FortiGate
alif
Staff
Article Id 195025
Description
This article describes the smart use of filters to review the matched traffic traversing the FortiGate.

Solution
By default, there are no filters defined as can be seen in the output below.
FGT # diagnose debug flow filter
        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any
(i)    vf – Index of virtual domain.

This is related to the different VDOMs configured on FortiGate. If there are no VDOMs defined, the default value is 0.
If there are several VDOMs configured, the vf value can be found as follows:
FGT # config vdom

FGT (vdom) edit
<vdom>    Virtual Domain Name
root
test

FGT (vdom) edit root
current vf=root:0

FGT (vdom) edit test
current vf=test:3

(ii)    proto – Protocol Number.

The following protocol numbers can be defined on the FortiGate.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number

(iii)    Host addr - IP address.

Either a single address or multiple addresses can be defined in the debug filter. An address given here matches whether it appears as the source or as the destination of the flow.
FGT # diagnose debug flow filter addr 10.1.1.1
FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: 10.1.1.1-10.1.1.1
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any
While doing troubleshooting on the FortiGate, it might be required to review traffic traversing the device from multiple addresses. Multiple addresses can also be defined within a filter as shown below.
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 and

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: 10.1.1.1 and 10.2.2.2
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 or

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: 10.1.1.1 or 10.2.2.2
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any
The benefit of using the 'addr' field is that both directions of the traffic are shown, whereas saddr/daddr (discussed next) match only one direction.

(iv)    Host saddr – Source IP address.

Either a single source address or a range of source addresses can be defined. This field matches the source IP address initiating the traffic.
FGT # diagnose debug flow filter saddr
<xxx.xxx.xxx.xxx>    Source IP (from).

FGT # diagnose debug flow filter saddr 10.1.1.1
<xxx.xxx.xxx.xxx>    Source IP (to).

FGT # diagnose debug flow filter saddr 10.1.1.1 10.1.1.100

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: any
        host saddr: 10.1.1.1-10.1.1.100
        Host daddr: any
        port: any
        sport: any
        dport: any
The above filter will match traffic whose source IP address falls within the range 10.1.1.1 to 10.1.1.100.

(v)    Host daddr – Destination IP address.

The same logic as for the source address applies to the destination address; however, this field matches the server/destination to which the traffic is sent.

(vi)    Port – port number.

A single port number can be defined as below. This matches the port on either side of the connection, i.e. the client (source) port or the server (destination) port.
FGT # diagnose debug flow filter port 25
If the traffic matches several ports, a port range can be defined as well.
FGT # diagnose debug flow filter port 443
<xxx>    Port (to).

FGT # diagnose debug flow filter port 443 450

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: any
        host saddr: any
        Host daddr: any
        port: 443-450
        sport: any
        dport: any

(vii)    Sport – source port.

This matches only the source port, i.e. the port used by the source IP address (client IP) from which the traffic is initiated.
FGT # diagnose debug flow filter sport 443

FGT # diagnose debug flow filter

        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: 443-443
        dport: any

FGT # diagnose debug flow filter sport 443 450

FGT # diagnose debug flow filter

        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: 443-450
        dport: any

(viii)    dport – destination port.

This matches only the destination port, i.e. the port on the destination IP address (server IP) to which the traffic is sent.
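
As an added example (it is not FortiGate code and not part of the original article), the following Python script models the matching behaviour that sections (iii) to (viii) describe, so the difference between addr and saddr/daddr, and between port and sport/dport, can be checked against a few constructed flows. It parses the text that `diagnose debug flow filter` prints and applies the resulting filter to sample flows. The matching rules (addr and port match either end of a flow, ranges are inclusive, 'and' means traffic between both hosts and 'or' means either host) are assumptions taken from the article's wording, and the Flow class, SAMPLE_FLOWS, select and parse_filter_display names are constructed for this example.

```python
# Added example, not FortiGate code: a Python model of how the filter fields in
# sections (iii)-(viii) select traffic. Matching rules are assumptions drawn from
# the article: addr/port match either end of a flow, saddr/sport only the source,
# daddr/dport only the destination, ranges are inclusive, 'and' needs both hosts.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Flow:
    """One observed packet (constructed sample data, not a real capture)."""
    vf: int
    proto: int
    saddr: str
    sport: int
    daddr: str
    dport: int

@dataclass
class DebugFlowFilter:
    """Mirrors the fields printed by 'diagnose debug flow filter'; None means any."""
    vf: Optional[int] = None
    proto: Optional[int] = None
    addr: Optional[Tuple[str, ...]] = None   # (lo, hi) range, or two hosts
    addr_op: str = "range"                   # "range", "and" or "or"
    saddr: Optional[Tuple[str, str]] = None
    daddr: Optional[Tuple[str, str]] = None
    port: Optional[Tuple[int, int]] = None
    sport: Optional[Tuple[int, int]] = None
    dport: Optional[Tuple[int, int]] = None

def _ip_in(ip: str, rng: Tuple[str, str]) -> bool:
    return IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])

def _port_in(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]

def matches(f: DebugFlowFilter, fl: Flow) -> bool:
    """True if the flow satisfies every field of the filter that is not 'any'."""
    if f.vf is not None and fl.vf != f.vf:
        return False
    if f.proto is not None and fl.proto != f.proto:
        return False
    if f.addr is not None and f.addr_op == "range":
        # 'addr' is bidirectional: either endpoint may fall inside the range
        if not (_ip_in(fl.saddr, f.addr) or _ip_in(fl.daddr, f.addr)):
            return False
    elif f.addr is not None:
        ends, hosts = {fl.saddr, fl.daddr}, set(f.addr)
        # 'and': traffic between the two hosts; 'or': either host is involved
        if not (hosts <= ends if f.addr_op == "and" else hosts & ends):
            return False
    if f.saddr is not None and not _ip_in(fl.saddr, f.saddr):
        return False
    if f.daddr is not None and not _ip_in(fl.daddr, f.daddr):
        return False
    # 'port' is bidirectional like 'addr'; sport/dport check one side only
    if f.port is not None and not (_port_in(fl.sport, f.port) or _port_in(fl.dport, f.port)):
        return False
    if f.sport is not None and not _port_in(fl.sport, f.sport):
        return False
    if f.dport is not None and not _port_in(fl.dport, f.dport):
        return False
    return True

def parse_filter_display(text: str) -> DebugFlowFilter:
    """Build a filter from the lines that 'diagnose debug flow filter' prints."""
    f = DebugFlowFilter()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        key = key.lower().replace("host ", "")          # "Host saddr" -> "saddr"
        if val == "any":
            continue
        if key in ("vf", "proto"):
            setattr(f, key, int(val))
        elif key == "addr" and (" and " in val or " or " in val):
            f.addr_op = "and" if " and " in val else "or"
            f.addr = tuple(val.split(f" {f.addr_op} "))
        elif key in ("addr", "saddr", "daddr"):
            setattr(f, key, tuple(val.split("-")))       # "lo-hi" range
        elif key in ("port", "sport", "dport"):
            lo, hi = val.split("-")
            setattr(f, key, (int(lo), int(hi)))
    return f

# Constructed sample flows: an SMTP and an HTTPS session, each in both
# directions, in VDOM root (vf 0), protocol 6 (TCP).
SAMPLE_FLOWS: List[Flow] = [
    Flow(0, 6, "10.1.1.1", 51000, "10.2.2.2", 25),     # 0: client -> mail server
    Flow(0, 6, "10.2.2.2", 25, "10.1.1.1", 51000),     # 1: mail server reply
    Flow(0, 6, "10.1.1.50", 52000, "10.9.9.9", 443),   # 2: client -> web server
    Flow(0, 6, "10.9.9.9", 443, "10.1.1.50", 52000),   # 3: web server reply
]

def select(filter_text: str, flows: List[Flow] = SAMPLE_FLOWS) -> List[int]:
    """Indices of the sample flows that a filter, given as its display text, shows."""
    f = parse_filter_display(filter_text)
    return [i for i, fl in enumerate(flows) if matches(f, fl)]
```

Calling select('host addr: 10.1.1.1-10.1.1.1') returns [0, 1], both directions of the SMTP session, while select('host saddr: 10.1.1.1-10.1.1.100') returns [0, 2], only the client-initiated packets, which is the difference section (iii) describes. The same contrast appears between 'port: 443-450' (flows 2 and 3) and 'sport: 443-443' (flow 3 only). The parser also accepts the complete multi-line display from the article, so a saved filter listing can be replayed against flows before a debug trace is started.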

In order to clear the debug filter, the following command is used.
# diagnose debug flow filter clear
Once the debug filter is defined, the following commands can be used to view the matching traffic.
# diagnose debug flow trace start <count>
# diagnose debug enable
# diagnose debug console timestamp enable  <----- Enables timestamp (system time).

Once debugs have been collected, please disable debugging by:
# diagnose debug disable
# diagnose debug reset

Related Articles

Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate wi...
