FortiGate
caunon (Staff)
Article Id 218083
Description

This article describes how to trace BGP traffic (TCP port 179) through the FortiGate with the debug flow tool, in order to confirm which firewall policy or other feature handles it.

Scope

FortiGate.

Solution

The debug flow trace below shows whether the BGP packets are accepted or dropped, and by which firewall policy ID or which other function (route lookup, DNAT, IPsec, NPU offload) they are handled, so that the observed behaviour can be compared with what is expected.

 

Run the following CLI commands on the FortiGate to trace the traffic.

First clear any previous debug state and flow filter, so that the new filter is not combined with leftovers from an earlier debug session:

# diagnose debug reset
# diagnose debug disable
# diagnose debug flow filter clear
# diagnose debug flow trace stop

Then filter on TCP port 179 (the BGP port; the 'port' filter matches either the source or the destination port, so both directions of the session are captured), enable function names and iprope (policy lookup) messages in the trace, start the trace and enable debug output. The number given to 'trace start' is the maximum number of packets to trace before the trace stops by itself:

# diagnose debug flow filter port 179
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 454545
# diagnose debug flow show iprope enable
# diagnose debug console timestamp enable
# diagnose debug enable

 

To stop debugging and clear the filter afterwards:

 

# diagnose debug disable

# diagnose debug reset

# diagnose debug flow filter clear

# diagnose debug flow trace stop

 

Example:

With the commands above in place, the console shows the trace below. For each packet, the lines to read are: print_pkt_detail, which shows the packet itself (proto=6 is TCP, and one of the two ports is 179) and the ingress interface (from IPSec36); vf_ip_route_input_common, which shows the route lookup and the egress interface (via port5); __iprope_check_one_policy, which lists every policy evaluated in order (policy-1 and policy-4 do not match, policy-12 matches); and fw_forward_handler, which gives the verdict, 'Allowed by Policy-12'.

The policy lookup is only done on the first packet of a session. The SYN/ACK and the following packets (trace_id 121107 onward) resolve to the existing session 762651ef and are not checked against the policies again. If the BGP session is already established when the trace starts, no policy lookup is visible; reset the session from one of the peers to see a fresh SYN. The 'Trying to offloading session' lines show the session being handed to the NPU; once offloaded, later packets of that session bypass the kernel and no longer appear in the debug flow output. Disabling auto-asic-offload on the policy while troubleshooting keeps the whole session visible.

In this example the BGP session transits the FortiGate between 65.0.0.1 and 11.0.0.1 and is therefore matched against a regular forward policy. If the FortiGate itself is the BGP peer, the packets are handled by the local-in policy instead, and the trace shows a local-in check rather than a forward-policy verdict.

2022-07-17 23:24:22 id=20085 trace_id=121106 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [S], seq 3859688849, ack 0, win 65535"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=init_ip_session_common line=6003 msg="allocate a new session-762651ef, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_dnat_check line=5306 msg="in-[IPSec36], out-[]"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_dnat_tree_check line=830 msg="len=0"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_dnat_check line=5318 msg="result: skb_flags-02000008, vid-20, ret-no-match, act-accept, flag-00000000"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.89.2.146 via port5"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_fwd_check line=788 msg="in-[IPSec36], out-[port5], skb_flags-02000008, vid-20, app_id: 0, url_cat_id: 0"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-4, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-12, ret-matched, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_user_identity_check line=1817 msg="ret-matched"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2247 msg="policy-12 is matched, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_fwd_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-12"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=iprope_fwd_auth_check line=844 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-12"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 11.0.0.1:179->65.0.0.1:13458) tun_id=0.0.0.0 from port5. flag [S.], seq 2988187304, ack 3859688850, win 42340"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, reply direction"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.165.1.249 via IPSec36"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=npu_handle_session44 line=1162 msg="Trying to offloading session from port5 to IPSec36, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x00000101"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=fw_forward_dirty_handler line=410 msg="state=00000200, state2=00000000, npu_state=00000101"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=ip_session_core_in line=6528 msg="dir-1, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSec36, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSec36"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=esp_output4 line=868 msg="IPsec encrypt/auth"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=ipsec_output_finish line=544 msg="send to 10.165.1.249 via intf-port4"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [.], seq 3859688850, ack 2988187305, win 11"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, original direction"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=npu_handle_session44 line=1162 msg="Trying to offloading session from IPSec36 to port5, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000101"
2022-07-17 23:24:22 id=20085 trace_id=121108 func=fw_forward_dirty_handler line=410 msg="state=00010200, state2=00000000, npu_state=00000101"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [.], seq 3859688850, ack 2988187305, win 11"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, original direction"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=npu_handle_session44 line=1162 msg="Trying to offloading session from IPSec36 to port5, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000101"
2022-07-17 23:24:22 id=20085 trace_id=121109 func=fw_forward_dirty_handler line=410 msg="state=00010200, state2=00000000, npu_state=00000101"
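Reading a long debug flow capture by eye is error-prone, so the following is an added example, written for this page and not a Fortinet tool or part of the original article: a small Python parser that groups debug flow output by trace_id and reports, for every BGP packet, the ingress and egress interfaces, the policies that were checked, the final verdict, or the existing session it matched. The sample input is constructed: trimmed lines from the trace above (trace_id 121106 and 121107) plus an invented trace_id 121110 from a hypothetical peer 65.0.0.9 whose SYN is dropped by the implicit deny, to show how a drop looks next to an accept. The function names (parse_trace, bgp_traces, policy_mismatches, summarize) are this example's own.

```python
import re

# Constructed sample input: trimmed lines from the trace on this page, plus an
# invented trace_id 121110 (hypothetical peer 65.0.0.9) showing a denied SYN.
SAMPLE_TRACE = r'''
2022-07-17 23:24:22 id=20085 trace_id=121106 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.1:13458->11.0.0.1:179) tun_id=10.165.1.249 from IPSec36. flag [S], seq 3859688849, ack 0, win 65535"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=init_ip_session_common line=6003 msg="allocate a new session-762651ef, tun_id=10.165.1.249"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.89.2.146 via port5"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-4, ret-no-match, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-12, ret-matched, act-accept"
2022-07-17 23:24:22 id=20085 trace_id=121106 func=fw_forward_handler line=874 msg="Allowed by Policy-12:"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 11.0.0.1:179->65.0.0.1:13458) tun_id=0.0.0.0 from port5. flag [S.], seq 2988187304, ack 3859688850, win 42340"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-762651ef, reply direction"
2022-07-17 23:24:22 id=20085 trace_id=121107 func=npu_handle_session44 line=1162 msg="Trying to offloading session from port5 to IPSec36, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x00000101"
2022-07-17 23:25:01 id=20085 trace_id=121110 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 65.0.0.9:40112->11.0.0.1:179) from IPSec36. flag [S], seq 1, ack 0, win 65535"
2022-07-17 23:25:01 id=20085 trace_id=121110 func=init_ip_session_common line=6003 msg="allocate a new session-762651f0"
2022-07-17 23:25:01 id=20085 trace_id=121110 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.89.2.146 via port5"
2022-07-17 23:25:01 id=20085 trace_id=121110 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-12, ret-no-match, act-accept"
2022-07-17 23:25:01 id=20085 trace_id=121110 func=fw_forward_handler line=874 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
# IPv4 only; the trailing "flag [...]" part is only present for TCP packets.
PKT_RE = re.compile(
    r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r'.*? from (?P<intf>\S+?)\.(?= |$)(?: flag \[(?P<flags>[^\]]*)\])?')
POLICY_RE = re.compile(r'checked gnum-(?P<gnum>\w+) policy-(?P<pid>\d+), ret-(?P<ret>[\w-]+), act-(?P<act>\w+)')
ROUTE_RE = re.compile(r'find a route: .* via (?P<intf>\S+)')
SESSION_RE = re.compile(r'Find an existing session, id-(?P<sid>\w+), (?P<dir>\w+) direction')
NEWSESS_RE = re.compile(r'allocate a new session-(?P<sid>\w+)')


def parse_trace(text):
    """Group debug flow lines by trace_id and pull out the fields that decide the verdict."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, func, msg = m.group('tid'), m.group('func'), m.group('msg')
        t = traces.setdefault(tid, {
            'packet': None, 'flags': None, 'in_intf': None, 'out_intf': None,
            'session': None, 'direction': None, 'policies_checked': [],
            'matched_policy': None, 'verdict': None, 'npu_offload': False})
        if func == 'print_pkt_detail':
            p = PKT_RE.search(msg)
            if p:
                t['packet'] = (p.group('src'), int(p.group('sport')),
                               p.group('dst'), int(p.group('dport')), int(p.group('proto')))
                t['in_intf'], t['flags'] = p.group('intf'), p.group('flags')
        elif func == '__iprope_check_one_policy':
            p = POLICY_RE.search(msg)        # one line per policy evaluated, in order
            if p:
                t['policies_checked'].append((int(p.group('pid')), p.group('ret'), p.group('act')))
                if p.group('ret') == 'matched':
                    t['matched_policy'] = int(p.group('pid'))
        elif func == 'init_ip_session_common':
            p = NEWSESS_RE.search(msg)       # first packet of a session: policy lookup happens here
            if p:
                t['session'], t['direction'] = p.group('sid'), 'new'
        elif func == 'resolve_ip_tuple_fast':
            p = SESSION_RE.search(msg)       # later packets: no policy lookup, existing session
            if p:
                t['session'], t['direction'] = p.group('sid'), p.group('dir')
        elif func == 'vf_ip_route_input_common':
            p = ROUTE_RE.search(msg)
            if p:
                t['out_intf'] = p.group('intf')
        elif msg.startswith(('Allowed by', 'Denied by')):
            t['verdict'] = msg.rstrip(':')
        elif func.startswith('npu_handle_session') and 'offload' in msg:
            t['npu_offload'] = True          # later packets of this session may vanish from the trace
    return traces


def bgp_traces(traces, bgp_port=179):
    """Keep only traces whose packet is TCP with the BGP port as source or destination."""
    return {tid: t for tid, t in traces.items()
            if t['packet'] and t['packet'][4] == 6 and bgp_port in (t['packet'][1], t['packet'][3])}


def policy_mismatches(traces, expected_policy):
    """Trace IDs of new BGP sessions that were not matched by the expected policy ID."""
    return [tid for tid, t in bgp_traces(traces).items()
            if t['direction'] == 'new' and t['matched_policy'] != expected_policy]


def summarize(t):
    """One-line human summary of a parsed trace."""
    src, sport, dst, dport, _ = t['packet']
    if t['verdict']:
        checked = ', '.join(str(pid) for pid, _, _ in t['policies_checked'])
        how = '%s (policies checked: %s)' % (t['verdict'], checked)
    elif t['session']:
        how = 'existing session %s, %s direction%s' % (
            t['session'], t['direction'], ', NPU offload attempted' if t['npu_offload'] else '')
    else:
        how = 'no policy decision or session match recorded'
    return '%s:%d -> %s:%d in %s out %s: %s' % (src, sport, dst, dport, t['in_intf'], t['out_intf'] or '?', how)


if __name__ == '__main__':
    parsed = parse_trace(SAMPLE_TRACE)
    for tid, t in bgp_traces(parsed).items():
        print(tid, summarize(t))
    print('not allowed by policy 12:', policy_mismatches(parsed, 12))
```

Feed it the saved console output instead of SAMPLE_TRACE to get one line per BGP packet; policy_mismatches(parsed, N) returns the new sessions that did not land on the policy ID you expected, which is the check this article is about.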
