Customer Service Information and Announcements
vprabhu_FTNT
Staff
Article Id 216198
Description

This article describes how to run diagnostics on a firewall policy for specific traffic, filtered by source IP.

Scope FortiGate
Solution

Troubleshooting debugs can generate a large amount of output that is not pinpointed to the source address generating the traffic.

It is possible to filter on the source, or on a policy specific to that source, and then diagnose the issue further.

Let's assume a WAD debug has to be run for a particular source IP/policy.

By default, the policy that the traffic goes through matches whole subnets, so debugs on that policy show output from every host in those subnets.

Below are the steps to match the source IP to its own policy so that traffic from that source host can be analyzed further.

 

1) Create a new policy and place it above the general policy.

2) Add the IP of the source host generating the traffic as the source address of the policy.

3) If there is a specific destination, add the destination address/FQDN to the same policy.

4) The result is a policy identical to the generic one (same interfaces, action, schedule, service and inspection mode) but matching only the source host IP. It must sit above the generic policy that previously matched traffic from this host; FortiGate evaluates policies top-down and uses the first match, so a policy placed below the generic one would never be hit.


 

5) Then isolate whether the issue is with a UTM security profile (Antivirus, Web Filter, IPS, DNS Filter, etc.) by enabling one UTM feature at a time on the new policy and verifying that the traffic still works.

6) Once the UTM feature that breaks the traffic flow is identified, debug its process and also collect the logs of that security feature under Log & Report -> UTM logs -> the specific UTM log.
Filter the logs by source IP and download the output for further analysis.


 

7) Run the debugs for the particular policy as follows:


# diag wad filter vd root

# diag wad filter firewall-policy 2
# diag deb en
# diag wad debug enable all  <----- Not recommended without the filters above, as the output volume is very high.


Note:

WAD debug only covers traffic handled by the WAD (proxy) daemon, that is, policies set to proxy-based inspection mode; flow-mode traffic does not pass through WAD and will not appear in this debug.

The filters above limit the WAD debug output to the selected VDOM and policy.

Because the new policy matches only the specific source host IP, the debug output is effectively filtered to that host and is much smaller. Disable the debug and clear the WAD filter once the capture is complete, and remove the temporary policy afterwards so the host does not keep bypassing the generic policy.
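The complete procedure from the CLI, as an added example that is not part of the original article. All values are assumptions for illustration: VDOM "root", LAN interface "port2", WAN interface "port1", troubled host 10.1.1.50, existing generic policy ID 2, new debug policy ID 10, and the built-in "certificate-inspection" and "default" profiles. The example also narrows the WAD filter directly to the source IP with `diag wad filter src`, which the article does not use; verify command availability against the FortiOS release in use.

```fortios
# Added example, not from the original article. Assumed values: VDOM "root",
# port2 = LAN, port1 = WAN, host 10.1.1.50, generic policy 2, debug policy 10.

# Step 2: address object for the single source host (/32).
config firewall address
    edit "host-10.1.1.50"
        set subnet 10.1.1.50 255.255.255.255
    next
end

# Steps 1, 3, 4: debug policy with the same interfaces, action, schedule,
# service and (proxy) inspection mode as generic policy 2, but with srcaddr
# restricted to the host. Start with no security profiles.
config firewall policy
    edit 10
        set name "debug-host-10.1.1.50"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "host-10.1.1.50"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set nat enable
    next
    # Place it above the generic policy so it is matched first.
    move 10 before 2
end

# Step 5: enable one UTM profile at a time and re-test from 10.1.1.50.
config firewall policy
    edit 10
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
    next
end

# Step 7: WAD debug limited to the VDOM, the new policy and the source host.
diagnose wad filter clear
diagnose wad filter vd root
diagnose wad filter firewall-policy 10
diagnose wad filter src 10.1.1.50
diagnose wad filter list
diagnose debug console timestamp enable
diagnose debug enable
diagnose wad debug enable all

# ... reproduce the problem from 10.1.1.50, then stop and clean up.
diagnose debug disable
diagnose wad debug clear
diagnose wad filter clear
diagnose debug reset

# Remove the temporary policy and address once troubleshooting is finished.
config firewall policy
    delete 10
end
config firewall address
    delete "host-10.1.1.50"
end
```

Keep the debug window short: even with the filters in place, `diag wad debug enable all` is verbose, and leaving it running on a busy proxy-mode unit affects CPU and console responsiveness.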