FortiGate
mtse, Staff
Article Id 248171
Description

The article below describes the commands for troubleshooting web filter rating queries sent to FortiGuard:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-WEB-filtering-rating-problems-when-u...

In some cases, however, it is also necessary to troubleshoot static URL filter entries. In such a case, the IPS debug commands ('diagnose ips debug') can be used, as shown in the Solution section.

Scope

FortiOS.
Solution

For example, if a static URL filter with a long list of entries is configured, it may be necessary to check which particular entry in the static filter is matching. When the list is very long, it is difficult to identify the matching entry by visual inspection alone.

 

Instead, the commands below can be used. The IPS filter restricts the debug output to the traffic of the client under test, so that the output stays readable:

# diagnose ips filter set "host <client IP>"
# diagnose debug enable
# diagnose ips debug enable all

To stop the debug afterwards:

# diagnose debug disable
# diagnose debug reset
# diagnose ips debug disable all

 

Example configuration used in this test: firewall policy 16 applies the web filter profile 'test-WF', which references static URL filter table 1 (entry 1 blocks 't.co'):

# config firewall policy
    edit 16
        set name "TEST"
        set uuid 599ff2f4-bbd3-51ed-6b23-63d357c63b74
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "test-WF"
        set logtraffic all
        set nat enable
    next
end

# config webfilter profile
    edit "test-WF"
        config web
            set urlfilter-table 1
        end
    next
end

# config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_2kn8efbkh"
        config entries
            edit 1
                set url "t.co"
                set action block
            next
        end
    next
end

 

When the client visited the website 'sharepoint.com', the debug shows that the rule 'ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000' (the static URL filter table 'Auto-webfilter-urlfilter_2kn8efbkh') matched with 'id:1', i.e. entry 1 in the static URL filter. The packet dump that follows is the TLS ClientHello of the connection, with 'www.sharepoint.com' in the SNI extension; under certificate inspection this is the host name the URL filter evaluated.

 

[283@929]ips_eng_log_webfilter: sess:28096 type:7 action:1 host:www.sharepoint.com source:2 url:/

[283@929]ips_process_event: ctx 0: 4 => 3

[283@929]ips_handle_pkt_verdict: drop a packet, size=557

[283@929]ips_process_event: ctx 0: 3 => 5

[283@-1]ips_run_packet_prepare: got a packet, id=8191, size=557

[283@-1]ips_process_event: ctx 0: 5 => 0

PACKET id:8191 len:557 vf:0 vrf:0 fw:16 view:3 derived:0 encap:0 log:(traffic:0 pre:1 post:0)

       imp2p:0x0 proxy:0x0 features:0x101 flowutm:1

  10.200.1.100:63431 -> 20.112.52.29:443 protocol:6

  IP length:557b, header:20b, ttl:127, tos:0, id:22692

  TCP payload:517b, header:20b

  TCP seq:2147835016, ack:1412222144, win:1026, flags:***AP***

[283@930]ips_run_decode: ips_pkt_id: 8191

0000  45 00 02 2D 58 A4 40 00 7F 06 4C 6E 0A C8 01 64     E..-X.@...Ln...d

0010  14 70 34 1D F7 C7 01 BB 80 05 5C 88 54 2C CC C0     .p4.......\.T,..

0020  50 18 04 02 BC 36 00 00 16 03 01 02 00 01 00 01     P....6..........

0030  FC 03 03 D2 7A 0B 08 46 07 9E 0F 18 5D A8 67 DE     ....z..F....].g.

0040  73 0D 1D 58 FE 58 C3 15 E9 3F 54 10 68 62 15 07     s..X.X...?T.hb..

0050  63 D3 5D 20 5B CB E0 FD EC 79 98 FB 72 25 30 C1     c.] [....y..r%0.

0060  13 0E D4 F5 30 05 74 F5 C3 90 F5 25 90 B3 5B 0C     ....0.t....%..[.

0070  C4 1A EA 91 00 20 0A 0A 13 01 13 02 13 03 C0 2B     ..... .........+

0080  C0 2F C0 2C C0 30 CC A9 CC A8 C0 13 C0 14 00 9C     ./.,.0..........

0090  00 9D 00 2F 00 35 01 00 01 93 CA CA 00 00 00 00     .../.5..........

00A0  00 17 00 15 00 00 12 77 77 77 2E 73 68 61 72 65     .......www.share

00B0  70 6F 69 6E 74 2E 63 6F 6D 00 0B 00 02 01 00 00     point.com.......

00C0  05 00 05 01 00 00 00 00 00 2B 00 07 06 EA EA 03     .........+......

00D0  04 03 03 00 17 00 00 00 33 00 2B 00 29 AA AA 00     ........3.+.)......

 

....

 

[283@930]ips_match_rule: pattern matched 1200000,1200000: ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000

[283@930]ips_match_rule: matched rule 1200000 1200000 ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000 (weight:0)

[283@930]ips_match_candidates: set best rule 1200000 1200000 ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000

[283@930]match_urlf: matched urlf rule ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000, id:1, action:1, log=1

[283@930]match_urlf: disarm deferred URLF actions when request is to be blocked.
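When the static URL filter has hundreds of entries, reading the 'match_urlf' line and then finding the entry by hand is still tedious. The following Python script is an added example, not part of the original article: it parses the 'ips_eng_log_webfilter' and 'match_urlf' lines of the debug output above, parses the 'config webfilter urlfilter' dump, and resolves the matched 'id' to the entry's URL and action. Both sample inputs are copied from this page; the function names and the output format are the example's own, and the pairing of a 'match_urlf' line with the most recent session line is a simplification that is sufficient for a capture filtered to a single client.

```python
import re

# Constructed sample: the lines from the page's 'diagnose ips debug' output that
# identify the web-filter session and the matched static URL filter entry.
DEBUG_OUTPUT = """\
[283@929]ips_eng_log_webfilter: sess:28096 type:7 action:1 host:www.sharepoint.com source:2 url:/
[283@930]ips_match_rule: matched rule 1200000 1200000 ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000 (weight:0)
[283@930]match_urlf: matched urlf rule ssl-0-Auto-webfilter-urlfilter_2kn8efbkh-1200000, id:1, action:1, log=1
"""

# Constructed sample: the 'config webfilter urlfilter' block from the page.
URLFILTER_CONFIG = """\
config webfilter urlfilter
    edit 1
        set name "Auto-webfilter-urlfilter_2kn8efbkh"
        config entries
            edit 1
                set url "t.co"
                set action block
            next
        end
    next
end
"""

SESSION_RE = re.compile(r"ips_eng_log_webfilter: .*?host:(\S+) .*?url:(\S+)")
MATCH_RE = re.compile(r"match_urlf: matched urlf rule (\S+), id:(\d+), action:(\d+)")


def parse_urlfilter_config(text):
    """Return {table_name: {entry_id: {"url": ..., "action": ...}}} from a
    'config webfilter urlfilter' dump, tracking the nesting with a small stack."""
    tables, stack, table_name, entry_id = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line.split()[1])          # 'webfilter' or 'entries'
        elif line == "end":
            stack.pop()
        elif line.startswith("edit ") and stack[-1] == "entries":
            entry_id = int(line.split()[1])
            tables[table_name][entry_id] = {}
        elif line.startswith("set ") and stack[-1] == "entries":
            _, key, value = line.split(None, 2)
            tables[table_name][entry_id][key] = value.strip('"')
        elif line.startswith("set name ") and stack[-1] == "webfilter":
            table_name = line.split(None, 2)[2].strip('"')
            tables[table_name] = {}
    return tables


def explain_matches(debug_output, config_text):
    """Pair each 'match_urlf' line with the most recent web-filter session line
    and resolve the matched entry id against the parsed static URL filter."""
    tables = parse_urlfilter_config(config_text)
    results, host, url = [], None, None
    for line in debug_output.splitlines():
        if m := SESSION_RE.search(line):
            host, url = m.group(1), m.group(2)
        elif m := MATCH_RE.search(line):
            rule, entry_id = m.group(1), int(m.group(2))
            # The IPS rule name embeds the URL filter table name (in the page's
            # output: 'ssl-0-<table>-1200000'). Look the table up by substring so
            # the exact prefix/suffix format does not have to be assumed.
            table = next((t for t in tables if t in rule), None)
            entry = tables.get(table, {}).get(entry_id, {})
            results.append({
                "host": host, "url": url, "rule": rule, "table": table,
                "entry_id": entry_id, "entry_url": entry.get("url"),
                "entry_action": entry.get("action"),
            })
    return results


if __name__ == "__main__":
    for r in explain_matches(DEBUG_OUTPUT, URLFILTER_CONFIG):
        print(f"{r['host']}{r['url']} -> table '{r['table']}' entry {r['entry_id']} "
              f"(url '{r['entry_url']}', action {r['entry_action']})")
```

Run against a real capture, replace the two constants with the saved debug output and the output of 'show webfilter urlfilter'; the script then prints one line per blocked or matched request naming the table, entry number, entry URL and configured action, which is exactly the lookup the article describes doing by eye.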

 
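The packet dump printed by the IPS debug is the raw TLS ClientHello of the blocked connection. The following Python script is an added example and not part of the original article: it rebuilds the packet bytes from the dump lines, strips the IPv4 and TCP headers, walks the ClientHello and decodes the server_name (SNI) extension, which is where the 'host:www.sharepoint.com' value that the URL filter evaluated under certificate inspection comes from. Because the page's dump stops at offset 0x00DF, the decoder treats a cut-off extension list as "no SNI found" instead of failing. The PACKET_DUMP constant is copied from the page; the function names are the example's own.

```python
import re
from typing import Optional

# Constructed sample: the packet dump lines from the page's IPS debug output
# (offset, 16 hex bytes, ASCII column). The page's dump is truncated after 0x00DF.
PACKET_DUMP = r"""
0000  45 00 02 2D 58 A4 40 00 7F 06 4C 6E 0A C8 01 64     E..-X.@...Ln...d
0010  14 70 34 1D F7 C7 01 BB 80 05 5C 88 54 2C CC C0     .p4.......\.T,..
0020  50 18 04 02 BC 36 00 00 16 03 01 02 00 01 00 01     P....6..........
0030  FC 03 03 D2 7A 0B 08 46 07 9E 0F 18 5D A8 67 DE     ....z..F....].g.
0040  73 0D 1D 58 FE 58 C3 15 E9 3F 54 10 68 62 15 07     s..X.X...?T.hb..
0050  63 D3 5D 20 5B CB E0 FD EC 79 98 FB 72 25 30 C1     c.] [....y..r%0.
0060  13 0E D4 F5 30 05 74 F5 C3 90 F5 25 90 B3 5B 0C     ....0.t....%..[.
0070  C4 1A EA 91 00 20 0A 0A 13 01 13 02 13 03 C0 2B     ..... .........+
0080  C0 2F C0 2C C0 30 CC A9 CC A8 C0 13 C0 14 00 9C     ./.,.0..........
0090  00 9D 00 2F 00 35 01 00 01 93 CA CA 00 00 00 00     .../.5..........
00A0  00 17 00 15 00 00 12 77 77 77 2E 73 68 61 72 65     .......www.share
00B0  70 6F 69 6E 74 2E 63 6F 6D 00 0B 00 02 01 00 00     point.com.......
00C0  05 00 05 01 00 00 00 00 00 2B 00 07 06 EA EA 03     .........+......
00D0  04 03 03 00 17 00 00 00 33 00 2B 00 29 AA AA 00     ........3.+.)...
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hex_dump(dump: str) -> bytes:
    """Rebuild the raw packet from '<offset>  <up to 16 hex bytes>  <ascii>' lines."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or not re.fullmatch(r"[0-9A-Fa-f]{4}", parts[0]):
            continue
        for tok in parts[1:17]:            # at most 16 bytes per line
            if not HEX_BYTE.match(tok):    # reached the ASCII column
                break
            out.append(int(tok, 16))
    return bytes(out)


def u16(b: bytes, i: int) -> int:
    return int.from_bytes(b[i:i + 2], "big")


def tls_payload(pkt: bytes) -> bytes:
    """Strip the (variable-length) IPv4 and TCP headers and return the TCP payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ip_hlen = (pkt[0] & 0x0F) * 4
    tcp_hlen = (pkt[ip_hlen + 12] >> 4) * 4
    return pkt[ip_hlen + tcp_hlen:]


def client_hello_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if absent or truncated."""
    # TLS record header (5 bytes) followed by the handshake header (4 bytes)
    if len(payload) < 9 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 9
        p += 2 + 32                  # client_version + random
        p += 1 + payload[p]          # session_id
        p += 2 + u16(payload, p)     # cipher_suites
        p += 1 + payload[p]          # compression_methods
        p += 2                       # extensions length (not trusted: dump may be cut)
    except IndexError:
        return None
    while p + 4 <= len(payload):
        ext_type, ext_len = u16(payload, p), u16(payload, p + 2)
        body = payload[p + 4:p + 4 + ext_len]
        if ext_type == 0x0000 and len(body) == ext_len and len(body) >= 5:
            # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = u16(body, 3)
            return body[5:5 + name_len].decode("ascii", errors="replace")
        p += 4 + ext_len             # skip GREASE and other extensions
    return None


if __name__ == "__main__":
    pkt = parse_hex_dump(PACKET_DUMP)
    print(f"{len(pkt)} bytes recovered, IP total length {u16(pkt, 2)}")
    print("SNI:", client_hello_sni(tls_payload(pkt)))
```

The recovered SNI equals the 'host:' value in the 'ips_eng_log_webfilter' line, which confirms that with a certificate-inspection SSL profile the static URL filter is matched on the ClientHello host name rather than on a decrypted HTTP request.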

Related documents:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-apply-and-validate-a-custom-applica...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-WEB-filtering-rating-problems-when-u...
