Tools: Flow Trace in Fortigate

The flow trace feature on FortiGate units lets you trace the flow of a packet through the firewall you are connected to. It shows whether a packet is being denied, and why, or allowed by a particular policy, and which NAT and routing decision are applied to it.

Command Syntax

  1. Disable any debug session that is already running.
    1. diag debug disable
  2. Add filters (as many as you like; a packet must match all of the filters you set before it is traced)
    1. diag debug flow filter (option) (variable)
      Options include:

      1. clear – Clear all filters.
      2. vd – Index of the virtual domain.
      3. proto – IP protocol number, e.g. 6 for TCP, 17 for UDP, 1 for ICMP. (https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers)
      4. addr – IP address (matches either the source or the destination).
      5. saddr – Source IP address.
      6. daddr – Destination IP address.
      7. port – Port number (matches either the source or the destination port). (https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers)
      8. sport – Source port.
      9. dport – Destination port.
      10. negate – Invert a filter, so that packets NOT matching it are traced.
  3. Send the flow trace output to your console session:
    1. diag debug flow show console enable
  4. Include the kernel function name in each output line (useful when you need to tell support exactly where a packet was dropped):
    1. diag debug flow show function-name enable
  5. Start the trace and set how many packets to trace before it stops by itself:
    1. diag debug flow trace start 10
  6. Enable debug output:
    1. diag debug enable

Restart trace

Just enter "diag debug flow trace start 10" again to start capturing; change the number if you want to capture more packets. The filters you set earlier stay in place.

Stop trace

Type "diag debug flow trace stop" to stop capturing traces. A handy tip is to type this before starting the trace, so you can just press the up arrow and Enter to stop it, rather than typing it while trace output is scrolling on the console.

Show current filter settings

Type "diag debug flow filter" to see what filters are currently set. Filters persist until you clear them or the unit reboots, so clear them with "diag debug flow filter clear" before setting up a new trace, otherwise an old filter can silently hide the packets you are looking for. When you are finished, also run "diag debug disable" so debug output does not keep going to the console.

Copy and Paste Command

Copy the following into a text file, edit the filters as required, and paste it into the FortiGate CLI session as an easy way to run the whole sequence. This example traces RDP (port 3389) to a single destination address; remember to add "diag debug flow filter clear" first if you have set filters before.

diag debug disable
diag debug flow filter port 3389
diag debug flow filter daddr 103.254.231.30
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 10
diag debug enable
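Reading the output is the other half of the job: each traced packet produces several lines that share a trace_id, and the ones you care about are the packet header, the route lookup, the "Allowed by Policy-N" or "Denied by ..." verdict, and any SNAT/DNAT applied. The script below is an added example (mine, not code from the original post or from Fortinet): it parses a constructed trace of the kind the commands above produce and prints one summary line per trace_id. The message formats it matches are an assumption about what FortiOS prints; the addresses, interfaces, policy numbers and session ids in the sample are made up.

```python
"""Summarise FortiGate 'diag debug flow' output, one line per trace_id.

Added example, not code from the original post or from Fortinet. It assumes
the message shapes FortiOS prints ("received a packet(...)", "find a route",
"Allowed by Policy-N", "Denied by ...", "SNAT ...", "DNAT ...") and ignores
every other line.
"""
import re

# Constructed sample trace: field layout mirrors real output, but the
# addresses, interfaces, policy numbers and session ids are made up.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 203.0.113.44:40000->103.254.231.30:3389) from port1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2582 msg="find a route: flag=04000000 gw-10.0.0.5 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=717 msg="Allowed by Policy-7:"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3092 msg="DNAT 103.254.231.30:3389->10.0.0.5:3389"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 198.51.100.9:40001->103.254.231.30:3389) from port1. flag [S], seq 2000, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2582 msg="find a route: flag=04000000 gw-10.0.0.5 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=717 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.0.0.20:51234->192.0.2.80:3389) from port2. flag [S], seq 3000, ack 0, win 64240"
id=20085 trace_id=3 func=init_ip_session_common line=5519 msg="allocate a new session-0000a1b4"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2582 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
id=20085 trace_id=3 func=fw_forward_handler line=717 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=3 func=__ip_session_run_tuple line=3092 msg="SNAT 10.0.0.20->103.254.231.30:51234"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=\S+ line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
                    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by (?P<reason>.+?)(?: \(policy (?P<policy>\d+)\))?$')
SNAT_RE = re.compile(r'^SNAT (?P<orig>[\d.]+)->(?P<nat>[\d.]+):(?P<port>\d+)')
DNAT_RE = re.compile(r'^DNAT (?P<orig>[\d.]+):(?P<oport>\d+)->(?P<nat>[\d.]+):(?P<nport>\d+)')


def parse_flow_trace(text):
    """Group lines by trace_id and keep the packet, route, verdict and NAT."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echoes, blank lines, non-flow debug output
        t = traces.setdefault(int(m.group("trace")), {
            "packet": None, "route": None, "verdict": None,
            "policy": None, "reason": None, "snat": None, "dnat": None})
        msg = m.group("msg")
        if (p := PKT_RE.search(msg)):
            t["packet"] = {k: int(v) if k in ("proto", "sport", "dport") else v
                           for k, v in p.groupdict().items()}
        elif (r := ROUTE_RE.search(msg)):
            t["route"] = (r.group("gw"), r.group("iface"))
        elif (a := ALLOW_RE.search(msg)):
            t["verdict"], t["policy"] = "allow", int(a.group("policy"))
        elif (d := DENY_RE.search(msg)):
            t["verdict"], t["reason"] = "deny", d.group("reason")
            t["policy"] = int(d.group("policy")) if d.group("policy") else None
        elif (s := SNAT_RE.search(msg)):
            t["snat"] = (s.group("orig"), s.group("nat"), int(s.group("port")))
        elif (dn := DNAT_RE.search(msg)):
            t["dnat"] = (dn.group("orig"), int(dn.group("oport")),
                         dn.group("nat"), int(dn.group("nport")))
    return traces


def summarize(text):
    """One human-readable line per trace: flow, verdict, route and NAT."""
    out = []
    for tid, t in sorted(parse_flow_trace(text).items()):
        p = t["packet"]
        flow = (f"{p['src']}:{p['sport']}->{p['dst']}:{p['dport']} proto={p['proto']} "
                f"in={p['iface']}" if p else "no packet line")
        if t["verdict"] == "allow":
            verdict = f"ALLOWED by policy {t['policy']}"
        elif t["verdict"] == "deny":
            verdict = f"DENIED: {t['reason']}"
        else:
            verdict = "no policy decision seen"  # trace cut off or filter too narrow
        route = f"route gw {t['route'][0]} via {t['route'][1]}" if t["route"] else "no route"
        nat = []
        if t["dnat"]:
            nat.append(f"DNAT -> {t['dnat'][2]}:{t['dnat'][3]}")
        if t["snat"]:
            nat.append(f"SNAT -> {t['snat'][1]}")
        out.append(f"trace {tid}: {flow} | {verdict} | {route} | {' '.join(nat) or 'no NAT'}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRACE)))
```

In practice you would save the console session to a file and feed it to summarize() instead of SAMPLE_TRACE. A trace that ends with "no policy decision seen" usually means the capture stopped before the verdict line or the packet was dropped earlier (for example by the route lookup), so look at the raw lines for that trace_id rather than the summary.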
