debug flow filter module-detail

Use this command to include or exclude debug logs from each FortiWeb feature module as the packet is processed when generating packet flow debug logs. This can be useful if you suspect that a module is encountering errors, or need to know which module is dropping the packet.

You can also specify a source or destination IP address so that module debug logs are generated only for connections involving that IP address.

To use this command, your administrator account’s access control profile requires only r permission in any profile area. For details, see Permissions.

Syntax

diagnose debug flow filter module-detail status {on | off}

diagnose debug flow filter module-detail module {all | x-forworded-for | ip-list | ip-reputation | quarant-ip | known-engine | geo-block | ...| url-rewriting}

diagnose debug flow filter module-detail client-ip <source_ipv4 | source_ipv6>

diagnose debug flow filter module-detail server-ip <destination_ipv4 | destination_ipv6>

Variable Description Default

status {on | off}

Select whether to include (on) or exclude (off) details from each module that processes the packet.

Default: off

module {all | x-forworded-for | ip-list | ip-reputation | quarant-ip | known-engine | geo-block | ...| url-rewriting}

Enter the name of each module to trace, separated by spaces, or enter all to trace every module.

Available only when status {on | off} is on.

No default.

client-ip <source_ipv4 | source_ipv6>

Enter the source (SRC) IP address of connections. This will generate only packet flow debug log messages involving that source IP address.

Note: This filter operates at the IP layer, not the HTTP layer.

If a load balancer or other web proxy is deployed in front of FortiWeb, all connections for HTTP requests appear to originate from that device's IP address, so configuring this filter will have no effect.

Similarly, if multiple clients share an Internet connection via NAT or explicit web proxy, configuring this filter will only isolate connections that share this IP address. It will not be able to filter out a single client based on individual HTTP sessions from that IP.

No default.

server-ip <destination_ipv4 | destination_ipv6>

Enter the destination (DST) IP address of the connection, either the:

  • Virtual server on FortiWeb (if FortiWeb is operating in Reverse Proxy mode)
  • Protected web server on the back end (all other operation modes)

This will generate only packet flow debug log messages involving that server IP address.

No default.
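The IP-layer caveat for client-ip, modeled in Python as an added example (not Fortinet code and not FortiWeb output). The Conn record, the end_user label, and all addresses are constructed for illustration; the model assumes the filter matches only on the source and destination addresses of the connection.

```python
import ipaddress
from typing import NamedTuple

class Conn(NamedTuple):
    src: str       # source address seen at the IP layer
    dst: str       # destination address seen at the IP layer
    end_user: str  # constructed label for the real client; not visible at the IP layer

def _same(a, b):
    # Compare parsed addresses so different spellings of one IPv6 address match.
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)

def ip_layer_filter(conns, client_ip=None, server_ip=None):
    """Connections an IP-layer client-ip / server-ip filter would select."""
    return [c for c in conns
            if (client_ip is None or _same(c.src, client_ip))
            and (server_ip is None or _same(c.dst, server_ip))]

def users_selected(conns, client_ip):
    """Distinct end users whose traffic ends up in the filtered output."""
    return sorted({c.end_user for c in ip_layer_filter(conns, client_ip=client_ip)})

VSERVER = "192.0.2.80"  # constructed virtual server address

# Constructed sample traffic for three topologies.
DIRECT = [Conn("203.0.113.5", VSERVER, "alice"),
          Conn("203.0.113.9", VSERVER, "bob"),
          Conn("2001:db8::5", "2001:db8::80", "carol")]
# Load balancer 10.0.0.2 in front: every connection has the same source.
BEHIND_LB = [Conn("10.0.0.2", VSERVER, "alice"),
             Conn("10.0.0.2", VSERVER, "bob")]
# alice and bob share NAT address 198.51.100.7; dave has his own address.
SHARED_NAT = [Conn("198.51.100.7", VSERVER, "alice"),
              Conn("198.51.100.7", VSERVER, "bob"),
              Conn("203.0.113.44", VSERVER, "dave")]

if __name__ == "__main__":
    print("direct, alice's address:", users_selected(DIRECT, "203.0.113.5"))
    print("behind LB, alice's address:", users_selected(BEHIND_LB, "203.0.113.5"))
    print("behind LB, LB address:", users_selected(BEHIND_LB, "10.0.0.2"))
    print("shared NAT address:", users_selected(SHARED_NAT, "198.51.100.7"))
```

Behind the load balancer, filtering on the end user's own address selects nothing and filtering on the load balancer's address selects every client, which is why the filter cannot narrow the trace in that topology.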
