Debugging FortiGate Configurations


    Source: http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html (page dated 04/12/2014, retrieved 8/10/2019)

    Problem

    I'm having problems configuring my FortiGate unit. I've heard of debug commands; how do I use them?

    Solution

    FortiGate units have built-in diagnose debug commands that can be used to debug the operation of any FortiGate software system by displaying debug messages on the CLI console as the system operates. When you find the problem, you can correct the configuration and run the diagnose debug command again to verify that the system now operates correctly.

    Before performing any debugging, you should connect to the FortiGate CLI with a terminal program that supports storing the output to a file for later reference. If you do not save the output to a file, you will miss valuable debugging information.

    Keep in mind that debugging consumes system resources and may affect performance. In most cases this will not be a problem, but if your FortiGate unit is already running at 100 percent resource usage, running the debug application is likely to cause it to drop more packets or sessions and generally worsen its overloaded behavior. The worst case is sniffing packets, which can use 10 percent or more of the system resources.


    To use the diagnose debug commands you must check the current debug configuration, select a software system for which to display debugging information, enable debugging, collect and analyze the results, and stop displaying debugging information. In general you can follow this command sequence (the application name and level in the second command come from the SSL VPN example below):

    diagnose debug info

    diagnose debug application <software system> <level>

    diagnose debug enable

    diagnose debug disable

    The following debug commands are also useful:

    diagnose debug reset resets the debug configuration to a default state.

    diagnose debug report produces an exhaustive report; Fortinet support may ask you to run this command and send them the output. It runs many different diagnose commands to gather a large amount of information. It may take up to 20 minutes to run on a FortiGate unit with a complex configuration and may temporarily affect system performance.

    Example diagnose debug procedure for an SSL VPN portal

    This procedure describes typical steps for displaying debug information for the SSL VPN configuration described in Setting up remote web browsing for internal sites through SSL VPN. You can use similar steps to display debug info for many other software systems.

    1 Verify the current debug configuration by entering the following command:

    diagnose debug info

    debug output: disable

    console timestamp: disable

    console no user log message: disable

    CLI debug level: 3

    This is a good command to run first, so you know what filters are in place and so on; otherwise, you may start debugging and wonder why the output is not what you expected. The output above indicates that debug output is disabled, so debug messages are not displayed. It also indicates that debugging has not been enabled for any software system.

    2 Enter the following command to display debug messages for SSL VPN:

    diagnose debug application sslvpn -1

    This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results.

    You can view all the debug options by entering diagnose debug ? or diagnose debug application ?

    3 Enter the following command to verify the debug configuration:

    diagnose debug info

    debug output: disable

    console timestamp: disable

    console no user log message: disable

    sslvpn debug level: -1 (0xffffffff)

    CLI debug level: 3

    This output verifies that SSL VPN debugging is enabled with a debug level of -1.

    4 Enable displaying debug messages by entering the following command:

    diagnose debug enable

    5 Log into the SSL VPN portal. The CLI displays debug messages similar to the following.


    FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)

    [282:root]SSL state:SSLv3 read client hello A (172.20.120.12)

    [282:root]SSL state:SSLv3 write server hello A (172.20.120.12)

    [282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)

    [282:root]SSL state:SSLv3 write finished B (172.20.120.12)

    [282:root]SSL state:SSLv3 flush data (172.20.120.12)

    [282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)

    [282:root]SSL state:SSLv3 read finished A (172.20.120.12)

    [282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)

    [282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

    Just the first few messages are shown for an SSL VPN user connecting to the portal from IP address 172.20.120.12. The messages show the connection being accepted and SSL VPN negotiation taking place. Note that this 2014-era sample negotiated SSLv3 with a SHA1 MAC; SSLv3 has since been deprecated (RFC 7568), so an SSLv3 negotiation in your own output is a configuration finding in itself, not just a debugging detail.

    You can view and analyze the debug messages or save them to a text file using your terminal program.

    6 Enter the following command to stop displaying debug messages:

    diagnose debug disable

    If there is a lot of output scrolling by quickly, you may not be able to see the command as you enter it.
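    Because the page recommends saving the debug output to a file, the following Python script, an added example that is not part of the Fortinet cookbook, shows how to get more out of a saved sslvpn transcript than reading it by eye: it groups the SSL state messages by their [pid:vdom] prefix, records whether each session reached "SSL negotiation finished successfully", and flags a legacy protocol or cipher parameter in the "SSL established" line. The regular expressions assume the message format shown above (other FortiOS releases may differ); session 282 in the sample is the page's own output, session 283 is constructed to show a handshake that never completes.

```python
"""Summarise a saved 'diagnose debug application sslvpn -1' transcript.

Added example, not from the Fortinet cookbook.  Assumptions: the transcript was
saved as plain text by the terminal program, and messages follow the format
shown on the page ("[pid:vdom]SSL state:... (client-ip)" and
"[pid:vdom]SSL established: CIPHER PROTO ...").  Other FortiOS releases may
format these lines differently.
"""
import re
from collections import OrderedDict

# Constructed sample transcript.  Session 282 is the page's example; session
# 283 is invented to show a handshake that never completes.
SAMPLE = """\
FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12)
[282:root]SSL state:SSLv3 read client hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write server hello A (172.20.120.12)
[282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12)
[282:root]SSL state:SSLv3 write finished B (172.20.120.12)
[282:root]SSL state:SSLv3 flush data (172.20.120.12)
[282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12)
[282:root]SSL state:SSLv3 read finished A (172.20.120.12)
[282:root]SSL state:SSL negotiation finished successfully (172.20.120.12)
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
[283:root]SSL state:before/accept initialization (172.20.120.99)
[283:root]SSL state:SSLv3 read client hello A (172.20.120.99)
"""

STATE_RE = re.compile(
    r"\[(?P<pid>\d+):(?P<vdom>\w+)\]SSL state:(?P<state>.+?)\s*"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s*$"
)
ESTABLISHED_RE = re.compile(
    r"\[(?P<pid>\d+):(?P<vdom>\w+)\]SSL established: "
    r"(?P<cipher>\S+) (?P<proto>\S+)(?P<params>.*)$"
)

# Simple policy: anything below TLS 1.2, or a cipher with these parameters, is
# reported as weak.  SSLv3 is deprecated by RFC 7568.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_PARAMS = ("Enc=RC4", "Enc=DES", "Enc=3DES", "Enc=None", "Mac=MD5")


def new_session(client):
    return {"client": client, "states": [], "finished": False,
            "cipher": None, "protocol": None, "weak": []}


def summarise(transcript):
    """Return an ordered dict keyed by 'pid:vdom' with one record per session."""
    sessions = OrderedDict()
    for line in transcript.splitlines():
        m = STATE_RE.search(line)          # search(): tolerate the CLI prompt prefix
        if m:
            key = f"{m['pid']}:{m['vdom']}"
            sess = sessions.setdefault(key, new_session(m["ip"]))
            sess["states"].append(m["state"])
            if m["state"].startswith("SSL negotiation finished successfully"):
                sess["finished"] = True
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            sess = sessions.get(f"{m['pid']}:{m['vdom']}")
            if sess is None:               # established line with no state lines: skip
                continue
            sess["cipher"], sess["protocol"] = m["cipher"], m["proto"]
            if m["proto"] in WEAK_PROTOCOLS:
                sess["weak"].append(m["proto"])
            sess["weak"].extend(p for p in WEAK_PARAMS if p in m["params"])
    return sessions


if __name__ == "__main__":
    for key, sess in summarise(SAMPLE).items():
        status = "established" if sess["finished"] else "NOT finished"
        print(f"{key} {sess['client']}: {status}, {len(sess['states'])} state messages, "
              f"cipher={sess['cipher']} proto={sess['protocol']} weak={sess['weak']}")
```

    A session that shows state messages but never reaches "negotiation finished successfully" is the pattern to look for when a user reports that the portal page never loads; the established line, when present, tells you which protocol and cipher the two ends actually agreed on.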

    Debugging authentication

    Any time a FortiGate unit authenticates a user, the authd daemon is responsible. This is true whether the user is logging in through SSL VPN or connecting over IPsec VPN from FortiClient, and even when certificates are involved. You can use the following commands to debug authentication:

    diagnose debug application authd -1

    diagnose debug enable

    authd_http.c:1910 authd_http_connect: called

    authd_http.c:3071 authd_http_change_state: called

    change state to: 3

    authd_http.c:1112 authd_http_read: called

    authd_http.c:2383 authd_http_wait_req: called

    authd_http.c:2443 authd_http_read_req: called

    authd_http_common.c:276 authd_http_read_http_message: called

    authd_http_common.c:229 authd_http_is_full_http_message: called

    authd_http.c:4899 authd_http_on_method_get: called

    authd_http.c:2098 authd_http_check_auth_action: called

    authd_http.c:3071 authd_http_change_state: called

    change state to: 2

    The output shows the messages the authentication daemon is receiving and the resulting state changes. This authentication session was between a FortiGate unit and FortiClient during IPsec VPN session setup.

    Debugging IPsec VPN

    You can use the diag debug application ike -1 command to display all the VPN-related traffic, especially the initial negotiations. This gives you the information to find and fix errors that you would otherwise only be guessing at.

    Debugging URL filtering

    Have you tried to set up URL filters only to have the URLs still come through? The diag debug information can help you determine what is going on under the hood, for example in Blocking all web sites except those you specify using a whitelist.

    For example, if one user at 172.20.120.18 is complaining that the URL filter is not working for them, you can enter the commands:

    #diag debug disable

    #diag debug application urlfilter -1

    #diag debug enable

    This is very useful if you want to test new URL filter patterns. The following sample output from this set of commands, for a group of URLs that you have included in the UTM Web Filtering Advanced Filtering list, such as *.ro, would appear as:

    msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.example.ro:80, id=22, vfid=0, type=0, client=10.10.80.110, url=/favicon.ico"

    Checking urlfilter list 4

    Url filter deny action

    This output shows one attempt to browse to http://www.example.ro, which matches the blocked *.ro sites. From this output we can see the URL, who was going there (the client IP address 10.10.80.110), and the action (URL filter deny action). Note that the id number increments by one for each message matched like this. From this information we now know the *.ro URL filter is working properly for a client on the 10.10.80.0 subnet.
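    The page's advice is to read the request, client and action out of each urlfilter message by hand. As an added example that is not part of the Fortinet cookbook, the following Python script does that over a saved transcript and turns it into the check a practitioner actually wants: which requests matched a configured deny pattern (fnmatch wildcards such as *.ro) but were not denied, whether the id sequence has gaps, and a per-client deny count. It assumes the three-line message format shown above (request, "Checking urlfilter list N", "Url filter <action> action") and treats a request with no action line as not denied; the first record in the sample is the page's own, the others are constructed to show an id gap and a .ro request that slipped through.

```python
"""Check a saved 'diag debug application urlfilter -1' transcript against the
configured deny patterns.

Added example, not from the Fortinet cookbook.  Assumptions: the three-line
message format shown on the page (request line, "Checking urlfilter list N",
"Url filter <action> action"), and that a request with no action line after it
was not denied.  The sample transcript is constructed: record id=22 is the
page's own output, the rest are invented.
"""
import re
from fnmatch import fnmatchcase

SAMPLE = """\
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.example.ro:80, id=22, vfid=0, type=0, client=10.10.80.110, url=/favicon.ico"
Checking urlfilter list 4
Url filter deny action
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.example.ro:80, id=23, vfid=0, type=0, client=10.10.80.110, url=/index.html"
Checking urlfilter list 4
Url filter deny action
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.example.com:80, id=24, vfid=0, type=0, client=10.10.80.111, url=/"
Checking urlfilter list 4
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=static.example.ro:80, id=26, vfid=0, type=0, client=10.10.80.111, url=/logo.png"
Checking urlfilter list 4
"""

REQUEST_RE = re.compile(
    r'msg="received a request .*?d=(?P<host>[^:,]+)(?::(?P<port>\d+))?, id=(?P<id>\d+), '
    r'vfid=(?P<vfid>\d+), type=(?P<type>\d+), client=(?P<client>[\d.]+), url=(?P<url>[^"]*)"'
)
LIST_RE = re.compile(r"Checking urlfilter list (?P<list>\d+)")
ACTION_RE = re.compile(r"Url filter (?P<action>\w+) action")


def parse_urlfilter(transcript):
    """Return one record per request, in transcript order."""
    records, current = [], None
    for line in transcript.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = {
                "id": int(m["id"]), "host": m["host"].lower(),
                "port": int(m["port"]) if m["port"] else None,
                "vfid": int(m["vfid"]), "client": m["client"], "url": m["url"],
                "list": None, "action": None,
            }
            records.append(current)
            continue
        if current is None:          # list/action line before any request: ignore
            continue
        m = LIST_RE.search(line)
        if m:
            current["list"] = int(m["list"])
            continue
        m = ACTION_RE.search(line)
        if m:
            current["action"] = m["action"].lower()
    return records


def missed_denies(records, deny_patterns):
    """Requests whose host matches a deny pattern but were not denied."""
    return [r for r in records
            if any(fnmatchcase(r["host"], p.lower()) for p in deny_patterns)
            and r["action"] != "deny"]


def id_gaps(records):
    """The page notes the id increments by one per matched message; a gap
    means a request message the transcript did not capture."""
    ids = sorted(r["id"] for r in records)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


def by_client(records):
    """Count denied and non-denied requests per client IP."""
    summary = {}
    for r in records:
        c = summary.setdefault(r["client"], {"deny": 0, "other": 0})
        c["deny" if r["action"] == "deny" else "other"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_urlfilter(SAMPLE)
    print(by_client(recs))
    for r in missed_denies(recs, ["*.ro"]):
        print(f"id={r['id']} client={r['client']} host={r['host']} "
              f"action={r['action']}: expected deny")
    print("id gaps:", id_gaps(recs))
```

    Run it with the transcript for the complaining user's client IP and the patterns from your Advanced Filtering list; a non-empty missed_denies result is the evidence that the filter saw the request and did not block it, which is a different problem from the request never reaching the filter at all.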

    Debugging packet flow

    You can use the diag debug flow command to show packet flow through the FortiGate unit. As packets are received, you can view debug messages that show how the FortiGate unit processes them. For more information, see Verifying that traffic is accepted by a security policy.