ssriswadpong
Staff
Article Id 199834
Description: This article describes how to collect WAD debug logs for troubleshooting an ICAP profile (ICAP is handled by the WAD proxy daemon, so its debug output is where ICAP problems show up).
Scope: FortiGate
Solution

1) Run the following debug commands.

Follow the related KB article to capture the output to a text file with PuTTY:

https://community.fortinet.com/t5/No-tags-TKBs/Technical-Note-How-to-create-a-log-file-of-a-session-...

 

# diagnose debug reset
# diagnose debug console timestamp enable
# diagnose wad debug enable category icap
# diagnose wad debug enable category http     <- optional: also show the HTTP request/response detail
# diagnose wad debug enable level info
# diagnose debug enable

'category icap' limits the WAD output to the ICAP module so the capture stays readable; the final 'diagnose debug enable' is what actually starts the output, so generate the test traffic right after it.

 

2) Generate traffic that matches the firewall policy the ICAP profile is applied to, so the profile is triggered.

3) Stop debugging:

# diagnose debug disable
# diagnose debug reset

 

 

Sample output

Test setup for this capture:
Source (client) IP address: 192.168.1.34
Destination: https://dataleaktest.com/
ICAP server IP address: 192.168.1.220 (port 1344/TCP, the default ICAP port, as seen in the output)

Reading the output: the [p:] (process), [s:] (session) and [r:] (request) tags identify which WAD process, proxy session and request each line belongs to, and the ICAP lines can be followed through the ireq handle. After the client request is received, WAD opens a connection to 192.168.1.220:1344, sends the request, parses the ICAP status line and headers and closes the connection; after the server's response arrives it opens a second connection for the response side.

 

[I]2021-08-02 16:41:52.383860 [p:8338][s:590xxxx] wad_http_full_ses_make :12678 make ok session=0x7f91082a20 server=0x7f90f82188.
[I]2021-08-02 16:41:52.384437 [p:8338][s:590xxxx][r:72] wad_dump_http_request :2548 hreq=0x7f8e40c048 Received request from client: 192.168.1.34:51608

GET / HTTP/1.1
Host: dataleaktest.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en

[I]2021-08-02 16:41:52.384522 [p:8338][s:590xxxx][r:72] wad_http_parse_host :1667 host=[16]dataleaktest.com
[I]2021-08-02 16:41:52.384537 [p:8338][s:590xxxx][r:72] wad_http_str_canonicalize :2182 enc=0 path=/ len=1 changes=0
[I]2021-08-02 16:41:52.384569 [p:8338][s:590xxxx][r:72] wad_http_connect_server :5846 [0x7f8e40c048] Use old server: N/A:0
[I]2021-08-02 16:41:52.384651 [p:8338][s:590xxxx][r:72] wad_icap_srv_conn_new :559 icap server 0x7f9176f930 conn 0x7f90e1c048 ireq 0x7f8e4272c0 connecting
[I]2021-08-02 16:41:52.384669 [p:8338] wad_icap_create_new_tcp :782 Allocate ses_ctx 0x7f8e5276e8 -> 192.168.1.220:1344
[I]2021-08-02 16:41:52.384776 [p:8338] wad_http_clt_icap_body_done :1213 msg=0x7f8e40c048
Proc ICAP request 0x7f8e427048(0x7f8e4272c0) switch/is_req: 0/1
[I]2021-08-02 16:41:52.385027 [p:8338] wad_icap_srv_conn_on_connected :487 ICAP 0x7f90e1c048:0x7f8e4272c0:0x7f920f8c48:(:15585->192.168.1.220:1344): connected
[I]2021-08-02 16:41:52.385098 [p:8338] wad_icap_conn_timer_enable :883 ICAP req(0x7f8e4272c0) conn(0x7f90e1c048) timer Enable.
[I]2021-08-02 16:41:52.385663 [p:8338] icap_parse_icap_start_line :28 icap stream=0x7f8e4272c0 status line ret=1 invalid=0.
[I]2021-08-02 16:41:52.385682 [p:8338] icap_parse_icap_headers :325 ICAP hdr Server invalid/unknown: 0/1
[I]2021-08-02 16:41:52.385692 [p:8338] icap_parse_icap_headers :325 ICAP hdr ISTag invalid/unknown: 0/1
[I]2021-08-02 16:41:52.385701 [p:8338] icap_parse_icap_headers :325 ICAP hdr X-Response-Desc invalid/unknown: 0/1
[I]2021-08-02 16:41:52.385710 [p:8338] icap_parse_icap_headers :325 ICAP hdr X-Response-Info invalid/unknown: 0/1
[I]2021-08-02 16:41:52.385726 [p:8338] wad_http_icap_clt_request :714 icap=0x7f8e427048
[W]2021-08-02 16:41:52.385734 [p:8338] wad_icap_srv_conn_close :377 ICAP 0x7f90e1c048:0x7f8e4272c0:0x7f920f8c48:(:15585->192.168.1.220:1344): close
[I]2021-08-02 16:41:52.385750 [p:8338] wad_http_icap_notify :937 icap=0x7f8e427048 len=422 request=1 clt_strm=0x7f8e44c778
[I]2021-08-02 16:41:52.385780 [p:8338][s:590xxxx][r:73] wad_http_icap_dyn_fwd_start_proc :246 start proc msg 0x7f8e40c4d8 icap=0x7f8e427048, len=0
[I]2021-08-02 16:41:52.385805 [p:8338][s:590xxxx][r:73] wad_dump_fwd_http_req :2554 hreq=0x7f8e40c048 Forward request to server:
GET / HTTP/1.1
Host: dataleaktest.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en
Connection: keep-alive

[I]2021-08-02 16:41:52.915582 [p:8338][s:590xxxx] wad_dump_http_resp :2569 hreq=0x7f8e40c048 Received response from server:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Mon, 02 Aug 2021 09:41:51 GMT
Content-Length: 45938

[I]2021-08-02 16:41:52.915640 [p:8338][s:590xxxx] wad_http_fwd_non_cacheable_resp :2268 resp(0x7f914085e0) starts processing.
[I]2021-08-02 16:41:52.915650 [p:8338][s:590xxxx] wad_http_resp_setup_fwd_resp :2245 msg(0x7f914085e0) build fwd resp!
[W]2021-08-02 16:41:52.915661 [p:8338][s:590xxxx] wad_http_icap_resp_enabled :1159 ICAP=0x7f923238a8 req_method: 0
[I]2021-08-02 16:41:52.915685 [p:8338][s:590xxxx] wad_icap_srv_conn_new :559 icap server 0x7f9176f930 conn 0x7f90e1c048 ireq 0x7f8e4277b0 connecting
[I]2021-08-02 16:41:52.915698 [p:8338][s:590xxxx] wad_icap_srv_conn_on_connected :487 ICAP 0x7f90e1c048:0x7f8e4277b0:0x7f920f8ca8:(:15585->192.168.1.220:1344): connected
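The following Python script is an added example, not part of this article or of Fortinet's tooling. It parses lines in the format shown above (the line shape and the correlation of connecting/connected/close lines through the ireq handle are inferred from this sample, not documented by Fortinet) and summarises each ICAP transaction with the server address, the TCP connect time and whether WAD closed the connection. The SAMPLE text inside the script is constructed from the lines shown above; the 'triggered_by' label is an ordering heuristic (the last HTTP message dumped before the connect), not a field WAD prints.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: a subset of the debug lines shown in this article (session ID masked as in the article).
SAMPLE = """\
[I]2021-08-02 16:41:52.384437 [p:8338][s:590xxxx][r:72] wad_dump_http_request :2548 hreq=0x7f8e40c048 Received request from client: 192.168.1.34:51608
[I]2021-08-02 16:41:52.384651 [p:8338][s:590xxxx][r:72] wad_icap_srv_conn_new :559 icap server 0x7f9176f930 conn 0x7f90e1c048 ireq 0x7f8e4272c0 connecting
[I]2021-08-02 16:41:52.384669 [p:8338] wad_icap_create_new_tcp :782 Allocate ses_ctx 0x7f8e5276e8 -> 192.168.1.220:1344
[I]2021-08-02 16:41:52.385027 [p:8338] wad_icap_srv_conn_on_connected :487 ICAP 0x7f90e1c048:0x7f8e4272c0:0x7f920f8c48:(:15585->192.168.1.220:1344): connected
[W]2021-08-02 16:41:52.385734 [p:8338] wad_icap_srv_conn_close :377 ICAP 0x7f90e1c048:0x7f8e4272c0:0x7f920f8c48:(:15585->192.168.1.220:1344): close
[I]2021-08-02 16:41:52.915582 [p:8338][s:590xxxx] wad_dump_http_resp :2569 hreq=0x7f8e40c048 Received response from server:
[W]2021-08-02 16:41:52.915661 [p:8338][s:590xxxx] wad_http_icap_resp_enabled :1159 ICAP=0x7f923238a8 req_method: 0
[I]2021-08-02 16:41:52.915685 [p:8338][s:590xxxx] wad_icap_srv_conn_new :559 icap server 0x7f9176f930 conn 0x7f90e1c048 ireq 0x7f8e4277b0 connecting
[I]2021-08-02 16:41:52.915698 [p:8338][s:590xxxx] wad_icap_srv_conn_on_connected :487 ICAP 0x7f90e1c048:0x7f8e4277b0:0x7f920f8ca8:(:15585->192.168.1.220:1344): connected
"""

# Line shape inferred from the sample: [level]timestamp [p:..][s:..][r:..] function :srcline message
LINE_RE = re.compile(
    r"^\[(?P<level>[A-Z])\](?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{6}) "
    r"(?P<ctx>(?:\[[a-z]:[^\]]*\])+) (?P<func>\w+) :(?P<src>\d+) ?(?P<msg>.*)$"
)
CTX_RE = re.compile(r"\[([a-z]):([^\]]*)\]")
CONNECTING_RE = re.compile(r"ireq (0x[0-9a-f]+) connecting$")
ICAP_EVENT_RE = re.compile(
    r"ICAP 0x[0-9a-f]+:(?P<ireq>0x[0-9a-f]+):0x[0-9a-f]+:"
    r"\(:\d+->(?P<server>[\d.]+:\d+)\): (?P<state>connected|close)$"
)

@dataclass
class DebugLine:
    level: str   # I = info, W = warning, as printed by wad
    ts: datetime
    ctx: dict    # p = process, s = session, r = request (when present)
    func: str
    src: int
    msg: str

def parse_line(line: str) -> Optional[DebugLine]:
    """Return a DebugLine, or None for continuation lines such as dumped HTTP headers."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return DebugLine(m["level"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                     dict(CTX_RE.findall(m["ctx"])), m["func"], int(m["src"]), m["msg"])

def parse_debug(text: str) -> list[DebugLine]:
    return [ln for ln in map(parse_line, text.splitlines()) if ln is not None]

@dataclass
class IcapTxn:
    ireq: str
    triggered_by: str   # last HTTP message dumped before the connect (ordering heuristic, not a wad field)
    server: Optional[str] = None
    connecting_at: Optional[datetime] = None
    connected_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None

    @property
    def connect_us(self) -> Optional[int]:
        """TCP connect time to the ICAP server in microseconds, or None if it never connected."""
        if self.connecting_at is None or self.connected_at is None:
            return None
        d = self.connected_at - self.connecting_at
        return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds

def icap_transactions(lines: list[DebugLine]) -> list[IcapTxn]:
    """Correlate connecting/connected/close lines by the ireq handle wad prints on each of them."""
    txns: dict[str, IcapTxn] = {}
    last_http = "unknown"
    for ln in lines:
        if ln.func == "wad_dump_http_request":
            last_http = "client request"
        elif ln.func == "wad_dump_http_resp":
            last_http = "server response"
        elif ln.func == "wad_icap_srv_conn_new":
            m = CONNECTING_RE.search(ln.msg)
            if m:
                txns[m[1]] = IcapTxn(ireq=m[1], triggered_by=last_http, connecting_at=ln.ts)
        elif ln.func in ("wad_icap_srv_conn_on_connected", "wad_icap_srv_conn_close"):
            m = ICAP_EVENT_RE.search(ln.msg)
            if not m:
                continue
            t = txns.setdefault(m["ireq"], IcapTxn(ireq=m["ireq"], triggered_by=last_http))
            t.server = m["server"]
            if m["state"] == "connected":
                t.connected_at = ln.ts
            else:
                t.closed_at = ln.ts
    return list(txns.values())

def warnings(lines: list[DebugLine]) -> list[DebugLine]:
    """[W] lines; wad logs a normal ICAP connection close at this level, so treat them as hints, not errors."""
    return [ln for ln in lines if ln.level == "W"]

def summarize(text: str) -> list[str]:
    out = []
    for t in icap_transactions(parse_debug(text)):
        state = "closed" if t.closed_at else ("open" if t.connected_at else "never connected")
        out.append(f"ireq {t.ireq}: after {t.triggered_by}, server {t.server}, "
                   f"connect {t.connect_us} us, {state}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Paste the captured PuTTY log in place of SAMPLE (or read it from a file) and run the script. A transaction that stays at "never connected", or one with a connect time far above the sub-millisecond values in this sample, points at reachability between the FortiGate and the ICAP server rather than at the profile configuration itself.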