Debugging the packet flow

Debug the packet flow when network traffic is not entering and leaving the FortiGate as expected. Debugging the packet flow can only be done in the CLI. Each command configures a part of the debug action. The final commands starts the debug.

To trace the packet flow in the CLI:

# diagnose debug flow trace start

To follow packet flow by setting a flow filter:

# diagnose debug flow {filter | filter6} <option>

  • Enter filter if your network uses IPv4.

  • Enter filter6 if your network uses IPv6.

Replace <option> with one of the following variables:




IPv4 or IPv6 address


clear filter


destination IPv4 or IPv6 address