Cookbook

Debugging the packet flow

Debug the packet flow when network traffic is not entering and leaving the FortiGate as expected. Debugging the packet flow can only be done in the CLI. Each command configures a part of the debug action; the final command starts the debug.

To trace the packet flow in the CLI:

diagnose debug flow trace start

To follow packet flow by setting a flow filter:

diagnose debug flow {filter | filter6} <option>

  • Enter filter if your network uses IPv4.

  • Enter filter6 if your network uses IPv6.

Replace <option> with one of the following variables:

Variable   Description

addr       IPv4 or IPv6 address
clear      clear filter
daddr      destination IPv4 or IPv6 address
dport      destination port
negate     inverse IPv4 or IPv6 filter
port       port
proto      protocol number
saddr      source address
sport      source port
vd         index of virtual domain; -1 matches all

Caution

If FortiGate is connected to FortiAnalyzer or FortiCloud, the diagnose debug flow output will be recorded as event log messages and then sent to the devices. Do not run this command longer than necessary, as it generates a significant amount of data.

Caution

FortiASIC NP4 or NP6 interface pairs that offload traffic will change the packet flow. Before debugging any NP4 or NP6 interfaces, disable offloading on those interfaces.

To do this, enter diagnose npu <interface pair> fastpath disable, where interface pair is np4, np6, np4lite, or np6lite.

To start flow monitoring with a specific number of packets:

diagnose debug flow trace start <N>

To stop flow tracing at any time:

diagnose debug flow trace stop

The following example shows the flow trace for a device with an IP address of 203.160.224.97:

diagnose debug enable

diagnose debug flow filter addr 203.160.224.97

diagnose debug flow show function-name enable

diagnose debug flow trace start 100

Sample output: HTTP

To observe the debug flow trace, connect to the website at the following address:

https://www.fortinet.com

SYN packet received:

id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

SYN sent and a new session is allocated:

id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"

Lookup for next-hop gateway address:

id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"

Source NAT, lookup next available port:

id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"

Matched security policy. Check to see which policy this session matches:

id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"

Apply source NAT:

id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

SYN ACK received:

id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Found existing session ID. Identified as the reply direction:

id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action:

id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Lookup for next-hop gateway address for reply traffic:

id=20085 trace_id=210 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.3.221 via port5"

ACK received:

id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction:

id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT:

id=20085 trace_id=211 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from client:

id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction:

id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT:

id=20085 trace_id=212 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from server:

id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Match existing session in reply direction:

id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action:

id=20085 trace_id=213 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Sample output: IPsec (policy-based)

id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."

id=20085 trace_id=1 msg="allocate a new session-00001cd3"

id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"

id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"

id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"

id=20085 trace_id=1 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"

id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"

id=20085 trace_id=2 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."

id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"

id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"

id=20085 trace_id=2 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"

id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"
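The two sample outputs above are verbose: one packet produces several lines, and a real capture of 100 packets is hard to read from the terminal. The following parser is an added example, not Fortinet code or part of this cookbook; it groups the lines by trace_id (one trace per packet) and reduces each to a single summary line showing ingress interface, session and direction, policy verdict, next hop, tunnel and NAT rewrites. The regular expressions assume only the message formats shown on this page, with or without the func= and line= fields, and the embedded sample is copied from those outputs.

```python
import re
# Lines copied from this page's sample output (HTTP traces 209/210 and the policy-based IPsec trace 1).
SAMPLE = """
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"
id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
"""
LINE_RE = re.compile(r'id=\d+ trace_id=(?P<trace>\d+)(?: func=\S+)?(?: line=\d+)? msg="(?P<msg>.*)"$')  # func=/line= only with "show function-name enable"
PATTERNS = {  # one regex per event type that appears in the trace messages
    "packet": re.compile(r"received a packet\s*\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<intf>\S+)\."),
    "session": re.compile(r"(?:allocate a new session-|Find an existing session, id-)(?P<session>[0-9a-f]+)(?:, (?P<direction>original|reply) direction)?"),
    "route": re.compile(r"find a route: gw-(?P<gw>\S+) via (?P<via>\S+)"),
    "policy": re.compile(r"Allowed by Policy-(?P<policy>\d+): (?P<action>.+)"),
    "tunnel": re.compile(r"enter IPsec tunnel-(?P<tunnel>\S+)"),
    "nat": re.compile(r"^(?P<nat>[SD]NAT \S+->\S+)$"),
}
def parse_flow(text):
    """Group debug-flow lines by trace_id (one trace per packet) into named fields."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, echoed CLI commands, lines cut off by the terminal
        fields = traces.setdefault(int(m["trace"]), {"direction": "new", "nat": []})
        for kind, rx in PATTERNS.items():
            hit = rx.search(m["msg"])
            if hit and kind == "nat":
                fields["nat"].append(hit["nat"])  # a packet can be rewritten more than once
            elif hit:
                fields.update({k: v for k, v in hit.groupdict().items() if v is not None})
    return traces
def summarize(traces):
    """One line per packet: ingress tuple, session/direction, verdict, next hop, tunnel, NAT."""
    out = []
    for tid, f in sorted(traces.items()):
        verdict = (f" | policy {f['policy']} ({f['action']})" if "policy" in f
                   else " | no policy verdict in capture" * (f["direction"] == "new"))
        extra = "".join(f" | {k} {f[k]}" for k in ("gw", "via", "tunnel") if k in f)
        out.append(f"trace {tid}: proto {f.get('proto')} {f.get('src')}->{f.get('dst')} in {f.get('intf')}"
                   f" | session {f.get('session')} ({f['direction']}){verdict}{extra}"
                   + "".join(f" | {n}" for n in f["nat"]))
    return out
```

A new session whose trace contains no "Allowed by Policy" line is flagged, which is the first thing to look for when traffic silently does not pass; reply-direction packets are matched to the existing session and carry no policy line, so they are not flagged.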
