Description
This article describes the smart use of filters to review the matched traffic traversing the FortiGate.
Scope
FortiGate.
Solution
By default, there are no filters defined as can be seen in the output below.
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
(i) vf – Index of the virtual domain.
This is related to the different VDOMs configured on FortiGate. If there are no VDOMs defined, the default value is 0.
If there are several VDOMs configured, the vf value can be found as follows:
FGT # config vdom
FGT (vdom) edit
<vdom> Virtual Domain Name
root
test
FGT (vdom) edit root
current vf=root:0
FGT (vdom) edit test
current vf=test:3
The VDOM list command can be used as well:
FGT # diagnose sys vd list
system fib version=97
list virtual firewall info:
name=root/root index=0 enabled
(ii) proto – Protocol Number.
The following protocol numbers can be defined on the FortiGate.
Protocol number
(iii) Host addr - IP address.
Within a debug filter, a single address can be defined as well as multiple addresses. This address can be either a source or destination address matching the debug flow.
FGT # diagnose debug flow filter addr 10.1.1.1
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1-10.1.1.1
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
While doing troubleshooting on the FortiGate, it might be required to review traffic traversing the device from multiple addresses. Multiple addresses can also be defined within a filter as shown below.
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 and
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1 and 10.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 or
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1 or 10.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
The benefit of the 'addr' field is that it matches traffic in both directions (the address may be either the source or the destination), unlike the saddr/daddr fields discussed next, which each match one direction only.
(iv) Host saddr – Source IP address.
A single source address or a range of source addresses can be defined. This field matches the source IP address, that is, the host initiating the traffic.
FGT # diagnose debug flow filter saddr
<xxx.xxx.xxx.xxx> Source IP (from).
FGT # diagnose debug flow filter saddr 10.1.1.1
<xxx.xxx.xxx.xxx> Source IP (to).
FGT # diagnose debug flow filter saddr 10.1.1.1 10.1.1.100
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: any
host saddr: 10.1.1.1-10.1.1.100
Host daddr: any
port: any
sport: any
dport: any
The above filter matches traffic whose source IP address lies within the range 10.1.1.1 to 10.1.1.100.
(v) Host daddr – Destination IP address.
The destination address filter follows the same logic as the source address filter, but it matches the server/destination to which the traffic is sent.
(vi) Port – port number.
A single port number can be defined as shown below. It matches either the client (source) or the server (destination) port number.
FGT # diagnose debug flow filter port 25
If the traffic of interest spans several ports, a port range can be defined as well.
FGT # diagnose debug flow filter port 443
<xxx> Port (to).
FGT # diagnose debug flow filter port 443 450
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: any
host saddr: any
Host daddr: any
port: 443-450
sport: any
dport: any
(vii) Sport – source port.
This matches only the source port, that is, the port used by the source IP address (client IP) that initiates the traffic.
FGT # diagnose debug flow filter sport 443
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: 443-443
dport: any
FGT # diagnose debug flow filter sport 443 450
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: 443-450
dport: any
(viii) dport – destination port.
This matches only the destination port, that is, the port on the destination IP address (server IP) to which the traffic is sent.
In order to clear the debug filter, the following command is used.
diagnose debug flow filter clear
Once the debug filter is defined, the following commands can be used to view the matching traffic.
diagnose debug flow trace start <count>
diagnose debug enable
diagnose debug console timestamp enable <----- Enables timestamp (system time).
Once debugs have been collected, disable debugging by:
diagnose debug disable
diagnose debug reset
Additional Info:
The following note applies to the three address filters: (iii) Host addr (IP address), (iv) Host saddr (source IP address) and (v) Host daddr (destination IP address).
When an address filter is set with two addresses (from and to), the order of the two addresses matters:
diag debug flow filter addr 1.1.1.1 2.2.2.2
diag debug flow filter
vf: any
proto: any
host addr: 1.1.1.1-2.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
If the first address (ip1/from) is BIGGER than the second address (ip2/to), the filter is inverted: IP addresses within that range are NOT selected.
diag debug flow filter addr 2.2.2.2 1.1.1.1
diag debug flow filter
vf: any
proto: any
host addr: not in 1.1.1.1-2.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
This inversion only affects the address filters, not the port filters. If a port filter is given a first port that is larger than the second port, the command is rejected as not allowed ('wrong input'):
diag debug flow filter sport 80 22
wrong input
Command fail. Return code -61
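The address and port semantics described in this article (bidirectional 'addr' with its 'and'/'or' forms, one-directional 'saddr'/'daddr', 'port' versus 'sport'/'dport', and the reversed-range behaviour just shown) can be checked offline with the following Python model. This is an added example, not Fortinet code or FortiGate output: the Packet, AddrRange and FlowFilter names are constructed for it, the packets fed to it are made up, and the reading of 'and' as "one host is the source and the other the destination, in either direction" is an assumption the article does not state explicitly.

```python
# Added example (not Fortinet code): a model of the matching rules behind
# 'diagnose debug flow filter'. Field names and behaviours follow the article;
# Packet, FlowFilter, AddrRange and the reading of 'and' are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:  # constructed stand-in for one traced packet (VDOM index + 5-tuple)
    vf: int
    proto: int
    saddr: str
    daddr: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AddrRange:
    lo: IPv4Address
    hi: IPv4Address
    negated: bool = False  # 'not in lo-hi', produced by a reversed range

    def contains(self, ip: IPv4Address) -> bool:
        inside = self.lo <= ip <= self.hi
        return not inside if self.negated else inside

    def __str__(self) -> str:
        return ("not in " if self.negated else "") + f"{self.lo}-{self.hi}"


def parse_addr_range(ip1: str, ip2: Optional[str] = None) -> AddrRange:
    """<from> [<to>]; from > to yields the negated range the CLI prints."""
    lo, hi = IPv4Address(ip1), IPv4Address(ip2 if ip2 is not None else ip1)
    return AddrRange(hi, lo, negated=True) if lo > hi else AddrRange(lo, hi)


def parse_port_range(p1: int, p2: Optional[int] = None) -> Tuple[int, int]:
    """<from> [<to>]; unlike addresses, a reversed port range is rejected."""
    lo, hi = int(p1), int(p2 if p2 is not None else p1)
    if lo > hi:
        raise ValueError("wrong input")  # CLI: 'Command fail. Return code -61'
    return lo, hi


def _in(rng: Optional[Tuple[int, int]], value: int) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


class FlowFilter:
    def __init__(self) -> None:  # a fresh object is the 'clear' state: every field 'any'
        self.vf = self.proto = None
        self.addr: List[AddrRange] = []
        self.addr_mode = "or"
        self.saddr = self.daddr = None  # Optional[AddrRange]
        self.port = self.sport = self.dport = None  # Optional[Tuple[int, int]]

    def set(self, field: str, v1, v2=None, mode: Optional[str] = None) -> "FlowFilter":
        """Mirrors 'diagnose debug flow filter <field> <from> [<to> [and|or]]'."""
        if field == "addr" and v2 is not None and mode in ("and", "or"):
            self.addr, self.addr_mode = [parse_addr_range(v1), parse_addr_range(v2)], mode
        elif field == "addr":
            self.addr, self.addr_mode = [parse_addr_range(v1, v2)], "or"
        elif field in ("saddr", "daddr"):
            setattr(self, field, parse_addr_range(v1, v2))
        elif field in ("port", "sport", "dport"):
            setattr(self, field, parse_port_range(v1, v2))
        else:
            raise ValueError("wrong input")
        return self

    def matches(self, pkt: Packet) -> bool:
        """True when every field that is not 'any' matches; addr looks at both ends."""
        if self.vf not in (None, pkt.vf) or self.proto not in (None, pkt.proto):
            return False
        s, d = IPv4Address(pkt.saddr), IPv4Address(pkt.daddr)
        if len(self.addr) == 2 and self.addr_mode == "and":
            a, b = self.addr  # assumption: both hosts must be in the flow, either direction
            if not ((a.contains(s) and b.contains(d)) or (a.contains(d) and b.contains(s))):
                return False
        elif self.addr and not any(r.contains(s) or r.contains(d) for r in self.addr):
            return False
        if (self.saddr and not self.saddr.contains(s)) or (self.daddr and not self.daddr.contains(d)):
            return False
        if self.port is not None and not (_in(self.port, pkt.sport) or _in(self.port, pkt.dport)):
            return False  # 'port' matches either end; sport/dport match one end only
        return _in(self.sport, pkt.sport) and _in(self.dport, pkt.dport)

    def show(self) -> str:
        """Render the summary that 'diagnose debug flow filter' prints."""
        def fmt(v) -> str:
            return "any" if v is None else (f"{v[0]}-{v[1]}" if isinstance(v, tuple) else str(v))
        if len(self.addr) == 2:
            addr = f" {self.addr_mode} ".join(str(r.lo) for r in self.addr)
        else:
            addr = fmt(self.addr[0]) if self.addr else "any"
        return "\n".join([f"vf: {fmt(self.vf)}", f"proto: {fmt(self.proto)}",
                          f"host addr: {addr}", f"host saddr: {fmt(self.saddr)}",
                          f"host daddr: {fmt(self.daddr)}", f"port: {fmt(self.port)}",
                          f"sport: {fmt(self.sport)}", f"dport: {fmt(self.dport)}"])
```

FlowFilter().set("addr", "10.1.1.1", "10.2.2.2", "and").show() reproduces the summary lines shown earlier in the article, and matches() answers whether a given packet would appear in the trace. The useful contrast is in the two reversed-range cases: the port variant raises, while the address variant silently becomes a 'not in' filter, which is worth checking with 'diagnose debug flow filter' before starting a trace that then shows nothing.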
Copyright 2024 Fortinet, Inc. All Rights Reserved.