Step 1: Routing table check (in NAT mode)
Step 2: Verify whether services are open (if access to the FortiGate)
Step 3: Sniffer trace
Step 4: Debug flow
Step 5: Session list
1 - Routing table:
get router info routing-table all
get router info route-map-address
get router info bgp route-map <route-map-name>
3 - Sniffer trace:
diagnose sniffer packet any "port 80" 4
Advanced sniffing example:
The following commands will report packets on any interface that are traveling between a computer with the host name
of “PC1” and a computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace displays the
interface names where traffic enters or leaves the FortiGate unit. To stop the sniffer, type CTRL+C.
FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4
or
FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4
FortiOS 6.2.3 Cookbook 1470
Fortinet Technologies Inc.
Troubleshooting
The following sniffer command includes the ARP protocol in the filter, which may be useful to troubleshoot a
failure in ARP resolution. For example, PC2 may be down and not responding to the FortiGate ARP requests.
FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4
Using packet capture
To use packet capture, the FortiGate must have a disk. You can enable capture-packet in the firewall policy.
To enable packet capture in the CLI:
config firewall policy
edit <id>
set capture-packet enable
end
To configure packet capture filters in the GUI:
Go to Network > Packet Capture.
When you add a packet capture filter, enter the following information and click OK.
Interface: Select the interface to sniff from the drop-down menu. You must select one interface. Unlike the other fields, you cannot change the interface without deleting the filter and creating a new one.
Max Packets to Save: Enter the number of packets to capture before the filter stops. This number cannot be zero. You can halt the capture before this number is reached.
Enable Filters: Select this option to specify filter fields.
Host(s): Enter the IP address of one or more hosts. Separate multiple hosts with commas. To enter a range, use a dash without spaces, for example 172.16.1.5-172.16.1.15, or enter a subnet.
Port(s): Enter one or more ports to capture on the selected interface. Separate multiple ports with commas. To enter a range, use a dash without spaces, for example 88-90.
VLAN(s): Enter one or more VLANs (if any). Separate multiple VLANs with commas.
Protocol: Enter one or more protocols. Separate multiple protocols with commas. To enter a range, use a dash without spaces, for example 1-6, 17, 21-25.
Include IPv6 Packets: Select this option if you are troubleshooting IPv6 networking, or if your network uses IPv6. Otherwise, leave it disabled.
Include Non-IP Packets: The protocols in the list are all IP based except for ICMP (ping). Use this feature to capture non-IP based packets. Examples of non-IP packets include IPsec, IGMP, ARP, and ICMP.
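The GUI filter fields above use the same host/port semantics as the CLI sniffer examples earlier on this page. The following is an added example, not Fortinet's code, that turns those field values (comma lists, dash ranges) into a sniffer filter string and the matching diagnose sniffer packet command. It assumes the sniffer accepts only the tcpdump-style primitives the page shows (host, port, and, or, icmp, arp); the size cap and the helper names are my own.

```python
"""Build a 'diagnose sniffer packet' filter from GUI-style filter fields (added example)."""
import ipaddress

MAX_EXPANSION = 64  # assumption: refuse ranges that would expand into an unwieldy filter


def _items(spec):
    return [s.strip() for s in spec.split(",") if s.strip()]


def host_terms(spec):
    """Host(s) field: single IPs, comma lists, or 'lo-hi' ranges without spaces."""
    terms = []
    for item in _items(spec):
        if "-" in item:
            lo, hi = (int(ipaddress.ip_address(p)) for p in item.split("-", 1))
            if hi < lo or hi - lo + 1 > MAX_EXPANSION:
                raise ValueError(f"host range {item!r} is reversed or too large")
            terms += [f"host {ipaddress.ip_address(a)}" for a in range(lo, hi + 1)]
        else:
            terms.append(f"host {ipaddress.ip_address(item)}")
    return terms


def port_terms(spec):
    """Port(s) field: single ports, comma lists, or '88-90' ranges without spaces."""
    terms = []
    for item in _items(spec):
        lo, hi = item.split("-", 1) if "-" in item else (item, item)
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 65535 or hi - lo + 1 > MAX_EXPANSION:
            raise ValueError(f"port spec {item!r} is invalid or too large")
        terms += [f"port {p}" for p in range(lo, hi + 1)]
    return terms


def _group(terms):
    return terms[0] if len(terms) == 1 else "(" + " or ".join(terms) + ")"


def build_filter(hosts="", ports="", icmp_only=False, include_arp=False):
    """Join the fields with 'and'; 'or arp' goes last so the host/port restriction
    does not hide ARP requests (the page's ARP troubleshooting case)."""
    groups = [_group(t) for t in (host_terms(hosts), port_terms(ports)) if t]
    if icmp_only:
        groups.append("icmp")
    expr = " and ".join(groups)
    if include_arp:
        expr = f"{expr} or arp" if expr else "arp"
    return expr


def sniffer_command(expr, interface="any", verbosity=4):
    """Verbosity 4 and above prints the interface names where packets enter or leave the unit."""
    return f'diagnose sniffer packet {interface} "{expr}" {verbosity}'
```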
Managing filters
If you select a filter, you have the option to start and stop packet capture in the edit window, or download the captured
packets. You can also see the filter status and the number of packets captured.
You can select the filter and start capturing packets. When the filter is running, the number of captured packets
increases until it reaches the Max Packet Count or you stop it. You cannot download the output file while the filter is
running.
Packet capture controls
To start, stop, or resume packet capture, use the symbols on the screen. These symbols are the same as those used for
audio or video playback. Hover over the symbol to reveal explanatory text. Similarly, to download the *.pcap file, use the
download symbol on the screen.
Downloading the file
You can download the *.pcap file when the packet capture is complete. You must use a third-party application, such as
Wireshark, to read *.pcap files. This tool provides you with extensive analytics and the full contents of the packets that
were captured.
Debugging the packet flow
Debug the packet flow when network traffic is not entering and leaving the FortiGate as expected. Debugging the
packet flow can only be done in the CLI. Each command configures a part of the debug action. The final command
starts the debug.
To trace the packet flow in the CLI:
diagnose debug flow trace start
To follow packet flow by setting a flow filter:
diagnose debug flow {filter | filter6} <option>
- Enter filter if your network uses IPv4.
- Enter filter6 if your network uses IPv6.
Replace <option> with one of the following variables:
Variable: Description
addr: IPv4 or IPv6 address
clear: clear filter
daddr: destination IPv4 or IPv6 address
dport: destination port
negate: inverse IPv4 or IPv6 filter
port: port