- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNDR
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiScan
- FortiSandbox
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- Customer Service
- Community Groups
- Article Ideas
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Using filters to review traffic tra...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes the smart use of filters to review the matched traffic traversing the FortiGate.
Solution
By default, there are no filters defined as can be seen in the output below.
This is related to the different VDOMs configured on FortiGate. If there are no VDOMs defined, the default value is 0.
If there are several VDOMs configured, the vf value can be found as follows:
(ii) proto – Protocol Number.
The following protocol numbers can be defined on the FortiGate.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number
(iii) Host addr - IP address.
Within a debug filter, a single address can be defined as well as multiple addresses. This address can be either a source or destination address matching the debug flow.
(iv) Host saddr – Source IP address.
A single source address is defined or a range of multiple source addresses can be defined. It defines the source IP address initiating the traffic.
(v) Host daddr – Destination IP address.
Same logic of source address is used in destination address. However, it defines the server/destination to which the traffic is sent.
(vi) Port – port number.
A single port number can be defined as below. This matches both the client/server port number.
(vii) Sport – source port.
This matches only the port number of the source IP address (client IP) where the traffic is initiated.
This matches only the port number of the destination IP address (server IP) where the traffic is sent.
In order to clear the debug filter, the following command is used.
Once debugs have been collected, please disable debugging by;
This article describes the smart use of filters to review the matched traffic traversing the FortiGate.
Solution
By default, there are no filters defined as can be seen in the output below.
FGT # diagnose debug flow filter(i) vf – Index of virtual domain.
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
This is related to the different VDOMs configured on FortiGate. If there are no VDOMs defined, the default value is 0.
If there are several VDOMs configured, the vf value can be found as follows:
FGT # config vdom
FGT (vdom) edit
<vdom> Virtual Domain Name
root
test
FGT (vdom) edit root
current vf=root:0
FGT (vdom) edit test
current vf=test:3
(ii) proto – Protocol Number.
The following protocol numbers can be defined on the FortiGate.
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/451530/protocol-number
(iii) Host addr - IP address.
Within a debug filter, a single address can be defined as well as multiple addresses. This address can be either a source or destination address matching the debug flow.
FGT # diagnose debug flow filter addr 10.1.1.1While doing troubleshooting on the FortiGate, it might be required to review traffic traversing the device from multiple addresses. Multiple addresses can also be defined within a filter as shown below.
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1-10.1.1.1
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 andThe benefit of using ‘addr’ field is that bidirectional traffic can be seen as compared to using saddr/daddr which is discussed next.
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1 and 10.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 or
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: 10.1.1.1 or 10.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
(iv) Host saddr – Source IP address.
A single source address is defined or a range of multiple source addresses can be defined. It defines the source IP address initiating the traffic.
FGT # diagnose debug flow filter saddrThe above filter will match the traffic between IP range from 10.1.1.1 to 10.1.1.100.
<xxx.xxx.xxx.xxx> Source IP (from).
FGT # diagnose debug flow filter saddr 10.1.1.1
<xxx.xxx.xxx.xxx> Source IP (to).
FGT # diagnose debug flow filter saddr 10.1.1.1 10.1.1.100
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: any
host saddr: 10.1.1.1-10.1.1.100
Host daddr: any
port: any
sport: any
dport: any
(v) Host daddr – Destination IP address.
Same logic of source address is used in destination address. However, it defines the server/destination to which the traffic is sent.
(vi) Port – port number.
A single port number can be defined as below. This matches both the client/server port number.
FGT # diagnose debug flow filter port 25If the traffic matches several ports, a port range can be defined as well.
FGT # diagnose debug flow filter port 443
<xxx> Port (to).
FGT # diagnose debug flow filter port 443 450
FGT # diagnose debug flow filter
vf: any
proto: any
host addr: any
host saddr: any
Host daddr: any
port: 443-450
sport: any
dport: any
(vii) Sport – source port.
This matches only the port number of the source IP address (client IP) where the traffic is initiated.
FGT # diagnose debug flow filter sport 443(viii) dport – destination port.
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: 443-443
dport: any
FGT # diagnose debug flow filter sport 443 450
FGT # diagnose debug flow filter
vf: any
proto: any
Host addr: any
Host saddr: any
Host daddr: any
port: any
sport: 443-450
dport: any
This matches only the port number of the destination IP address (server IP) where the traffic is sent.
In order to clear the debug filter, the following command is used.
# diagnose debug flow filter clearOnce the debug filter is defined, the following commands can be used to view the matching traffic.
# diagnose debug flow trace start <count>
# diagnose debug enable
# diagnose debug console timestamp enable <----- Enables timestamp (system time).
Once debugs have been collected, please disable debugging by;
# diagnose debug disable
# diagnose debug reset
Related Articles
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2023 Fortinet, Inc. All Rights Reserved.