FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

(i) vf – Index of virtual domain.
FGT # config vdom
FGT (vdom) edit
<vdom> Virtual Domain Name
root
test
FGT (vdom) edit root
current vf=root:0
FGT (vdom) edit test
current vf=test:3
FGT # diagnose debug flow filter addr 10.1.1.1
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1-10.1.1.1
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

While troubleshooting on the FortiGate, it may be necessary to review traffic traversing the device from multiple addresses. Multiple addresses can also be defined within a filter, as shown below.
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 and
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1 and 10.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 or
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1 or 10.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

With 'and', only traffic between the two hosts is shown; with 'or', traffic involving either host is shown. The benefit of using the 'addr' field is that bidirectional traffic can be seen, as compared to using saddr/daddr, which is discussed next.
FGT # diagnose debug flow filter saddr
<xxx.xxx.xxx.xxx> Source IP (from).
FGT # diagnose debug flow filter saddr 10.1.1.1
<xxx.xxx.xxx.xxx> Source IP (to).
FGT # diagnose debug flow filter saddr 10.1.1.1 10.1.1.100
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: any
host saddr: 10.1.1.1-10.1.1.100
Host daddr: any
port: any
sport: any
dport: any

The above filter matches traffic whose source IP falls within the range 10.1.1.1 to 10.1.1.100.
FGT # diagnose debug flow filter port 25

If the traffic matches several ports, a port range can be defined as well.

FGT # diagnose debug flow filter port 443
<xxx> Port (to).
FGT # diagnose debug flow filter port 443 450
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: any
host saddr: any
Host daddr: any
port: 443-450
sport: any
dport: any
FGT # diagnose debug flow filter sport 443
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: 443-443
dport: any
FGT # diagnose debug flow filter sport 443 450
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: 443-450
dport: any

(viii) dport – destination port.
# diagnose debug flow filter clear

Once the debug filter is defined, the following commands can be used to view the matching traffic.

# diagnose debug flow trace start <count>
# diagnose debug enable
# diagnose debug console timestamp enable <----- Enables timestamp (system time).
# diagnose debug disable
# diagnose debug reset
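The filter semantics shown above (addr matching either end of a flow, saddr/daddr matching only one direction, 'and'/'or' address pairs, and port ranges) can be checked offline against a flow before enabling the trace. The Python helper below is an added example, not Fortinet code: it parses the text of a 'diagnose debug flow filter' display (constructed here inline) and reports whether a given flow would be traced; the matching rules it encodes are a reading of the displays on this page, and the vf field is not evaluated.

```python
import ipaddress

# Constructed sample: the 'and' address filter from the page, combined with a port range.
SAMPLE_FILTER = """\
vf: any
proto: any
host addr: 10.1.1.1 and 10.2.2.2
Host saddr: any
Host daddr: any
port: 443-450
sport: any
dport: any
"""

def parse_filter(text):
    """Turn the 'diagnose debug flow filter' display into a dict keyed by field name."""
    f = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        f[key.strip().lower().replace("host ", "")] = val.strip()
    return f

def _ip(s):
    return int(ipaddress.ip_address(s))

def _in_range(spec, value, conv):
    """spec is 'any', one value, or 'lo-hi' (the CLI shows a single value as 'x-x')."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return conv(lo) <= conv(value) <= conv(hi or lo)

def matches(f, src, dst, sport, dport, proto=6):
    """True if a flow (src, dst, sport, dport) would be traced under filter f."""
    if f["proto"] != "any" and int(f["proto"]) != proto:
        return False
    spec = f["addr"]
    if " and " in spec:          # both hosts present, in either direction
        a, b = spec.split(" and ")
        ok = (src == a and dst == b) or (src == b and dst == a)
    elif " or " in spec:         # either host, at either end of the flow
        ok = bool({src, dst} & set(spec.split(" or ")))
    else:                        # single address or range, at either end
        ok = _in_range(spec, src, _ip) or _in_range(spec, dst, _ip)
    # saddr/daddr and sport/dport are directional; 'port' matches either end
    return (ok
            and _in_range(f["saddr"], src, _ip) and _in_range(f["daddr"], dst, _ip)
            and (_in_range(f["port"], str(sport), int) or _in_range(f["port"], str(dport), int))
            and _in_range(f["sport"], str(sport), int) and _in_range(f["dport"], str(dport), int))
```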
Copyright 2023 Fortinet, Inc. All Rights Reserved.