FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ppatel
Staff
Description

This article describes how to run the IPS engine debug on firmware 6.4 and later.

Scope

FortiGate v6.4.

FortiGate v7.0.

Solution

The old 'diag debug application ipsmonitor -1' command is now obsolete and no longer shows useful data.

Do not use it unless specifically requested.

 

Here is how to debug the IPS engine in 6.4 or later:

 

# diag ips debug enable ?
    init              init
    packet            packet
    packet_detail     packet_detail
    ************      *****
    all               all

 

Select the appropriate categories to filter the output, or select 'all'.

Example:

# diagnose ips debug enable ssl
# diagnose ips debug enable dissector
# diagnose debug enable

In a production environment, run this debug only during low-traffic hours, especially if 'all' is used, because of its CPU impact.

 

To reduce the amount of output, set a source filter on the IPS engine so that only traffic from one particular source IP is logged:

 

# diag ips filter set 'src 192.168.2.1'

 

Verify that the filter is applied with the command below; the output should show the configured source filter:

 

# diag ips filter status
DEBUG FILTER:
debug level: 0
filter: "src 192.168.2.1"
process id: 0
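When the same debug session is repeated on many units, it is easy to enable a CPU-heavy debug against the wrong source. The following added example (not part of the article or of FortiOS) parses the 'diag ips filter status' output shown above and confirms that the active filter matches the intended source address before 'diagnose debug enable' is issued. It assumes the output format is exactly the one printed above; the sample text is constructed from that output.

```python
import ipaddress
import re

# Constructed sample: the 'diag ips filter status' output as shown in the article.
SAMPLE_STATUS = """DEBUG FILTER:
debug level: 0
filter: "src 192.168.2.1"
process id: 0
"""


def parse_filter_status(output: str) -> dict:
    """Parse the 'key: value' lines of 'diag ips filter status' into a dict.

    Keys are lower-cased, surrounding quotes on the filter string are removed,
    and the 'DEBUG FILTER:' header (which carries no value) is skipped.
    """
    fields = {}
    for line in output.splitlines():
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not key or not value:
            continue  # header line or blank line
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key.strip().lower()] = value
    return fields


def filter_source(fields: dict):
    """Return the address of a 'src <ip>' filter, or None when no source filter is set.

    Raises ValueError if the filter names something that is not an IP address,
    which is the case worth catching before a long debug run starts.
    """
    expr = fields.get("filter", "")
    match = re.fullmatch(r"src\s+(\S+)", expr)
    if not match:
        return None
    return ipaddress.ip_address(match.group(1))


def filter_matches(output: str, expected_src: str) -> bool:
    """True only if the status output shows a source filter equal to expected_src."""
    src = filter_source(parse_filter_status(output))
    return src is not None and src == ipaddress.ip_address(expected_src)


if __name__ == "__main__":
    # Gate the debug on the filter check: proceed only when the expected source is active.
    if filter_matches(SAMPLE_STATUS, "192.168.2.1"):
        print("source filter verified, safe to run 'diagnose debug enable'")
    else:
        print("filter missing or wrong, do not enable debug")
```

Feed the function the text captured from the unit (for example from an SSH session) in place of the constructed sample; a result of False means the filter was not set or points at a different host, and the debug should not be enabled yet.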