|
The old 'diagnose debug application ipsmonitor -1' command is obsolete (used for the versions prior to 6.4) and does not show useful data.
Do not use it unless specifically requested.
Run the following command instead to debug IPSengine in FortiOS v6.4 or above:
diagnose ips debug enable ?
init init
packet packet
packet_detail packet_detail
error error
warn warn
parse parse
detect detect
session session
log log
timeout timeout
dissector dissector
tcp tcp
http http
mail mail
rpc rpc
dns dns
im im
p2p p2p
ssh ssh
ssl ssl
voip voip
smb smb
content content
urlfilter urlfilter
av av
mime mime
content_detail content_detail
ipsa ipsa
proxy proxy
packet_dump packet_dump
state state
dac dac
sctp sctp
quic quic
all all
Select the appropriate categories to filter the outputs, or select 'All'
example:
diagnose ips debug enable ssl
diagnose ips debug enable dissector
diagnose debug console timestamp enable
diagnose debug enable
To verify which debug parameters are enabled, run the command below:
diagnose ips debug status show
If all parameters are enabled, the output will be shown as below (depending on how many IPS Engine counters are running on the device, 8 of the IPS engines are running on the device in the example).
IPS Engine <00333> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00497> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00498> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00499> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00500> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00501> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00502> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00503> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
If only one parameter is enabled, the output will be shown as below:
diagnose ips debug enable ssl
diagnose ips debug status show
IPS Engine <00333> Enabled debug actions: ssl
IPS Engine <00497> Enabled debug actions: ssl
IPS Engine <00498> Enabled debug actions: ssl
IPS Engine <00499> Enabled debug actions: ssl
IPS Engine <00500> Enabled debug actions: ssl
IPS Engine <00501> Enabled debug actions: ssl
IPS Engine <00502> Enabled debug actions: ssl
IPS Engine <00503> Enabled debug actions: ssl
In the case of the production environment, run this debug only during low traffic hours, especially if 'ALL' is used, due to CPU usage impact.
IPS Engine debug commands might generate too many logs depending on the inspected session counters. It is highly recommended to enable the debug commands with filters.
To filter the traffic, use the command below:
diagnose ips filter set
bpf filter bpf filter
This filter is a Berkeley filter which allows to use of many parameters such as source, destination, and TCP/UDP ports.
Example 1:
Filter the traffic from source IP 1.1.1.1 and TCP port 443:
diagnose ips filter set 'src 1.1.1.1 and tcp port 443'
Verify the filter with the following command:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "host 1.1.1.1 and tcp port 443"
process id: 0
Example 2:
To filter the traffic from source IP 192.168.10.10 and destination IP 8.8.8.8 and port UDP 5060.
diagnose ips filter set 'src 192.168.10.10 and dst 8.8.8.8 and udp port 5060'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "src 192.168.10.10 and dst 8.8.8.8 and udp port 5060"
process id: 0
Example 3:
To capture the IP debug log for the two-way communication between the source IP and the destination IP, use the following filter:
diagnose ips filter set 'host 192.168.10.10 and host 8.8.8.8'
Verify the filter with the following command:
diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "host 192.168.10.10 and host 8.8.8.8"
process id: 0
To capture IPS debug using a virtual IP as the destination, use the mapped IP/ports as a filter instead of the external IP/ports, or else there will be no output.
To stop debugging:
diagnose debug disable
diagnose ips debug disable all
diagnose ips filter clear
Note: For IPS related issue, the IPS Engine version with the command:
diagnose autoupdate versions | grep -A6 "IPS Attack Engine"
Related article:
Troubleshooting Tip: Collecting IPS engine related debugs
|
