- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Unable to see policy deny message when running deb...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to see policy deny message when running debug flow check, fortiOS 7.0
Hey Guys,
I have been testing this debug command for a while.
I have setup a firewall security policy to deny "gmail" traffic from inside to outside (all services deny), I have tested via cmd (tired to ping the gmail FQDN or ip address, confirmed it got blocked)
The issue I have is I couldn't see any denied message from debug flow logs, the command I run is in below:
diagnose debug flow filter addr 142.250.70.197
diagnose debug flow filter proto 1
diagnose debug flow show function-name enabled
diagnose debug flow show ipprobe enabled
diagnose debug flow trace start 100
diagnose debug flow enabled
This is output from those commands.
abc-101f-fw01 # id=20085 trace_id=622 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 192.168.253.69:1->142.250.70.197:2048) from vlan_si. type=8, code=0, id=1, seq=98." id=20085 trace_id=622 func=init_ip_session_common line=5894 msg="allocate a new session-02b91e97" id=20085 trace_id=622 func=iprope_dnat_check line=5061 msg="in-[vlan_si], out-[]" id=20085 trace_id=622 func=iprope_dnat_tree_check line=830 msg="len=0" id=20085 trace_id=622 func=iprope_dnat_check line=5074 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000" id=20085 trace_id=622 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-27.33.116.97 via wan1" id=20085 trace_id=622 func=iprope_fwd_check line=781 msg="in-[vlan_si], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0" id=20085 trace_id=622 func=__iprope_tree6_check line=51 msg="gnum-100004, use addr/intf hash, len=3" id=20085 trace_id=622 func=__iprope_check_one_policy line=1941 msg="checked gnum-100004 policy-6, ret-matched, act-accept" id=20085 trace_id=622 func=__iprope_user_identity_check line=1761 msg="ret-matched" id=20085 trace_id=622 func=get_new_addr line=1176 msg="find SNAT: IP-27.33.116.98(from IPPOOL), port-60417" id=20085 trace_id=622 func=__iprope_check_one_policy line=2159 msg="policy-6 is matched, act-accept" id=20085 trace_id=622 func=iprope_fwd_auth_check line=832 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6" id=20085 trace_id=622 func=iprope_shaping_check line=921 msg="in-[vlan_si], out-[wan1], skb_flags-02000000, vid-0" id=20085 trace_id=622 func=__iprope_check line=2188 msg="15, chegnum-1000ck-ffffffbffc0294c8" id=20085 trace_id=622 func=__iprope_check_one_policy line=1941 msg="checked gnum-100015 policy-1, ret-no-match, act-accept" id=20085 trace_id=622 func=__iprope_check line=2207 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000" id=20085 trace_id=622 func=iprope_policy_group_check line=4500 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000" id=20085 trace_id=622 func=iprope_reverse_dnat_check line=1252 msg="in-[vlan_si], out-[wan1], skb_flags-02000000, vid-0" id=20085 trace_id=622 func=iprope_reverse_dnat_tree_check line=923 msg="len=0" id=20085 trace_id=622 func=iprope_central_nat_check line=1275 msg="in-[vlan_si], out-[wan1], skb_flags-02000000, vid-0" id=20085 trace_id=622 func=__iprope_check_one_policy line=1941 msg="checked gnum-10000d policy-1, ret-matched, act-accept" id=20085 trace_id=622 func=get_new_addr line=1176 msg="find DNAT: IP-27.33.116.98, port-60417" id=20085 trace_id=622 func=__iprope_check_one_policy line=2159 msg="policy-1 is matched, act-accept" id=20085 trace_id=622 func=fw_forward_handler line=819 msg="Allowed by Policy-6: SNAT" id=20085 trace_id=622 func=ids_receive line=298 msg="send to ips" id=20085 trace_id=623 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 192.168.253.69:1->142.250.70.197:2048) from vlan_si. type=8, code=0, id=1, seq=99." id=20085 trace_id=623 func=resolve_ip_tuple_fast line=5804 msg="Find an existing session, id-02b91e97, original direction" id=20085 trace_id=623 func=npu_handle_session44 line=1163 msg="Trying to offloading session from vlan_si to wan1, skb.npu_flag=00000000 ses.state=00013204 ses.npu_state=0x00001008" id=20085 trace_id=623 func=fw_forward_dirty_handler line=396 msg="state=00013204, state2=00000000, npu_state=00001008" id=20085 trace_id=624 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 192.168.253.69:1->142.250.70.197:2048) from vlan_si. type=8, code=0, id=1, seq=100." id=20085 trace_id=624 func=resolve_ip_tuple_fast line=5804 msg="Find an existing session, id-02b91e97, original direction" id=20085 trace_id=624 func=npu_handle_session44 line=1163 msg="Trying to offloading session from vlan_si to wan1, skb.npu_flag=00000000 ses.state=00013204 ses.npu_state=0x00001008" id=20085 trace_id=624 func=fw_forward_dirty_handler line=396 msg="state=00013204, state2=00000000, npu_state=00001008" id=20085 trace_id=625 func=print_pkt_detail line=5723 msg="vd-root:0 received a packet(proto=1, 192.168.253.69:1->142.250.70.197:2048) from vlan_si. type=8, code=0, id=1, seq=101." id=20085 trace_id=625 func=resolve_ip_tuple_fast line=5804 msg="Find an existing session, id-02b91e97, original direction" id=20085 trace_id=625 func=npu_handle_session44 line=1163 msg="Trying to offloading session from vlan_si to wan1, skb.npu_flag=00000000 ses.state=00013204 ses.npu_state=0x00001008" id=20085 trace_id=625 func=fw_forward_dirty_handler line=396 msg="state=00013204, state2=00000000, npu_state=00001008"
I just couldn't see any message re firewall policy deny, so it is really hard for me to troubleshoot traffics flow in production environment.
Any help will be greatly appreciated.
Thanks,
Bill
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bhuo wrote:Hey LiuKangming,
Thanks for reply, please see output below,
filters=[host 142.250.70.197] 3.716728 vlan_si in 192.168.253.69 -> 142.250.70.197: icmp: echo request 8.409288 vlan_si in 192.168.253.69 -> 142.250.70.197: icmp: echo request 13.403180 vlan_si in 192.168.253.69 -> 142.250.70.197: icmp: echo request 18.413922 vlan_si in 192.168.253.69 -> 142.250.70.197: icmp: echo request
Hi bhuo,
Maybe the NGFW mode you are running, this NGFW mode will perform APP/IPS detection by default, so the last result you see is "sent to ips" for processing. At this time, we can only observe the violation log to determine the packet loss. In my LAB environment, the situation is the same as yours.
id=20085 trace_id=622 func=fw_forward_handler line=819 msg="Allowed by Policy-6: SNAT" id=20085 trace_id=622 func=ids_receive line=298 msg="send to ips"
Thank you.
Thanks
Kangming
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Setting Up NAT64 to handle 64:ff9b::... 67 Views
- When connecting VPN from FortiClient getting... 178 Views
- SSLVPN login fails before 7AM EDT 139 Views
- FortiGate VM on XCP-NG 117 Views
- Firewall SSO for VPN with connection... 326 Views
Labels
-
FortiGate
6,533 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.