
Administration Guide

Debugging the packet flow

Debug the packet flow when network traffic is not entering and leaving the FortiGate as expected. When debugging the packet flow in the CLI, each command configures a part of the debug action. The final command starts the debug.

For information about using the debug flow tool in the GUI, see Using the debug flow tool.

To trace the packet flow in the CLI:

# diagnose debug flow trace start

To follow packet flow by setting a flow filter:

# diagnose debug flow {filter | filter6} <option>

  • Enter filter if your network uses IPv4.

  • Enter filter6 if your network uses IPv6.

Replace <option> with one of the following variables:

Variable   Description
addr       IPv4 or IPv6 address
clear      clear filter
daddr      destination IPv4 or IPv6 address
dport      destination port
negate     inverse IPv4 or IPv6 filter
port       port
proto      protocol number
saddr      source address
sport      source port
vd         index of virtual domain; -1 matches all

Caution

If FortiGate is connected to FortiAnalyzer or FortiCloud, the diagnose debug flow output will be recorded as event log messages and then sent to the devices. Do not run this command longer than necessary, as it generates a significant amount of data.

Caution

Flow monitoring does not work for traffic offloaded to NP6 or NP7 processors. To use the diagnose debug flow commands with sessions that would be offloaded to NP6 or NP7 processors, either test the traffic flow using ICMP (ICMP traffic is not offloaded) or disable NP6 or NP7 offloading.

You can use the following command to temporarily disable NP6 offloading of all traffic:

diagnose npu {np6 | np6xlite | np6lite} fastpath disable

You must disable NP7 offloading in the firewall policy that accepts the traffic that you are tracing; see Tracing packet flow on FortiGates with NP7 processors.

You can also use the NP7 packet sniffer to sniff NP7 offloaded traffic without disabling NP7 offloading; see NP7 packet sniffer.

To start flow monitoring with a specific number of packets:

# diagnose debug flow trace start <N>

To stop flow tracing at any time:

# diagnose debug flow trace stop

The following example shows the flow trace for a device with an IP address of 203.160.224.97:

# diagnose debug enable

# diagnose debug flow filter addr 203.160.224.97

# diagnose debug flow show function-name enable

# diagnose debug flow trace start 100

Sample output: HTTP

To observe the debug flow trace, connect to the website at the following address:

https://www.fortinet.com

SYN packet received:

id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

SYN sent and a new session is allocated:

id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"

Lookup for next-hop gateway address:

id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"

Source NAT, lookup next available port:

id=20085 trace_id=209 func=get_new_addr line=1219 msg="find SNAT: IP-192.168.11.59, port-31925"

Matched security policy. Check to see which policy this session matches:

id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"

Apply source NAT:

id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

SYN ACK received:

id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Found existing session ID. Identified as the reply direction:

id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action:

id=20085 trace_id=210 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Lookup for next-hop gateway address for reply traffic:

id=20085 trace_id=210 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.3.221 via port5"

ACK received:

id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction:

id=20085 trace_id=211 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT:

id=20085 trace_id=211 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from client:

id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."

Match existing session in the original direction:

id=20085 trace_id=212 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, original direction"

Apply source NAT:

id=20085 trace_id=212 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"

Receive data from server:

id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."

Match existing session in reply direction:

id=20085 trace_id=213 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"

Apply destination NAT to inverse source NAT action:

id=20085 trace_id=213 func=__ip_session_run_tuple line=1516 msg="DNAT 192.168.11.59:31925->192.168.3.221:1487"

Sample output: IPsec (policy-based)

id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."

id=20085 trace_id=1 msg="allocate a new session-00001cd3"

id=20085 trace_id=1 msg="find a route: gw-66.236.56.230 via wan1"

id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"

id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"

id=20085 trace_id=1 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"

id=20085 trace_id=1 msg="send to 66.236.56.230 via intf-wan1"

id=20085 trace_id=2 msg="vd-root received a packet (proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."

id=20085 trace_id=2 msg="Find an existing session, id-00001cd3, original direction"

id=20085 trace_id=2 msg="enter IPsec tunnel-RemotePhase1"

id=20085 trace_id=2 msg="encrypted, and send to 15.215.225.22 with source 66.236.56.226"

id=20085 trace_id=2 msg="send to 66.236.56.230 via intf-wan1"
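The two samples above are easiest to read when the per-packet lines are folded into one summary per trace_id (ingress interface, session, route, matched policy, NAT rewrite, tunnel). The following parser is an added example and not part of the Fortinet guide; its patterns cover only the message types shown on this page, and its input is constructed from the page's own sample lines re-joined onto single lines as the FortiGate prints them.

```python
import re

# Constructed sample (this page's own trace lines re-joined onto one line each, as
# the FortiGate prints them): HTTP trace_id 209/210 and policy-based IPsec trace_id 1.
SAMPLE = """\
id=20085 trace_id=209 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 192.168.3.221:1487->203.160.224.97:80) from port5."
id=20085 trace_id=209 func=resolve_ip_tuple line=2799 msg="allocate a new session-00000e90"
id=20085 trace_id=209 func=vf_ip4_route_input line=1543 msg="find a route: gw-192.168.11.254 via port6"
id=20085 trace_id=209 func=fw_forward_handler line=317 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=209 func=__ip_session_run_tuple line=1502 msg="SNAT 192.168.3.221->192.168.11.59:31925"
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2700 msg="vd-root received a packet(proto=6, 203.160.224.97:80->192.168.11.59:31925) from port6."
id=20085 trace_id=210 func=resolve_ip_tuple_fast line=2727 msg="Find an existing session, id-00000e90, reply direction"
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 10.72.55.240:1->10.71.55.10:8) from internal."
id=20085 trace_id=1 msg="Allowed by Policy-2: encrypt"
id=20085 trace_id=1 msg="enter IPsec tunnel-RemotePhase1"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value fields; msg is double-quoted
# One pattern per message type this page shows; the group names become summary keys.
MSG_RES = [
    re.compile(r'received a packet ?\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<in_intf>\S+)\.'),
    re.compile(r'allocate a new session-(?P<session>[0-9a-f]+)'),
    re.compile(r'Find an existing session, id-(?P<session>[0-9a-f]+), (?P<direction>original|reply) direction'),
    re.compile(r'find a route: gw-(?P<gateway>\S+) via (?P<out_intf>\S+)'),
    re.compile(r'Allowed by Policy-(?P<policy>\d+): (?P<action>\S+)'),
    re.compile(r'(?P<nat>SNAT|DNAT) (?P<nat_from>\S+)->(?P<nat_to>\S+)'),
    re.compile(r'enter IPsec tunnel-(?P<tunnel>\S+)'),
]

def parse_line(line):
    """Split one debug flow line into its key=value fields, unquoting msg."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize(text):
    """Fold the lines into one dict per trace_id: ingress, session, route, policy, NAT."""
    traces = {}
    for line in text.splitlines():
        f = parse_line(line)
        if "trace_id" not in f:
            continue                      # not a debug flow line (e.g. a CLI echo)
        entry = traces.setdefault(f["trace_id"], {})
        for rx in MSG_RES:
            m = rx.search(f.get("msg", ""))
            if m:
                entry.update(m.groupdict())   # later lines refine the same packet
    return traces

if __name__ == "__main__":
    for tid, summary in summarize(SAMPLE).items():
        print(f"trace_id={tid}: {summary}")
```

A packet that never reaches the policy line, or whose summary shows an unexpected out_intf or nat_to, points directly at the stage (route lookup, policy match, NAT) where the flow diverges from what you expect.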
