When I'm in trouble I use the diagnose mode all the time, but the issue I'm having now is that the old commands don't work:
diag debug flow filter addr 1.1.1.1
diag debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable
There's no mention of the message that appears in the browser saying that the site has been blocked by the firewall, so it makes it very difficult to find the origin of the policy that restricted that user when there are multiple blocks and web profiles. Does anyone know the proper CLI syntax to get this information? I've been searching a lot in the forums but haven't been able to find anything.
Regards,
Joan
The syntax above is correct, but did you enable the debug?
diag debug enable
PCNSE
NSE
StrongSwan
Yes, it's the last of the lines I pasted. Just to double check, I changed the order of the commands and the result is the same: I see the rules that affect the traffic flow, but I don't see anything related to the web filtering.
Any idea what it would look like?
So you have a match to the fw-policy? Does it have a URL filter attached? And are you expecting it to block or pass?
I believe there's a diag debug app < something for url/web filter> command, but I'm not in the office at this time. You might want to search the diag debug app options.
Ken
PCNSE
NSE
StrongSwan
aseques wrote: Did you do a diag debug flow filter addr 1.1.1.1
diag debug flow filter clear before? :D
diag debug reset
Sure, it's clean (I'm testing with test.com domain ip=69.172.200.235)
# diagnose debug flow filter
vf: any
proto: any
host addr: 69.172.200.235-69.172.200.235
Host saddr: any
Host daddr: any
port: any
sport: any
dport: any
I get the attached output (anonymized), with one of the lines probably being the redirection to the error page:
vd-root received a packet(proto=6, 10.1.1.10:52311->69.172.200.235:8008)
But still it doesn't mention anything about the captive portal
Hello!
I think that is because the antivirus, proxy, web filter or captive portal are considered by FortiGate as applications, which means they work at a different layer than diagnose debug flow.
If you enable it, you can see web filter blocks in the Log section.
Hope this helps
From the logfw.txt debug file (flow debug), there is one new session allocated which is allowed by policy 4 ("msg="Allowed by Policy-4: AV SNAT").
Policies are only inspected before traffic is offloaded onto the NP ASIC. If you want to see the policy ID in the debug output just make sure you kill all sessions before, or wait until timed out.
ede_pfau wrote:
The message I see in the browser is telling me that my connection was blocked, but in the firewall the traffic is allowed by a policy (might be sending it to the web filter engine?)
From the logfw.txt debug file (flow debug), there is one new session allocated which is allowed by policy 4 ("msg="Allowed by Policy-4: AV SNAT").
Policies are only inspected before traffic is offloaded onto the NP ASIC. If you want to see the policy ID in the debug output just make sure you kill all sessions before, or wait until timed out.
So I don't get much info from the logs
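The two replies above make the same point from different angles: the flow debug only shows the policy that accepted the session ("Allowed by Policy-4"), while the actual web-filter verdict, the profile that produced it and the blocked hostname are only written to the UTM webfilter log. The script below is an added example (not code from the thread or from Fortinet) that parses FortiOS key=value syslog lines and joins each webfilter block to its traffic-log session by sessionid, so the answer comes out as "policy X with profile Y blocked host Z for client W". The log lines are constructed for the example, and the exact field set (type, subtype, sessionid, policyid, profile, action, hostname, msg, catdesc) is an assumption; field names vary between FortiOS releases, so check them against a real export before relying on this.

```python
import re

# Constructed sample lines, not taken from the thread. The field names follow the
# FortiOS key=value syslog layout; which fields appear is release-dependent, so the
# set used here is an assumption for the example.
SAMPLE_LOG = """\
date=2024-05-06 time=10:15:02 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.10 srcport=52311 dstip=69.172.200.235 dstport=80 proto=6 service="HTTP" sessionid=4411 policyid=4 policyname="AV SNAT" action="accept" utmaction="block"
date=2024-05-06 time=10:15:02 logid="0316013056" type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" srcip=10.1.1.10 srcport=52311 dstip=69.172.200.235 dstport=80 proto=6 service="HTTP" sessionid=4411 policyid=4 profile="student-wf" action="blocked" hostname="test.com" url="/" msg="URL belongs to a denied category in policy" cat=41 catdesc="Search Engines and Portals"
date=2024-05-06 time=10:16:40 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.1.20 srcport=40001 dstip=93.184.216.34 dstport=443 proto=6 service="HTTPS" sessionid=4412 policyid=7 policyname="Staff out" action="accept" utmaction="allow"
"""

# key=value pairs; values are either a double-quoted string (may contain spaces
# and escaped quotes) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one FortiOS key=value log line into a dict, stripping the quotes."""
    rec = {}
    for key, val in KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        rec[key] = val
    return rec


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def webfilter_blocks(records, srcip=None):
    """UTM webfilter entries whose verdict was a block, optionally for one client IP."""
    hits = []
    for r in records:
        if r.get("type") != "utm" or r.get("subtype") != "webfilter":
            continue
        if r.get("action") != "blocked":
            continue
        if srcip is not None and r.get("srcip") != srcip:
            continue
        hits.append(r)
    return hits


def explain_blocks(records, srcip):
    """Join each webfilter block to its traffic-log session via sessionid.

    The traffic entry carries the policy name that accepted the session (what the
    flow debug shows); the UTM entry carries the profile and hostname that produced
    the block page (what the flow debug never shows). Together they answer the
    question asked in the thread.
    """
    sessions = {
        r["sessionid"]: r
        for r in records
        if r.get("type") == "traffic" and "sessionid" in r
    }
    out = []
    for b in webfilter_blocks(records, srcip):
        t = sessions.get(b.get("sessionid"), {})
        out.append({
            "sessionid": b.get("sessionid"),
            "policyid": b.get("policyid"),
            "policyname": t.get("policyname", "?"),
            "profile": b.get("profile"),
            "hostname": b.get("hostname"),
            "category": b.get("catdesc"),
            "msg": b.get("msg"),
        })
    return out


if __name__ == "__main__":
    for hit in explain_blocks(parse_log(SAMPLE_LOG), "10.1.1.10"):
        print(hit)
```

Feed it a real export (for example, the output of `execute log display` after filtering on the client address, or the syslog stream) instead of SAMPLE_LOG; a client that only ever appears in traffic entries with no matching webfilter entry was not blocked by the web filter, which narrows the search to the other UTM profiles on the same policy.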
Copyright 2024 Fortinet, Inc. All Rights Reserved.