Created on 11-28-2018 01:35 AM Edited on 08-22-2024 08:08 AM By Stephen_G
Description
This article describes the 'diagnose wad debug' command and provides usage examples.
Solution
To debug traffic proxied through the FortiGate, a WAD-related diagnose command has been added to FortiOS 5.6. The main purpose of this command is to get detailed info on client/server traffic that is controlled by the WAD processes.
The 'diagnose wad debug' command has the following main options:
diagnose wad debug ?
enable <- Enable debug setting.
disable <- Disable debug setting.
show <- Show debug setting.
clear <- Clear debug setting.
display <- Display setting.
save-http-req-crash <- Save HTTP request when WAD worker crashes.
By default, the 'diagnose wad debug' command troubleshooting options are set to the following values:
diagnose wad debug show
Category: not set <- There is no category set.
Level: info <- The debugging level is set to informational.
Display: pid disabled <- The PID display option is disabled.
Note: In order to start capturing WAD related data, the category option must be set to something other than 'not set'.
To change the category, use 'diag wad debug enable category ?'. The following options are available:
diagnose wad debug enable category ?
session <- session.
packet <- packet.
dispatcher <- dispatcher.
http <- http.
cifs <- cifs.
mapi <- mapi.
socks <- socks.
ftp <- ftp.
icap <- icap.
ssl <- ssl.
webcache <- webcache.
bytecache <- byte cache.
policy <- policy matching.
auth <- authentication.
scan <- UTM scan.
tunnel <- wanopt tunnel.
sys <- sys.
video <- cache video.
waf <- waf.
memblk <- memory block.
all <- all categories.
To change the debug information level, use 'diag wad debug enable level ?'.
diagnose wad debug enable level ?
error <- error.
warn <- warning.
info <- information.
verbose <- verbose.
To display WAD Process ID information, use the 'diag wad debug display pid ?' command.
diagnose wad debug display pid ?
enable/disable <- Enable/disable PID display.
To start capturing data, select a category (e.g. http), then enable debugging using 'diagnose debug enable'.
diagnose wad debug enable category http
diagnose debug enable
The console output will look like the following.
wad_http_session_make(30455): make ok session=0x2a9a19d848 server=(nil) detect 10
wad_http_stream_get_line(976): http stream no line br_len = 225 i = 38 state 7
wad_http_request_reader_run(100): http reader 0x7fbffffab0 begin state=2
wad_http_request_reader_run(305): HTTP request method=4/7 version=3/8/0 uri=19/0
bypass req(0x2a9a1ab508) caller(wad_http_init_req_status)@7908
wad_http_stream_get_line(976): http stream no line br_len = 187 i = 27 state 7
wad_http_stream_get_line(976): http stream no line br_len = 160 i = 30 state 7
wad_http_stream_get_line(976): http stream no line br_len = 130 i = 130 state 9
[0x2a9a1ab508] Received request from client: 10.218.5.195:49582
...
To stop capturing data, use 'diagnose debug disable'. Because debug output is generated for every connection handled by WAD, do not leave it enabled on a busy unit longer than needed; to remove the category setting afterwards, use 'diagnose wad debug clear'.
To display the WAD process ID that is processing the data, enable the process ID display option.
diagnose wad debug display pid enable
To start capturing data, enable debugging again using 'diagnose debug enable'.
The console output then looks like the following.
913-wad_http_session_make(30455): make ok session=0x2a9a19d848 server=(nil) detect 10
913-wad_http_stream_get_line(976): http stream no line br_len = 225 i = 38 state 7
913-wad_http_request_reader_run(100): http reader 0x7fbffffab0 begin state=2
913-wad_http_request_reader_run(305): HTTP request method=4/7 version=3/8/0 uri=19/0
913-bypass req(0x2a9a1ab508) caller(wad_http_init_req_status)@7908
913-wad_http_stream_get_line(976): http stream no line br_len = 187 i = 27 state 7
913-wad_http_stream_get_line(976): http stream no line br_len = 160 i = 30 state 7
913-wad_http_stream_get_line(976): http stream no line br_len = 130 i = 130 state 9
[0x2a9a1ab508] Received request from client: 10.218.5.195:49582
...
In the data capture above, the WAD PID (here 913) is now displayed in front of each line, so lines can be attributed to the worker process that produced them.
In large environments, WAD debug output covers many connections at once, which makes the relevant lines hard to find. The output can be filtered with 'diagnose wad filter':
diagnose wad filter ?
list <- Display current filter.
clear <- Erase current filter settings.
src <- Source address range to filter by.
dst <- Destination address range to filter by.
sport <- Source port range to filter by.
dport <- Destination port range to filter by.
vd <- Virtual Domain Name.
explicit-policy <- Index of explicit-policy. -1 matches all.
firewall-policy <- Index of firewall-policy. -1 matches all.
drop-unknown-session <- Enable drop message unknown sessions.
negate <- Negate the specified filter parameter.
protocol <- Select protocols to filter by.
Filtering on a source IP, for example, limits the debug output (traffic, authentication and so on) to sessions to or from that IP.
Note:
Even in single-VDOM environments, a VDOM must be specified for the WAD filter, and it must be set before any other filter parameter.
For example, set the VDOM first and then the policy:
diagnose wad filter vd root
diagnose wad filter firewall-policy 1
The following error appears if only the policy is specified without a VDOM:
diagnose wad filter firewall-policy 1
Vdom is not set.
Command fail. Return code -160
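When a capture has already been taken without a filter, the same narrowing can be done offline. The following is an added example, not part of this article or of FortiOS: a small Python parser for the WAD debug output format shown above (optional 'PID-' prefix, '[0x...]' or 'req(0x...)' request handles, 'Received request from client: IP:port' lines). It maps request handles to the client that issued them and returns only the lines belonging to one client IP, which is what 'diagnose wad filter src' does on the unit. The sample output is constructed from the line shapes in this article and is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines shown in this article; not a real capture.
SAMPLE_OUTPUT = """\
913-wad_http_session_make(30455): make ok session=0x2a9a19d848 server=(nil) detect 10
913-wad_http_request_reader_run(305): HTTP request method=4/7 version=3/8/0 uri=19/0
913-bypass req(0x2a9a1ab508) caller(wad_http_init_req_status)@7908
913-[0x2a9a1ab508] Received request from client: 10.218.5.195:49582
914-wad_http_session_make(30455): make ok session=0x2a9a19e0c0 server=(nil) detect 10
914-bypass req(0x2a9a1ac1f0) caller(wad_http_init_req_status)@7908
914-[0x2a9a1ac1f0] Received request from client: 10.218.5.77:51020
wad_http_stream_get_line(976): http stream no line br_len = 130 i = 130 state 9
"""

# The "913-" prefix is only present when 'diagnose wad debug display pid enable' is set.
PID_RE = re.compile(r"^(?P<pid>\d+)-(?P<msg>.*)$")
# The request handle appears either as "[0x...]" or as "req(0x...)" in the lines shown.
REQ_RE = re.compile(r"\[(0x[0-9a-f]+)\]|req\((0x[0-9a-f]+)\)")
CLIENT_RE = re.compile(r"Received request from client: (\d+\.\d+\.\d+\.\d+):(\d+)")


def parse_line(line):
    """Split one debug line into pid (or None), request handle (or None), client, message."""
    m = PID_RE.match(line)
    pid, msg = (int(m.group("pid")), m.group("msg")) if m else (None, line)
    r = REQ_RE.search(msg)
    req = (r.group(1) or r.group(2)) if r else None
    c = CLIENT_RE.search(msg)
    client = (c.group(1), int(c.group(2))) if c else None
    return {"pid": pid, "req": req, "client": client, "msg": msg}


def parse_output(text):
    """Parse a whole capture, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def worker_pids(text):
    """Set of WAD worker PIDs seen in the capture (empty if PID display was off)."""
    return {e["pid"] for e in parse_output(text) if e["pid"] is not None}


def requests_by_client(text):
    """Map client IP -> set of request handles, using 'Received request from client' lines."""
    out = defaultdict(set)
    for e in parse_output(text):
        if e["client"] and e["req"]:
            out[e["client"][0]].add(e["req"])
    return dict(out)


def lines_for_client(text, ip):
    """All lines tied via their request handle to one client IP (offline 'wad filter src')."""
    handles = requests_by_client(text).get(ip, set())
    return [e for e in parse_output(text) if e["req"] in handles]


if __name__ == "__main__":
    print("workers:", sorted(worker_pids(SAMPLE_OUTPUT)))
    for e in lines_for_client(SAMPLE_OUTPUT, "10.218.5.195"):
        print(e["pid"], e["msg"])
```

Lines that carry no request handle (session setup, stream reads) are not attributed to any client by this parser; on the unit, 'diagnose wad filter src' is still the better tool because it suppresses them at the source rather than after the fact.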