Saturday, September 19, 2020

troubleshoot Fortigate's problem - network - steps

 Step 1: Routing table check (in NAT mode)

Step 2: Verify is services are opened (if access to the FortiGate)

Step 3: Sniffer trace

Step 4: Debug flow

Step 5: Session list


1 -

Routing table:

get router info routing-table all

get router info route-map-address

get router info bgp route-map <route-map-name>

3- diagnose sniffer packet any "port 80" 4



Advanced sniffing example:


The following commands will report packets on any interface that are traveling between a computer with the host name

of “PC1” and a computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace displays the

interface names where traffic enters or leaves the FortiGate unit. To stop the sniffer, type CTRL+C.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2>" 4

or


FortiOS 6.2.3 Cookbook 1470

Fortinet Technologies Inc.



Troubleshooting


FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and icmp" 4

The following CLI command for a sniffer includes the ARP protocol in the filter which may be useful to troubleshoot a

failure in the ARP resolution. For example, PC2 may be down and not responding to the FortiGate ARP requests.

FGT# diagnose sniffer packet any "host <PC1> or host <PC2> or arp" 4


Using packet capture


To use packet capture, the FortiGate must have a disk. You can enable the capture-packetin the firewall policy.


To enable packet capture in the CLI:


config firewall policy

edit <id>

set capture-packet enable

end


To configure packet capture filters in the GUI:


Go to Network > Packet Capture.

When you add a packet capture filter, enter the following information and click OK.


Interface Select the interface to sniff from the drop-down menu.

You must select one interface. You cannot change the interface without deleting

the filter and creating a new one, unlike the other fields.

Max Packets to Save Enter the number of packets to capture before the filter stops.

This number cannot be zero. You can halt the capturing before this number is

reached.

Enable Filters Select this option to specify filter fields.

Host(s) Enter the IP address of one or more hosts.

Separate multiple hosts with commas. To enter a range, use a dash without

spaces. For example, 172.16.1.5-172.16.1.15, or enter a subnet.

Port(s) Enter one or more ports to capture on the selected interface.

Separate multiple ports with commas. To enter a range, use a dash without

spaces, for example 88-90.

VLAN(s) Enter one or more VLANs (if any). Separate multiple VLANs with commas.

Protocol Enter one or more protocols. Separate multiple protocols with commas. To enter

a range, use a dash without spaces. For example, 1-6, 17, 21-25.

Include IPv6 Packets Select this option if you are troubleshooting IPv6 networking, or if your network

uses IPv6. Otherwise, leave it disabled.

Include Non-IP Packets The protocols in the list are all IP based except for ICMP (ping).

Use this feature to capture non-IP based packets. Examples of non-IP packets

include IPsec, IGMP, ARP, and ICMP.


FortiOS 6.2.3 Cookbook 1471

Fortinet Technologies Inc.



Troubleshooting


Managing filters


If you select a filter, you have the option to start and stop packet capture in the edit window, or download the captured

packets. You can also see the filter status and the number of packets captured.

You can select the filter and start capturing packets. When the filter is running, the number of captured packets

increases until it reaches the Max Packet Count or you stop it. You cannot download the output file while the filter is

running.


Packet capture controls


To start, stop, or resume packet capture, use the symbols on the screen. These symbols are the same as those used for

audio or video playback. Hover over the symbol to reveal explanatory text. Similarly, to download the *.pcap file, use the

download symbol on the screen.


Downloading the file


You can download the *.pcap file when the packet capture is complete. You must use a third party application, such as

Wireshark, to read *,pcap files. This tool provides you with extensive analytics and the full contents of the packets that

were captured.


Debugging the packet flow


Debug the packet flow when network traffic is not entering and leaving the FortiGate as expected. Debugging the

packet flow can only be done in the CLI. Each command configures a part of the debug action. The final commands

starts the debug.


To trace the packet flow in the CLI:


diagnose debug flow trace start


To follow packet flow by setting a flow filter:


diagnose debug flow {filter | filter6} <option>

l Enter filterif your network uses IPv4.

l Enter filter6if your network uses IPv6.

Replace <option>with one of the following variables:


Variable Description

addr IPv4 or IPv6 address

clear clear filter

daddr destination IPv4 or IPv6 address

dport destination port

negate inverse IPv4 or IPv6 filter

port port


FortiOS 6.2.3 Cookbook 

No comments:

Post a Comment

Remote Hybrid and Office work