FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alif
Staff
Staff
Article Id 195025

Description

 

This article describes the smart use of filters to review the matched traffic traversing the FortiGate.

 

Scope

 

FortiGate.

Solution

 

By default, there are no filters defined as can be seen in the output below.

 

FGT # diagnose debug flow filter
        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

 

(i)    vf – Index of the virtual domain.

This is related to the different VDOMs configured on FortiGate. If there are no VDOMs defined, the default value is 0.
If there are several VDOMs configured, the vf value can be found as follows:

 

FGT # config vdom

FGT (vdom) edit
<vdom>    Virtual Domain Name
root
test

FGT (vdom) edit root
current vf=root:0

FGT (vdom) edit test
current vf=test:3


The VDOM list command can be used as well:


      FGT #   diagnose sys vd list
    system fib version=97
    list virtual firewall info:
    name=root/root index=0 enabled


(ii)    proto – Protocol Number.

The following protocol numbers can be defined on the FortiGate.
Protocol number

(iii)    Host addr - IP address.

Within a debug filter, a single address can be defined as well as multiple addresses. This address can be either a source or destination address matching the debug flow.

 

FGT # diagnose debug flow filter addr 10.1.1.1
FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: 10.1.1.1-10.1.1.1
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

 

While doing troubleshooting on the FortiGate, it might be required to review traffic traversing the device from multiple addresses. Multiple addresses can also be defined within a filter as shown below.

 

FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 and

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: 10.1.1.1 and 10.2.2.2
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

FGT # diagnose debug flow filter addr 10.1.1.1 10.2.2.2 or

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: 10.1.1.1 or 10.2.2.2
        Host saddr: any
        Host daddr: any
        port: any
        sport: any
        dport: any

 

The benefit of using ‘addr’ field is that bidirectional traffic can be seen as compared to using saddr/daddr which is discussed next.

(iv)    Host saddr – Source IP address.

A single source address is defined or a range of multiple source addresses can be defined. It defines the source IP address initiating the traffic.

 

FGT # diagnose debug flow filter saddr
<xxx.xxx.xxx.xxx>    Source IP (from).

FGT # diagnose debug flow filter saddr 10.1.1.1
<xxx.xxx.xxx.xxx>    Source IP (to).

FGT # diagnose debug flow filter saddr 10.1.1.1 10.1.1.100

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: any
        host saddr: 10.1.1.1-10.1.1.100
        Host daddr: any
        port: any
        sport: any
        dport: any

 

The above filter will match the traffic between the IP range from 10.1.1.1 to 10.1.1.100.

(v)    Host daddr – Destination IP address.

The same logic of the source address is used in the destination address. However, it defines the server/destination to which the traffic is sent.

(vi)    Port – port number.

A single port number can be defined as below. This matches both the client/server port number.

 

FGT # diagnose debug flow filter port 25

 

If the traffic matches several ports, a port range can be defined as well.

 

FGT # diagnose debug flow filter port 443
<xxx>    Port (to).

FGT # diagnose debug flow filter port 443 450

FGT # diagnose debug flow filter

        vf: any
        proto: any
        host addr: any
        host saddr: any
        Host daddr: any
        port: 443-450
        sport: any
        dport: any


(vii)    Sport – source port.

This matches only the port number of the source IP address (client IP) where the traffic is initiated.

 

FGT # diagnose debug flow filter sport 443

FGT # diagnose debug flow filter

        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: 443-443
        dport: any

FGT # diagnose debug flow filter sport 443 450

FGT # diagnose debug flow filter

        vf: any
        proto: any
        Host addr: any
        Host saddr: any
        Host daddr: any
        port: any
        sport: 443-450
        dport: any

 

(viii)    dport – destination port.

This matches only the port number of the destination IP address (server IP) where the traffic is sent.

In order to clear the debug filter, the following command is used.

 

diagnose debug flow filter clear

 

Once the debug filter is defined, the following commands can be used to view the matching traffic.

 

diagnose debug flow trace start <count>
diagnose debug enable
diagnose debug console timestamp enable  <----- Enables timestamp (system time).


Once debugs have been collected, disable debugging by:

 

diagnose debug disable
diagnose debug reset

 

Additional Info:

(iii)    Host addr - IP address.

(iv)    Host saddr – Source IP address.
(v)    Host daddr – Destination IP address.

 

When doing the address (IP address, Source IP address, Destination IP Address) filter:

  1. The first address (ip1/from) is SMALLER than the second address (ip2/to), the IP address between this range is selected.

diag debug flow filter addr 1.1.1.1 2.2.2.2

diag debug flow filter
vf: any
proto: any
host addr: 1.1.1.1-2.2.2.2
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any

 

  • The first address (ip1/from) is BIGGER than the second address (ip2/to), the IP address between this range is NOT selected. 


    diag debug flow filter addr 2.2.2.2 1.1.1.1

    diag debug flow filter
    vf: any
    proto: any
    host addr: not in 1.1.1.1-2.2.2.2
    Host saddr: any
    Host daddr: any
    port: any
    sport: any
    dport: any

It only affects the address filter, and not the port filter. When putting the port filter first, if the port is larger than the second port, it will give the error 'not allowed'.


diag debug flow filter sport 80 22
wrong input
Command fail. Return code -61

 

Related article:

Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...