Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aseques
Contributor

Cli method to show the firewall rule that blocks a site?

 

 When I'm in trouble I use all the time the diagnose mode, the issue I'm having now is that the old commands don't work:

diag debug flow filter addr 1.1.1.1
diag debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable

There's no mention of the message that appears on the browser reading that the site has ben blocked by the firewall, so it makes it very difficult to find the origin of the policy that restricted that user when there are multiple blocks and web profiles. Anyone know about a proper CLI syntax to get this information? I've been searching a lot in the forums but haven't been able to find anything.

 

Regards, 

 

Joan

9 REPLIES 9
emnoc
Esteemed Contributor III

The syntax above is correct but did you enable the debug ?

 

diag debug enable

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
aseques

Yes, it's the last of the lines I pasted, just to double check I changed the order of the commands and the result is the same, I see the rules that affect the traffic flow, but I don't see anythin related to the web filtering.

Any idea of how would it look like?

emnoc
Esteemed Contributor III

So you have a match to the fw-policy? Does it have a url filter attached? and are you expecting it to block or pass ?

 

I believe theirs a diag debug app < something for url/web flter> command but I'm not in the office at this time. You might want to search the diag debug app  options.

 

Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
gschmitt
Valued Contributor

aseques wrote:

diag debug flow filter addr 1.1.1.1

Did you do a
diag debug flow filter clear

diag debug reset

before? :D

aseques

Sure, it's clean (I'm testing with test.com domain ip=69.172.200.235)

# diagnose  debug flow filter  
       vf: any                                                                                                                               
       proto: any                                                                                                                            
       host addr: 69.172.200.235-69.172.200.235
       Host saddr: any
       Host daddr: any
       port: any
       sport: any
       dport: any

I get the attached output (anonymized) with one of the lines being probably the redirection to the error page 

vd-root received a packet(proto=6, 10.1.1.10:52311->69.172.200.235:8008)

But still it doesn't mention anything about the captive portal

 

Iescudero

Hello!

I Think that is because the antivirus, proxy, web filter or captive portal are considered by fortigate like applications, which means that works in a different layer than diagnose debug flow.

if you enable it, you can see web filter blocks in Log section.

 

Hope Helps

aseques

I have enabled the UTM logging for these rules, but both on the FAZ or the fortigate, the rule numbers aren't shown, so I can see what urls where blocked, but I can't see by which rule where they blocked (that's my main concern).

See the attached capture from fortianalyzer

ede_pfau

From the logfw.txt debug file (flow debug), there is one new session allocated which is allowed by policy 4 ("msg="Allowed by Policy-4: AV SNAT").

 

Policies are only inspected before traffic is offloaded onto the NP ASIC. If you want to see the policy ID in the debug output just make sure you kill all sessions before, or wait until timed out.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
aseques

ede_pfau wrote:

From the logfw.txt debug file (flow debug), there is one new session allocated which is allowed by policy 4 ("msg="Allowed by Policy-4: AV SNAT").

 

Policies are only inspected before traffic is offloaded onto the NP ASIC. If you want to see the policy ID in the debug output just make sure you kill all sessions before, or wait until timed out.

The message I see in the browser is telling me that my connection was blocked, but in the firewall the traffic is allowed by a policy (might be sending it to the web filter engine?)

So I don't get much info from the logs

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors