IKE Log filters are still ignored by the FortiGate
Unfortunately the FGTs seem to still ignore IKE debug log filters. No matter whether I set "diag vpn ike log-filter name ..." or "diag vpn ike log filter name ..." or "diag vpn ike filter name ..." or all four even, if I switch on "diag application ike -1" and then "diag debug enable" I still get the log output unfiltered, even though there should be filters now. I see them if I use the corresponding "list" option to output the corresponding filter list.
This is very annoying as it makes ipsec debugging very hard once you have some more tunnels :(
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I set: diag vpn ike log filter name "name-of-phase1"
and then started diag debug app ike -1
And in the output I still see a lot of lines that contain different p1 names. I wouldn't mind lines with no name because e.g. the handshake of the proposals at the beginning of p1 doesn't have a name yet.
But I would like to be able to filter for all lines containing either no name or the given p1 name, and that did not work on my side.
Just tried again... does not work... diag debug app ike -1 seems not to care about that filter.
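Until the on-box filter works, the semantics asked for above (keep lines for the given phase1 name plus lines that carry no name yet) can be applied on a workstation to a captured "diag debug app ike -1" session. This is an added example, not from the thread or from Fortinet; the line shape "ike <vdom>:<phase1-name>:<serial>: ..." versus "ike <vdom>: ..." for unnamed lines is an assumption, and the sample capture below is constructed.

```python
import re
from typing import List, Optional

# Assumed shape of FortiGate IKE debug lines (assumption, not from the thread):
#   "ike 0:<phase1-name>:<serial>: message"  -> tied to one gateway
#   "ike 0: message"                          -> no gateway matched yet
IKE_PREFIX = re.compile(r"^ike\s+\d+:(?:([^:\s]+):)?")


def phase1_name(line: str) -> Optional[str]:
    """Return the phase1 (gateway) name in an IKE debug line, or None if absent."""
    m = IKE_PREFIX.match(line)
    if not m:
        return None  # not an "ike" line (prompt, blank, etc.): treat as unnamed
    return m.group(1)


def keep_line(line: str, wanted: str) -> bool:
    """Keep lines for `wanted`, and lines with no name (e.g. the initial
    proposal exchange before the peer has been matched to a gateway)."""
    name = phase1_name(line)
    return name is None or name == wanted


def filter_ike_debug(lines: List[str], wanted: str) -> List[str]:
    """Apply keep_line() to a captured debug session, preserving order."""
    return [ln for ln in lines if keep_line(ln, wanted)]


# Constructed sample capture with two tunnels; addresses are documentation ranges.
SAMPLE = [
    "ike 0: comes 203.0.113.5:500->198.51.100.1:500,ifindex=7....",
    "ike 0:name-of-phase1:17: responder: main mode get 1st message...",
    "ike 0:other-tunnel:18: responder: main mode get 1st message...",
    "ike 0:name-of-phase1:17: DPD sent",
    "ike 0:other-tunnel: IPsec SA connect 7 198.51.100.1->203.0.113.9:0",
]

if __name__ == "__main__":
    for ln in filter_ike_debug(SAMPLE, "name-of-phase1"):
        print(ln)
```

Feed it the saved output of a terminal session instead of SAMPLE to reduce a busy multi-tunnel debug to the one gateway under investigation.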
I agree, this would be very useful to have. Open a ticket with Fortinet, so they see that people actually want this.
I did just that a long time ago, and TAC then told me that it's a known bug...
Apparently, now it is "by design".
They should update the documentation to reflect the actual functionality or fix the filter.
I am afraid that if we, the customers, are not persistent, Fortinet will never address the things that we actually care about, but instead cram in another feature that only a minor subset of their customer base cares about.