Troubleshooting Options in FortiGate CLI for Traffic Flow Analysis

In addition to the GUI packet capture methods, the CLI offers the possibility to capture packets on multiple interfaces and mark these on a per-packet basis. This can be useful if there is reason to suspect a packet is leaving from the wrong interface and being subsequently dropped by FortiGate.

When troubleshooting traffic flow in a FortiGate unit using the Command Line Interface (CLI), there are several effective options available to capture packets and analyze network behavior. Below is a detailed step-by-step guide on how to utilize these options.

1. Using Packet Capture Commands

FortiGate provides built-in packet capture capabilities that allow administrators to monitor and analyze traffic passing through the device. The primary command used for this purpose is diag sniffer packet.

Step 1: Accessing the CLI

To begin, access the FortiGate CLI through SSH or console access.

Step 2: Running Packet Capture

The basic syntax for capturing packets is as follows:

diag sniffer packet <interface> '<filter>' <count>
  • <interface>: Specify the interface you want to capture packets on (e.g., port1, wan1); any captures on all interfaces.
  • <filter>: Use BPF (Berkeley Packet Filter) syntax to filter specific traffic (e.g., host 192.168.1.1).
  • <count>: Define how many packets you want to capture (e.g., 100).

For example, to capture 100 packets from the port1 interface where the source IP is 192.168.1.10, you would use:

diag sniffer packet port1 'src host 192.168.1.10' 100

Step 3: Analyzing Output

The output will display captured packets in real-time, showing details such as timestamps, source and destination IP addresses, protocols, and more.
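A worked example for reading that output, added here and not part of the original page or of Fortinet's tooling: it assumes the sniffer was run at verbose level 4 (the trailing 4 argument, which prefixes each packet with the interface name and in/out direction), parses constructed sample lines, groups packets into flows, and flags flows that entered the unit but never left, or that left on an interface other than the one expected, which is the wrong-interface case described at the top of the page.

```python
import re

# Constructed sample of 'diag sniffer packet any "..." 4' output (verbose level 4
# prefixes every packet with the interface name and in/out direction).
SAMPLE_OUTPUT = """\
3.110233 port2 in 192.168.1.10.51234 -> 203.0.113.5.443: syn 2883117485
3.110301 wan1 out 192.168.1.10.51234 -> 203.0.113.5.443: syn 2883117485
3.130452 wan1 in 203.0.113.5.443 -> 192.168.1.10.51234: syn 1183545401 ack 2883117486
3.130499 port2 out 203.0.113.5.443 -> 192.168.1.10.51234: syn 1183545401 ack 2883117486
4.200111 port2 in 192.168.1.11.40000 -> 10.10.10.20.22: syn 1000
4.200150 dmz out 192.168.1.11.40000 -> 10.10.10.20.22: syn 1000
5.300000 port2 in 192.168.1.12.53000 -> 198.51.100.9.53: udp 48
"""

# One packet line: <seconds> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <rest>
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_sniffer(text):
    """Return one dict per packet line that matches the verbose-4 layout."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flow_key(pkt):
    # Order-independent endpoint pair so both directions of a session share a key.
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def trace_flows(packets, expected_egress):
    """Group packets into flows; expected_egress maps destination IP -> interface."""
    flows = {}
    for p in packets:
        f = flows.setdefault(flow_key(p), {"first": p, "in": set(), "out": set()})
        f[p["dir"]].add(p["iface"])
    problems = []
    for f in flows.values():
        p, outs = f["first"], f["out"]          # first packet seen = initiator's "in"
        want = expected_egress.get(p["dst"])
        if not outs:
            problems.append(f"{p['src']}->{p['dst']}: in on {p['iface']}, never sent out (dropped?)")
        elif want and want not in outs:
            problems.append(f"{p['src']}->{p['dst']}: left via {sorted(outs)}, expected {want}")
    return flows, problems

if __name__ == "__main__":
    for msg in trace_flows(parse_sniffer(SAMPLE_OUTPUT),
                           {"203.0.113.5": "wan1", "10.10.10.20": "port3"})[1]:
        print(msg)
```

The expected-egress map is your own routing expectation; a flow reported as "never sent out" is the one to follow up with the debug and session commands below.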

2. Using Debug Commands

In addition to packet captures, FortiGate offers various debug commands that can help diagnose issues related to traffic flow.

Step 1: Enabling Debugging

You can enable debugging for specific features or protocols using commands like:

diag debug enable

This command turns on debug output to your CLI session; what is actually printed is decided by the per-application debug levels set in the next step.

Step 2: Setting Specific Debug Levels

To focus on particular areas of interest, set specific debug levels using:

diag debug application <application> <level>

For example, if you want to debug VPN-related traffic:

diag debug application ike -1

This command sets the IKE (Internet Key Exchange) application debugging level to maximum verbosity.

Step 3: Viewing Debug Output

After enabling debugging, use:

diag debug console timestamp enable

This adds timestamps to your debug output for better analysis. When you are finished, turn debugging off again with diag debug disable, since verbose debug output adds load to the unit.

3. Checking Session Information

Another useful method for troubleshooting traffic flow is checking session information with the following command:

get session list

This command provides a detailed list of active sessions traversing through the FortiGate unit, including source/destination IPs, ports, and protocol types.

4. Using Log Files

FortiGate units maintain extensive logs that can be invaluable during troubleshooting.

Step 1: Accessing Logs via CLI

You can view logs directly from the CLI by using commands such as:

get log traffic summary

This command summarizes recent traffic logs which can help identify unusual patterns or issues.

5. Utilizing Flow Trace Commands

Flow tracing allows you to follow a specific session through its lifecycle within the firewall.

Step 1: Initiating Flow Trace

Use the following command with a specific IP address obtained from the session list in the previous steps:

diagnose sniffer packet any 'host <ip_address>' -v -l

Replace <ip_address> with the relevant IP address you wish to trace.

Conclusion

By utilizing these various commands and techniques within the FortiGate CLI—packet captures, debugging tools, session checks, log reviews, and flow tracing—you can effectively troubleshoot and analyze traffic flow issues on your network security appliance.
