Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
suthomas1
New Contributor

diagnosis

Good day all,

We are seeing an issue where the user traffic is not being successful, and it is going through a FortiGate firewall.

To diagnose further, I used the diagnose debug flow CLI options to check, but with repeated attempts this does not show anything.

I then tried with diagnose sniffer packet, and then I was able to see the SYN packets for this traffic on the firewall.

But the problem is that because the debug flow is not showing details, I am not able to check if it's a rule issue or something else on the firewall.

Is there a difference between the debug flow and debug sniffer commands? How can I check the problem further on this FortiGate 500E with 6.1?

Please help.

Suthomas
localhost
Contributor III

If the SYN packet comes in on one interface but is not going out on any other interface, you are most likely missing a firewall policy.

Is your diagnose debug flow syntax correct?

https://kb.fortinet.com/kb/documentLink.do?externalID=FD33882

suthomas1

Yes, the syntax is correct; I wrote it again from the site.

Surprising that diagnose sniffer shows some packets but not the full flow filter command.

Any other way to troubleshoot this issue further?

Suthomas
localhost

The debug flow command does not show anything at all?

Even if you do something like this:

diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter proto 1
diagnose debug flow trace start 100
diagnose debug enable

If this gives you some output, your filter settings are probably wrong.

Are you using VDOMs, and are you in the right VDOM while running the debug commands?

suthomas1

Yes, it's the right VDOM and the settings are correct.

The same filter shows output when I change the address to some other traffic.

Suthomas
localhost

If diagnose debug flow is generally working, I would try different filters (set only saddr, daddr, ports, etc.).

You could also try to temporarily enable logging of the implicit deny policy.

https://www.cascadedefense.com/log-your-denied-traffic-a-simple-step-for-added-network-visibility/

And check the logs.

Without seeing more detailed CLI output, I cannot tell you why 'diagnose debug flow' in your case is not showing any output.
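As an added example (not posted by anyone in this thread and not taken from Fortinet's documentation), here is one way to carry out the three suggestions above on FortiOS 6.x: a sniffer capture to confirm where the SYN arrives, a debug flow run with a narrow filter, and temporary logging on the implicit deny policy. The source address 10.1.1.10, destination 203.0.113.5 and port 443 are constructed placeholders; substitute the real client and server.

```text
# FortiOS CLI, run from the VDOM that owns the traffic (constructed example).
# With VDOMs enabled:  config vdom / edit <vdom-name>   before any of this.

# 1. Sniffer: does the SYN arrive, and on which interface?
#    Verbosity 4 prints the interface name; 10 = stop after 10 packets.
diagnose sniffer packet any 'host 10.1.1.10 and port 443' 4 10

# 2. Is there already a session for this flow? debug flow only traces packets
#    that go through a new policy lookup, so a stale session can keep it silent.
diagnose sys session filter clear
diagnose sys session filter src 10.1.1.10
diagnose sys session filter dst 203.0.113.5
diagnose sys session filter dport 443
diagnose sys session list

# 3. Debug flow with the narrowest filter that still matches the traffic.
#    Add one attribute at a time; if output stops, the last one was wrong.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.1.1.10
diagnose debug flow filter daddr 203.0.113.5
diagnose debug flow filter dport 443
diagnose debug flow filter proto 6
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable
# ... reproduce the connection from the client, then stop tracing:
diagnose debug disable
diagnose debug reset

# 4. Log the implicit deny policy (policy ID 0) so any drop shows up in the
#    forward traffic log even when the flow trace gives nothing.
config firewall policy
    edit 0
        set logtraffic all
    next
end
# Revert afterwards:  config firewall policy / edit 0 / set logtraffic disable
```

Reading the result: a trace line that mentions the implicit deny (or the denied-traffic log entry from step 4) points to a missing or mis-ordered policy; a trace that ends with a route lookup failure points to routing rather than policy; and a sniffer that shows the SYN with no matching flow trace at all usually means the filter does not match the packet seen (wrong VDOM, wrong address after NAT, or an existing session found in step 2).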

poundy

Agree with localhost: show us the CLI statements you're actually using, and (a sample of) what they produce. You're asking us to help debug, but we have nowhere near enough info compared to if we were at the keyboard ourselves.
