Support Forum
sw2090
Honored Contributor

IKE Log filters are still ignored by the FortiGate

Hiho,


Unfortunately the FGTs seem to still ignore IKE debug log filters. No matter whether I set "diag vpn ike log-filter name ...", "diag vpn ike log filter name ...", "diag vpn ike filter name ..." or even all four, if I then switch on "diag application ike -1" followed by "diag debug enable", I still get the log output unfiltered even though there should be filters now. I can see them if I use the corresponding "list" option to print the filter list.

This is very annoying, as it makes IPsec debugging very hard once you have some more tunnels :(

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
lubyou
New Contributor

sw2090 wrote:

The last time I used it, it did not really work :(


I set: diag vpn ike log filter name "name-of-phase1"

and then started diag debug app ike -1


And in the output I still see a lot of lines that contain different p1 names. I wouldn't mind lines with no name, because e.g. the handshake of the proposals at the beginning of p1 doesn't have a name yet.

But I would like to be able to filter for all lines containing either no name or the given p1 name, and that did not work on my side.

Just tried again... does not work... diag debug app ike -1 seems not to care about that filter.


I agree, this would be very useful to have. Open a ticket with Fortinet, so they see that people actually want this.
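A post-processing workaround for the filter both posts describe (keep one phase1 name plus the nameless lines of the early exchange), as an added example that is neither part of this thread nor Fortinet's own tooling. It assumes the `ike <vdom>:<phase1-name>:<serial>:` line prefix of the IKE debug output and runs on a constructed sample capture.

```python
import re
from typing import Iterable, List, Optional

# Assumed shape of "diag debug app ike -1" lines (an assumption, not taken from the thread):
#   ike <vdom>:<phase1-name>:<serial>: <message>
#   ike <vdom>:<phase1-name>: <message>
#   ike <vdom>: <message>              <- no phase1 name yet (e.g. first proposal exchange)
IKE_LINE = re.compile(r"^ike\s+\d+:(?:(?P<name>[^:\s]+)(?::\d+)?:)?\s")


def tunnel_name(line: str) -> Optional[str]:
    """Phase1 name on an IKE debug line, '' if the line carries none,
    None if the line is not an IKE debug line at all."""
    m = IKE_LINE.match(line)
    if m is None:
        return None
    return m.group("name") or ""


def filter_ike_debug(lines: Iterable[str], name: str, keep_unnamed: bool = True) -> List[str]:
    """Keep lines for phase1 `name`; with keep_unnamed also keep lines that
    have no name yet (the early exchange). Lines that are not IKE debug
    lines are passed through unchanged so nothing is silently dropped."""
    kept = []
    for line in lines:
        n = tunnel_name(line)
        if n is None or n == name or (keep_unnamed and n == ""):
            kept.append(line)
    return kept


# Constructed sample output, not a real capture.
SAMPLE = """\
ike 0: comes 198.51.100.10:500->203.0.113.5:500,ifindex=7
ike 0: IKEv1 exchange=Identity Protection len=204
ike 0:HQ-VPN:42: responder: main mode get 1st message
ike 0:BRANCH-B:17: responder: main mode get 1st message
ike 0:HQ-VPN:42: negotiation result
ike 0:BRANCH-B: schedule auto-negotiate
ike 0:HQ-VPN: link is idle 5 198.51.100.10->203.0.113.5
""".splitlines()

if __name__ == "__main__":
    import sys
    # Usage: python ike_filter.py HQ-VPN  (defaults to HQ-VPN against the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else "HQ-VPN"
    print("\n".join(filter_ike_debug(SAMPLE, target)))
```

To use it on a real session, save the terminal output to a file and feed its lines to `filter_ike_debug` instead of `SAMPLE`.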

sw2090
Honored Contributor

I did just that a long time ago, and TAC then told me that's a known bug...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
lubyou
New Contributor

sw2090 wrote:

I did just that a long time ago, and TAC then told me that's a known bug...

Apparently, now it is "by design".

They should update the documentation to reflect the actual functionality or fix the filter.

I am afraid that if we, the customers, are not persistent, Fortinet will never address the things that we actually care about, but instead cram in another feature that only a minor subset of their customer base cares about.


citromkolbasz

Would be nice if this were fixed in 2021.
