debug flow filter

Use these commands to generate only packet flow debug logs that match your filter criteria, such as a specific destination IP address. You can also use these commands to delete the packet flow debug log filter, so that all packet flow debug logs are generated.

Before any debug logs appear, you must first enable debug log output using the debug command.

To use this command, your administrator account’s access control profile requires only r permission in any profile area. For details, see Permissions.

Syntax

diagnose debug flow filter reset

diagnose debug flow filter client-ip <source_ipv4 | source_ipv6>

diagnose debug flow filter server-ip <destination_ipv4 | destination_ipv6>


Variable Description Default

client-ip <source_ipv4 | source_ipv6>

Enter the source (SRC) IP address of connections. This will generate only packet flow debug log messages involving that source IP address.

Note: This filter operates at the IP layer, not the HTTP layer.

If a load balancer or other web proxy is deployed in front of FortiWeb, and therefore all connections for HTTP requests appear to originate from this IP address, configuring this filter will have no effect.

Similarly, if multiple clients share an Internet connection via NAT or explicit web proxy, configuring this filter will only isolate connections that share this IP address. It will not be able to filter out a single client based on individual HTTP sessions from that IP.

No default.

server-ip <destination_ipv4 | destination_ipv6>

Enter the destination (DST) IP address of the connection, either the:

  • Virtual server on FortiWeb (if FortiWeb is operating in Reverse Proxy mode)
  • Protected web server on the back end (all other operation modes)

This will generate only packet flow debug log messages involving that server IP address.

No default.
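
The note on client-ip can be checked against a traffic sample before choosing a filter value. The following Python sketch is an added example, not part of the FortiWeb documentation: it models a source-address match at the IP layer over a constructed connection sample and reports whether a candidate client-ip value would isolate a single HTTP client. The sample data, the function names, and the use of X-Forwarded-For as a stand-in for HTTP-layer client identity are assumptions for illustration.

```python
import ipaddress

# Constructed sample: (packet source IP, X-Forwarded-For value or None).
# 10.0.0.5 plays a load balancer in front of FortiWeb (assumption).
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", "198.51.100.7"),
    ("10.0.0.5", "203.0.113.44"),
    ("10.0.0.5", "198.51.100.7"),
    ("192.0.2.20", None),
    ("2001:db8::1", None),
]

def ip_layer_match(conn, client_ip):
    """Hypothetical model of an IP-layer filter: compare the packet source only."""
    return ipaddress.ip_address(conn[0]) == ipaddress.ip_address(client_ip)

def filter_report(connections, client_ip):
    """Summarize what a source-address filter would select from the sample."""
    matched = [c for c in connections if ip_layer_match(c, client_ip)]
    # HTTP-layer identity: forwarded address if present, else the packet source.
    http_clients = {c[1] or c[0] for c in matched}
    return {
        "matched": len(matched),
        "total": len(connections),
        "distinct_http_clients": len(http_clients),
        "isolates_single_client": len(http_clients) == 1,
    }

if __name__ == "__main__":
    for candidate in ("10.0.0.5", "198.51.100.7", "192.0.2.20"):
        print(candidate, filter_report(SAMPLE_CONNECTIONS, candidate))
```

In this sample the load balancer address matches connections from two different HTTP clients, while the address of a client behind it matches nothing, because that address never appears as a packet source.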
