a..Y.........Y...
0x0040 6b7b 95ba c8e0 adfd 5740 k{......W@

2022-07-17 23:24:22.491325 IPSec36 in 65.0.0.1.13458 -> 11.0.0.1.179: psh 3859688850 ack 2988187305
0x0000 0000 0000 0001 0000 0000 0000 0800 45c0..............E.
0x0010 0079 1ea4 0000 4006 0f1a 4100 0001 0b00.y....@...A.....
0x0020 0001 3492 00b3 e60e 2d92 b21c 1ea9 a018..4.....-.......
0x0030 000b 8bdd 0000 0101 1312 2b49 de9c 1179..........+I...y
0x0040 376e 277d f43b f7cf 72c0 ffff ffff ffff7n'}.;..r.......
0x0050 ffff ffff ffff ffff ffff 003d 0104 01f4...........=....
0x0060 00b4 4100 0001 2002 0601 0400 0100 0102..A.............
0x0070 0601 0400 0200 0102 0280 0002 0202 0002................
0x0080 0641 0400 0001 f4 .A.....

2022-07-17 23:24:22.491340 port5 out 65.0.0.1.13458 -> 11.0.0.1.179: psh 3859688850 ack 2988187305
0x0000 0000 0000 0000 004e 656f 2405 0800 45c0.......Neo$...E.
0x0010 0079 1ea4 0000 3f06 101a 4100 0001 0b00.y....?...A.....
0x0020 0001 3492 00b3 e60e 2d92 b21c 1ea9 a018..4.....-.......
0x0030 000b 8bdd 0000 0101 1312 2b49 de9c 1179..........+I...y
0x0040 376e 277d f43b f7cf 72c0 ffff ffff ffff7n'}.;..r.......
0x0050 ffff ffff ffff ffff ffff 003d 0104 01f4...........=....
0x0060 00b4 4100 0001 2002 0601 0400 0100 0102..A.............
0x0070 0601 0400 0200 0102 0280 0002 0202 0002................
0x0080 0641 0400 0001 f4 .A.....
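Because the sniffer runs on interface any, a forwarded packet shows up twice, once in on the ingress interface and once out on the egress interface. The following Python script, added here as an example and not part of the article, pairs each in header line with its out counterpart and lists the packets that never left the FortiGate. The sample lines are the header lines of the capture above with the hex dump removed; the final line (a SYN arriving on port3) is constructed.

```python
import re
from collections import Counter

# Sniffer header lines (hex/ASCII dump omitted) copied from the article's capture
# above, plus one CONSTRUCTED final line: a SYN seen inbound that never leaves.
SNIFF = """\
2022-07-17 23:24:22.488687 IPSec36 in 65.0.0.1.13458 -> 11.0.0.1.179: syn 3859688849
2022-07-17 23:24:22.488779 port5 out 65.0.0.1.13458 -> 11.0.0.1.179: syn 3859688849
2022-07-17 23:24:22.489127 port5 in 11.0.0.1.179 -> 65.0.0.1.13458: syn 2988187304 ack 3859688850
2022-07-17 23:24:22.489156 IPSec36 out 11.0.0.1.179 -> 65.0.0.1.13458: syn 2988187304 ack 3859688850
2022-07-17 23:24:22.491290 IPSec36 in 65.0.0.1.13458 -> 11.0.0.1.179: ack 2988187305
2022-07-17 23:24:22.491310 port5 out 65.0.0.1.13458 -> 11.0.0.1.179: ack 2988187305
2022-07-17 23:24:22.491325 IPSec36 in 65.0.0.1.13458 -> 11.0.0.1.179: psh 3859688850 ack 2988187305
2022-07-17 23:24:22.491340 port5 out 65.0.0.1.13458 -> 11.0.0.1.179: psh 3859688850 ack 2988187305
2022-07-17 23:25:01.000000 port3 in 65.0.0.2.40001 -> 11.0.0.1.179: syn 1
"""

# "<date> <time> <interface> in|out <src.port> -> <dst.port>: <tcp flags/seq/ack>"
HDR_RE = re.compile(r'^(\S+ \S+) (\S+) (in|out) (\S+) -> (\S+): (.*)$')

def parse(text):
    """Return one dict per packet header line; hex dump lines do not match and are skipped."""
    pkts = []
    for line in text.splitlines():
        if m := HDR_RE.match(line):
            ts, intf, direction, src, dst, tcp = m.groups()
            pkts.append({"ts": ts, "intf": intf, "dir": direction, "src": src, "dst": dst, "tcp": tcp})
    return pkts

def unforwarded(text):
    """Inbound packets with no outbound copy (same src, dst and TCP flags/seq/ack).

    With interfaces=[any], a forwarded packet appears twice: 'in' on the ingress
    interface and 'out' on the egress interface. An 'in' with no 'out' was either
    dropped (compare with the debug flow verdict) or terminated on the FortiGate
    itself, e.g. when the FortiGate is the BGP speaker (local-in traffic)."""
    pkts = parse(text)
    outs = Counter((p["src"], p["dst"], p["tcp"]) for p in pkts if p["dir"] == "out")
    missing = []
    for p in pkts:
        if p["dir"] != "in":
            continue
        key = (p["src"], p["dst"], p["tcp"])
        if outs[key]:
            outs[key] -= 1   # consume the matching outbound copy
        else:
            missing.append(p)
    return missing
```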

 

Note: Starting from v7.2.0, it is possible to filter BGP debug logs by a specific peer. See the KB article 'Technical Tip: Capture BGP debugs for a specific neighbor' for more details.

 

diagnose debug disable

diagnose debug reset

diagnose ip router bgp all enable
diagnose ip router bgp level info
diagnose ip router bgp set-filter neighbor <neighbor address>  <----- Available from v7.2.0; restricts the debug output to this peer.
diagnose debug enable

 

This will help to check the BGP state.


To disable BGP debugging:

diagnose ip router bgp all disable

diagnose ip router bgp level none

diagnose debug reset

 

To reset the filter in cases where it is necessary to tailor the filter towards another BGP peer, use the following command:

 

diagnose ip router bgp set-filter reset 

 

Note: The above debug commands are applicable for both IPv4 and IPv6 BGP neighbors. The neighbor address filter can also be set for both IP versions.