suthomas1
2020/08/06 02:24:22 (permalink)

diagnosis

Good day all,
 
We are seeing an issue where user traffic is not successful, and it goes through a FortiGate firewall.
To diagnose further, I used the diagnose debug flow CLI options to check, but with repeated attempts this does not show anything.
I then tried diagnose sniff packet, and then I was able to see the SYN packets for this traffic on the firewall.
 
But the problem is that, because the debug flow is not showing details, I am not able to check if it's a rule issue or something else on the firewall.
Is there a difference between the debug flow & debug sniff commands? How can I check the problem further on this FortiGate 500E with 6.1?
 
Please help.
#1


    localhost
    Re: diagnosis 2020/08/06 02:30:47 (permalink)
    If the SYN packet comes in on one interface but does not go out on any other interface, you are most likely missing a firewall policy.
     
    Is your diagnose debug flow syntax correct?
     
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD33882
    #2
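The check localhost describes above (a SYN that comes in on one interface and never goes out on another), as an added example that is not part of the original thread: Python that reads saved `diagnose sniffer packet` output and lists such flows. Assumptions: the capture was taken at verbosity 4 with relative timestamps in the line layout shown in the constructed sample, there is no NAT on the path, and the function name `syns_without_egress` is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout assumed for `diagnose sniffer packet any '<filter>' 4`
# (relative timestamp, interface, direction, src.port -> dst.port: flags).
# Interface names and addresses are made up for this example.
SAMPLE = """\
1.204117 port1 in 10.1.1.50.51512 -> 192.0.2.10.443: syn 3311042
1.204390 port2 out 10.1.1.50.51512 -> 192.0.2.10.443: syn 3311042
1.230551 port2 in 192.0.2.10.443 -> 10.1.1.50.51512: syn 7700913 ack 3311043
2.310004 port1 in 10.1.1.60.40222 -> 198.51.100.7.8443: syn 9912004
5.310871 port1 in 10.1.1.60.40222 -> 198.51.100.7.8443: syn 9912004
"""

# Matches pure SYNs only; a SYN-ACK has "ack <n>" after the sequence number.
SYN_LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<ifc>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+syn\s+\d+\s*$"
)

def syns_without_egress(text):
    """Map each flow whose SYN was seen 'in' but never 'out' to
    (ingress interfaces, number of SYNs seen inbound).

    Assumption: no NAT on the path, so the 4-tuple is identical on both sides.
    """
    ingress, syn_count, egress = defaultdict(set), Counter(), set()
    for line in text.splitlines():
        m = SYN_LINE.match(line)
        if not m:
            continue  # SYN-ACKs, data packets, banner lines
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if m["dir"] == "in":
            ingress[flow].add(m["ifc"])
            syn_count[flow] += 1
        else:
            egress.add(flow)
    return {f: (sorted(ingress[f]), syn_count[f]) for f in ingress if f not in egress}

if __name__ == "__main__":
    for (src, sport, dst, dport), (ifcs, n) in syns_without_egress(SAMPLE).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {n} SYN(s) in on {', '.join(ifcs)}, none out")
```

A flow listed with more than one inbound SYN is the client retransmitting, which fits the missing-policy case described in the post above.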
    suthomas1
    Re: diagnosis 2020/08/06 05:58:54 (permalink)
    Yes, the syntax is correct; I wrote it again from the site.
    It is surprising that diagnose sniffer shows some packets but the full flow filter command does not.
     
    Any other way to troubleshoot this issue further?
    #3
    localhost
    Re: diagnosis 2020/08/06 06:06:35 (permalink)
    The debug flow command does not show anything at all?
     
    Even if you do something like this:
     
    diagnose debug reset
    diagnose debug flow filter clear
    diagnose debug flow filter proto 1
    diagnose debug flow trace start 100
    diagnose debug enable

     
    If this gives you some output, your filter settings are probably wrong.
     
    Are you using VDOMs, and are you in the right VDOM while running the debug commands?
    #4
    suthomas1
    Re: diagnosis 2020/08/06 06:18:26 (permalink)
    Yes, it's the right VDOM and the settings are correct.
    The same filter shows output when I change the address to some other traffic.
    #5
    localhost
    Re: diagnosis 2020/08/07 06:07:12 (permalink)
    If diagnose debug flow is generally working, I would try different filters (set only saddr, daddr, ports, etc.).
     
    You could also try to temporarily enable logging of the implicit deny policy.
    https://www.cascadedefense.com/log-your-denied-traffic-a-simple-step-for-added-network-visibility/
    And check the logs.
     
    Without seeing more detailed CLI output, I cannot tell you why 'diagnose debug flow' in your case is not showing any output.
    #6
    poundy
    Re: diagnosis 2020/08/12 15:29:58 (permalink)
    Agree with localhost - show us the CLI statements you're actually using, and (a sample of) what they produce. You're asking us to help debug, but we have nowhere near enough info compared to if we were at the keyboard ourselves.
    #7