Fortinet white logo
Fortinet white logo

CLI Reference

debug flow trace

debug flow trace

Use this command to trace the flow of packets through the FortiWeb appliance’s processing modules and network stack.

Before you will be able to see any debug logs, you must first enable debug log output using the command debug.

To use this command, your administrator account’s access control profile requires only r permission in any profile area. For details, see Permissions.

Syntax

diagnose debug flow trace {start | stop}

Variable Description Default

trace {start | stop}

Select whether to enable (start) or disable (stop) the recording of packet flow trace debug log messages. No default.

Example

This example configures a filter based on the packet destination IP 192.0.2.48, enables messages from each packet processing module, enables packet flow traces, then finally begins generating the debug logs that are enabled for output (in this case, only packet trace debug logs).

Because the filters are configured before debug logging is enabled, the administrator can type the filter without being interrupted by debug log output to the CLI.

diagnose debug flow filter server-ip 192.0.2.48

diagnose debug flow filter module-detail status on

diagnose debug flow trace start

diagnose debug enable

Output:

FortiWeb # session_id=251 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.225:49428"

session_id=251 packet_id=0 msg="HTTP parsing client packet success"

session_id=251 packet_id=0 policy_name="policy1" msg="

Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:0, Action:ACCEPT

Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_BRUCE_FORCE_LOGIN, Execution:3, Process error:0, Action:ACCEPT

Module name:HTTP_CONSTRAINTS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:ROBOT_CONTROL_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT

Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_SIG_DETECT_PROCESS, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT

"

session_id=502 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.225:49429"

session_id=502 packet_id=0 msg="HTTP parsing client packet success"

session_id=502 packet_id=0 policy_name="policy1" msg="

Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_BRUCE_FORCE_LOGIN, Execution:1, Process error:0, Action:ACCEPT

Module name:HTTP_CONSTRAINTS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:ROBOT_CONTROL_PROCESS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT

Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_SIG_DETECT_PROCESS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT

"

session_id=0 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47368"

session_id=1 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:59682"

session_id=252 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47376"

session_id=503 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:59687"

session_id=754 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47382"

session_id=2 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47385"

session_id=253 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47387"

diag debug disable

FortiWeb #

Session lines contain the name of the matching server policy (policy_name), the packet identifier (packet_ID), and TCP session ID (session_id), as well as a log message (msg) indicating one or more of the following:

  • The source IP address and port number of the packet (e.g. Receive packet from client 192.0.2.225:49428)
  • The success or failure of FortiWeb’s HTTP parser’s attempt to analyze the HTTP headers and payload of the packet into pieces that can be scanned or modified by modules (e.g. HTTP parsing client packet success or Packet dropped by detection module,and module number=11)
If the debug logs indicate that the HTTP protocol parser may be encountering an error condition, you can temporarily disable it and allow packets to bypass it to verify if this is the case. For details, see noparse {enable | disable}.

If enabled, module lines contain messages from each FortiWeb feature module as it processes the packet (e.g. Module name:WAF_PROTECTED_SERVER_CHECK for the feature that tests for an allowed Host: name in the request). The module logs are displayed in their order of execution; for details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

These messages indicate:

  • Whether or not the module executed, and if not, the reason (e.g. Execution:1)
  • Processing errors, if any (e.g. Process error:0)
  • Whether a module has allowed or blocked the packet (e.g. Action:ACCEPT or Action:FOLLOWUP_ACCEP)

For non-execution reasons, possible status codes are:

  • Execution:1—The module is disabled, and therefore is being skipped.
  • Execution:2—The module is not supported in the current deployment mode, and therefore is being skipped.
  • Execution:3—The client IP address is allowlisted, and therefore the module is being skipped.
  • Execution:4—URL access policy has caused the module to be skipped.

Related topics

debug flow trace

debug flow trace

Use this command to trace the flow of packets through the FortiWeb appliance’s processing modules and network stack.

Before you will be able to see any debug logs, you must first enable debug log output using the command debug.

To use this command, your administrator account’s access control profile requires only r permission in any profile area. For details, see Permissions.

Syntax

diagnose debug flow trace {start | stop}

Variable Description Default

trace {start | stop}

Select whether to enable (start) or disable (stop) the recording of packet flow trace debug log messages. No default.

Example

This example configures a filter based on the packet destination IP 192.0.2.48, enables messages from each packet processing module, enables packet flow traces, then finally begins generating the debug logs that are enabled for output (in this case, only packet trace debug logs).

Because the filters are configured before debug logging is enabled, the administrator can type the filter without being interrupted by debug log output to the CLI.

diagnose debug flow filter server-ip 192.0.2.48

diagnose debug flow filter module-detail status on

diagnose debug flow trace start

diagnose debug enable

Output:

FortiWeb # session_id=251 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.225:49428"

session_id=251 packet_id=0 msg="HTTP parsing client packet success"

session_id=251 packet_id=0 policy_name="policy1" msg="

Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:0, Action:ACCEPT

Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_BRUCE_FORCE_LOGIN, Execution:3, Process error:0, Action:ACCEPT

Module name:HTTP_CONSTRAINTS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:ROBOT_CONTROL_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT

Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_SIG_DETECT_PROCESS, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT

"

session_id=502 packet_id=0 policy_name=policy1 msg="Receive packet from client 172.20.120.225:49429"

session_id=502 packet_id=0 msg="HTTP parsing client packet success"

session_id=502 packet_id=0 policy_name="policy1" msg="

Module name:WAF_IP_LIST_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_X_FORWARD_FOR_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GEO_BLOCK_LIST, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_PROTECTED_SERVER_CHECK, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_ALLOW_METHOD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_ACTIVE_SCRIPT, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_SESSION_MANAGEMENT, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_HTTP_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_LAYER4_DOS_PREVENTION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_AUTHENTICATION, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_GLOBAL_ALLOW_LIST, Execution:4, Process error:1, Action:ACCEPT

Module name:WAF_URL_ACCESS_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_BRUCE_FORCE_LOGIN, Execution:1, Process error:0, Action:ACCEPT

Module name:HTTP_CONSTRAINTS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_COOKIE_POISON, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_UPLOAD_RESTRICTION_POLICY, Execution:3, Process error:0, Action:ACCEPT

Module name:ROBOT_CONTROL_PROCESS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_PARAMETWER_VALIDATION_PROCESS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_CHUNK_DECODE, Execution:3, Process error:2, Action:ACCEPT

Module name:WAF_FILE_UNCOMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_SIG_DETECT_PROCESS, Execution:1, Process error:0, Action:ACCEPT

Module name:WAF_HIDDEN_FIELD_PROCESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_URL_REWRITING, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_FILE_COMPRESS, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_CERTIFICATE_FORWARD, Execution:3, Process error:0, Action:ACCEPT

Module name:WAF_AUTOLEARN, Execution:4, Process error:0, Action:ACCEPT

Module name:WAF_HTTP_STATISTIC, Execution:3, Process error:0, Action:ACCEPT

"

session_id=0 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47368"

session_id=1 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:59682"

session_id=252 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47376"

session_id=503 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:59687"

session_id=754 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47382"

session_id=2 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47385"

session_id=253 packet_id=0 policy_name=policy1 msg="Receive packet from client 192.0.2.48:47387"

diag debug disable

FortiWeb #

Session lines contain the name of the matching server policy (policy_name), the packet identifier (packet_ID), and TCP session ID (session_id), as well as a log message (msg) indicating one or more of the following:

  • The source IP address and port number of the packet (e.g. Receive packet from client 192.0.2.225:49428)
  • The success or failure of FortiWeb’s HTTP parser’s attempt to analyze the HTTP headers and payload of the packet into pieces that can be scanned or modified by modules (e.g. HTTP parsing client packet success or Packet dropped by detection module,and module number=11)
If the debug logs indicate that the HTTP protocol parser may be encountering an error condition, you can temporarily disable it and allow packets to bypass it to verify if this is the case. For details, see noparse {enable | disable}.

If enabled, module lines contain messages from each FortiWeb feature module as it processes the packet (e.g. Module name:WAF_PROTECTED_SERVER_CHECK for the feature that tests for an allowed Host: name in the request). The module logs are displayed in their order of execution; for details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

These messages indicate:

  • Whether or not the module executed, and if not, the reason (e.g. Execution:1)
  • Processing errors, if any (e.g. Process error:0)
  • Whether a module has allowed or blocked the packet (e.g. Action:ACCEPT or Action:FOLLOWUP_ACCEP)

For non-execution reasons, possible status codes are:

  • Execution:1—The module is disabled, and therefore is being skipped.
  • Execution:2—The module is not supported in the current deployment mode, and therefore is being skipped.
  • Execution:3—The client IP address is allowlisted, and therefore the module is being skipped.
  • Execution:4—URL access policy has caused the module to be skipped.

Related topics