ppatel
Staff
Article Id 208018
Description

This article describes how to run IPS engine debug in v6.4 and later.

Scope

FortiGate v6.4, v7.0.

Solution

The old 'diag debug application ipsmonitor -1' command is now obsolete and no longer shows useful data.

Do not use it unless specifically requested.

Here is how to debug the IPS engine in 6.4 or later. First list the available debug categories:

 

diag ips debug enable ?
init init
packet packet
packet_detail packet_detail
error error
warn warn
parse parse
detect detect
session session
log log
timeout timeout
dissector dissector
tcp tcp
http http
mail mail
rpc rpc
dns dns
im im
p2p p2p
ssh ssh
ssl ssl
voip voip
smb smb
content content
urlfilter urlfilter
av av
mime mime
content_detail content_detail
ipsa ipsa
proxy proxy
packet_dump packet_dump
state state
dac dac
sctp sctp
quic quic
all all

 

Select the appropriate categories to filter the output, or select 'all'.

Example:

 

diagnose ips debug enable ssl

diagnose ips debug enable dissector

diagnose debug enable

 

To verify which debug parameters are enabled, run the command below:

 

diagnose ips debug status show


If all parameters are enabled, the output looks like the example below. One line is printed per running IPS engine process, so the number of lines depends on how many IPS engines are running on the device (eight in this example):

IPS Engine <00333> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00497> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00498> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00499> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00500> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00501> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00502> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00503> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic

 

If only one parameter is enabled, the output looks like this:

 

diagnose ips debug enable ssl

diagnose ips debug status show


IPS Engine <00333> Enabled debug actions: ssl
IPS Engine <00497> Enabled debug actions: ssl
IPS Engine <00498> Enabled debug actions: ssl
IPS Engine <00499> Enabled debug actions: ssl
IPS Engine <00500> Enabled debug actions: ssl
IPS Engine <00501> Enabled debug actions: ssl
IPS Engine <00502> Enabled debug actions: ssl
IPS Engine <00503> Enabled debug actions: ssl

 

In a production environment, run this debug only during low-traffic hours, especially if 'all' is used, because of the CPU usage impact.

IPS engine debug commands might generate a very large amount of output, depending on the number of inspected sessions. It is highly recommended to enable the debug commands together with a filter.

 

To filter the traffic that is debugged, use the command below:

 

diagnose ips filter set
bpf filter bpf filter

 

This filter uses Berkeley Packet Filter (BPF) syntax, which allows many parameters such as source address, destination address, and TCP/UDP ports.

 

Example 1:

 

To filter the traffic from source IP 1.1.1.1 and TCP port 443:

 

diagnose ips filter set 'src 1.1.1.1 and tcp port 443'

 

Verify the filter with the command below:

 

diagnose ips filter status

DEBUG FILTER:
debug level: 17179868671
filter: "host 1.1.1.1 and tcp port 443"
process id: 0

 

Example 2:

To filter the traffic from source IP 192.168.10.10 to destination IP 8.8.8.8 on UDP port 5060:

 

diagnose ips filter set 'src 192.168.10.10 and dst 8.8.8.8 and udp port 5060'

 

Verify the filter with the command below:

 

diagnose ips filter status
DEBUG FILTER:
debug level: 17179868671
filter: "src 192.168.10.10 and dst 8.8.8.8 and udp port 5060"
process id: 0
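The two verification steps above (checking which debug actions are enabled and checking the active BPF filter) can be automated when the CLI output is saved to a file. The following script is an added example, not Fortinet code: it parses the output of 'diagnose ips debug status show' and 'diagnose ips filter status' as shown on this page and reports conditions worth fixing before 'diagnose debug enable' is run on a busy device. The set of high-volume actions is an assumption based on the option names.

```python
import re

ENGINE_RE = re.compile(r"^IPS Engine <(\d+)> Enabled debug actions:\s*(.*)$")
FILTER_RE = re.compile(r'^filter:\s*"(.*)"$')

# Actions assumed to emit the most output per inspected packet/session
# (assumption drawn from the option names in 'diagnose ips debug enable ?').
HEAVY = {"packet", "packet_detail", "packet_dump", "content_detail"}

def parse_debug_status(text):
    """Map engine id -> set of enabled actions from 'diagnose ips debug status show'."""
    engines = {}
    for line in text.splitlines():
        m = ENGINE_RE.match(line.strip())
        if m:
            engines[m.group(1)] = set(m.group(2).split())
    return engines

def parse_filter_status(text):
    """Return the active BPF string from 'diagnose ips filter status' ('' if none)."""
    for line in text.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            return m.group(1)
    return ""

def review(debug_status, filter_status, requested_filter=None):
    """Return findings to resolve before running 'diagnose debug enable'."""
    engines = parse_debug_status(debug_status)
    active = parse_filter_status(filter_status)
    if not engines:
        return ["no IPS engine reports an enabled debug action"]
    findings = []
    if len({frozenset(a) for a in engines.values()}) > 1:
        findings.append("engines report different debug action sets")
    heavy = sorted(set().union(*engines.values()) & HEAVY)
    if heavy and not active:
        findings.append("high-volume actions %s enabled with no BPF filter" % heavy)
    if requested_filter is not None and active != requested_filter:
        findings.append("active filter %r differs from requested %r" % (active, requested_filter))
    return findings

# Constructed sample output, copied from the examples in this article.
SAMPLE_STATUS = """IPS Engine <00333> Enabled debug actions: ssl
IPS Engine <00497> Enabled debug actions: ssl
"""
SAMPLE_FILTER = """DEBUG FILTER:
debug level: 17179868671
filter: "host 1.1.1.1 and tcp port 443"
process id: 0
"""
```

Calling review(SAMPLE_STATUS, SAMPLE_FILTER, 'src 1.1.1.1 and tcp port 443') reports that the active filter string differs from the one requested, which is exactly the kind of difference the 'diagnose ips filter status' check is meant to catch.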

 

Related article:

Troubleshooting Tips: Collecting IPS engine related debugs