Can "diagnose debug application" Be Filtered

RRatBB · ‎02-06-2025

I am trying to debug some ssl-vpn connection stuff. If I run "diag debug application sslvpn -1" it generates a lot of debug lines. Downloading the output and filtering through it to find what I need is not fun.

Is there a way to filter this by the source IP of the remote VPN client? Or by some sort of VPN session ID? Or something so that I can focus on troubleshooting a single user without having to wade through all the other connection data?

Dhruvin_patel · ‎02-06-2025

Greetings!

Yes there is a way to filter with public IP source address.

diagnose vpn ssl debug-filter src-addr4 x.x.x.x -------> public IP of the endpoint
diagnose debug application sslvpn -1
diagnose debug enable

If you wish to clear the filter, use this command, diagnose vpn ssl debug-filter clear

ref: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

Regards!

Dhruvin Patel

View solution in original post

AEK · ‎02-06-2025

Yes you can with this command.

diagnose vpn ssl debug-filter ...

Full info here:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-SSL-VPN-Troubleshooting/ta-p/189542

Hope it helps.

AEK